Bug
Resolution: Done-Errata
Normal
4.18, 4.19
Quality / Stability / Reliability
Moderate
MCO Sprint 266, MCO Sprint 267, MCO Sprint 268, MCO Sprint 269, MCO Sprint 270
In Progress
Release Note Not Required
Description of problem:
When we install the usbguard extension in an MCP with OCL enabled and we start the service, the service fails, complaining about not being able to open the file /var/log/usbguard/usbguard-audit.log
Version-Release number of selected component (if applicable):
4.18.0-0.nightly-2025-01-30-093109
How reproducible:
Always
Steps to Reproduce:
1. Enable OCL in the worker pool
2. Install the usbguard extension in the worker pool using this MC:
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    metadata:
      labels:
        machineconfiguration.openshift.io/role: worker
      name: tc-usbguard
    spec:
      config:
        ignition:
          version: 3.1.0
      extensions:
        - usbguard
3. Wait for the image to be created and applied
Actual results:
The image is applied properly, and the usbguard rpm is reported to be correctly installed:
sh-5.1# rpm -qa |grep usbguard
usbguard-selinux-1.0.0-15.el9.noarch
usbguard-1.0.0-15.el9.x86_64
Nevertheless, when we try to enable the service and start it using the instructions in https://access.redhat.com/solutions/6971900, we get this error:
sh-5.1# systemctl enable --now usbguard
Created symlink /etc/systemd/system/basic.target.wants/usbguard.service → /usr/lib/systemd/system/usbguard.service.
Job for usbguard.service failed because the control process exited with error code.
See "systemctl status usbguard.service" and "journalctl -xeu usbguard.service" for details.
In the journal we can see:
sh-5.1# journalctl -xeu usbguard.service
....
Jan 30 17:30:02 ip-10-0-18-7 usbguard-daemon[11019]: AuditFileSink: /var/log/usbguard/usbguard-audit.log: failed to open
Jan 30 17:30:02 ip-10-0-18-7 systemd[1]: usbguard.service: Control process exited, code=exited, status=1/FAILURE
sh-5.1# systemctl status usbguard
× usbguard.service - USBGuard daemon
Loaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; preset: disabled)
Active: failed (Result: exit-code) since Thu 2025-01-30 17:30:03 UTC; 4min 6s ago
Docs: man:usbguard-daemon(8)
Process: 11022 ExecStart=/usr/sbin/usbguard-daemon -f -s -K -c /etc/usbguard/usbguard-daemon.conf (code=exited, status=1/FAILURE)
CPU: 172ms
Jan 30 17:30:03 ip-10-0-18-7 systemd[1]: usbguard.service: Scheduled restart job, restart counter is at 5.
Jan 30 17:30:03 ip-10-0-18-7 systemd[1]: Stopped USBGuard daemon.
Jan 30 17:30:03 ip-10-0-18-7 systemd[1]: usbguard.service: Start request repeated too quickly.
Jan 30 17:30:03 ip-10-0-18-7 systemd[1]: usbguard.service: Failed with result 'exit-code'.
Jan 30 17:30:03 ip-10-0-18-7 systemd[1]: Failed to start USBGuard daemon.
We see that /var/log/usbguard is missing:
sh-5.1# rpm -Vv usbguard
......... /etc/usbguard
......... /etc/usbguard/IPCAccessControl.d
.......T. c /etc/usbguard/rules.conf
......... /etc/usbguard/rules.d
.......T. c /etc/usbguard/usbguard-daemon.conf
.......T. /usr/bin/usbguard
......... a /usr/lib/.build-id
......... a /usr/lib/.build-id/36
......... a /usr/lib/.build-id/36/c90a224cec032281f26da1131a72ce0bd3bc83
......... a /usr/lib/.build-id/3f
......... a /usr/lib/.build-id/3f/9e515820ea521b2397990974a0fae8985e8836
......... a /usr/lib/.build-id/d6
......... a /usr/lib/.build-id/d6/16a694b6f264bf613ca3370f30b6966cf38f87
.......T. /usr/lib/systemd/system/usbguard.service
......... /usr/lib64/libusbguard.so.1
.......T. /usr/lib64/libusbguard.so.1.0.0
.......T. /usr/sbin/usbguard-daemon
.......T. /usr/share/bash-completion/completions/usbguard
......... /usr/share/doc/usbguard
.......T. d /usr/share/doc/usbguard/CHANGELOG.md
.......T. d /usr/share/doc/usbguard/README.adoc
......... /usr/share/licenses/usbguard
.......T. l /usr/share/licenses/usbguard/LICENSE
.......T. d /usr/share/man/man1/usbguard.1.gz
.......T. d /usr/share/man/man5/usbguard-daemon.conf.5.gz
.......T. d /usr/share/man/man5/usbguard-rules.conf.5.gz
.......T. d /usr/share/man/man8/usbguard-daemon.8.gz
missing /var/log/usbguard
Expected results:
When we enable and start the usbguard service after installing the usbguard extension, the service should run without problems.
Additional info:
This issue does not happen if we install the usbguard extension without using OCL.
As a workaround, if we create the directory /var/log/usbguard manually and we restart the service, the service will run without failing.
If we install all the extensions and we check the rpms, we can see that there are other rpms with missing directories:
sh-5.1# rpm -V --nomtime crun-wasm kata-containers kernel-devel kernel-headers krb5-workstation libkadm5 libreswan NetworkManager-libreswan sysstat usbguard
missing /var/lib/ipsec
missing /var/lib/ipsec/nss
missing /var/log/usbguard
sh-5.1# rpm -qf /var/lib/ipsec/nss
libreswan-4.15-3.el9.x86_64
sh-5.1# rpm -qf /var/lib/ipsec
libreswan-4.15-3.el9.x86_64
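The check above can be turned into tmpfiles.d entries that recreate the missing /var directories at boot, which is the approach named in the title of the linked RHEL-78183. The script below is an added example, not code from this report or from the MCO or usbguard projects; the 0700 mode, the root owner and the assumption that every missing /var path is a directory are illustrative and do not come from the report.

```shell
#!/bin/sh
# Added example: derive tmpfiles.d entries from "missing" lines in `rpm -V` output.
# Assumptions: every missing /var path is a directory (true for the three paths
# on this page) and should be root-owned with mode 0700; neither the mode nor
# the owner comes from the bug report.

# Constructed sample: the first three lines are the rpm -V results shown above,
# the last two are added to exercise the filter.
SAMPLE_RPM_V='missing     /var/lib/ipsec
missing     /var/log/usbguard
missing     /var/lib/ipsec/nss
.......T.  c /etc/usbguard/rules.conf
missing     /usr/share/doc/example-constructed'

# Print the missing paths that live under /var, parents before children.
missing_var_paths() {
  awk '$1 == "missing" && $NF ~ /^\/var\// { print $NF }' | LC_ALL=C sort -u
}

# Print one tmpfiles.d "d" (create directory) line per missing /var path.
# $1: directory mode, default 0700 (assumption).
tmpfiles_lines() {
  mode="${1:-0700}"
  missing_var_paths | while IFS= read -r p; do
    printf 'd %s %s root root -\n' "$p" "$mode"
  done
}

# Stand-alone run on the sample; on a node, feed `rpm -Va --nomtime` instead.
printf '%s\n' "$SAMPLE_RPM_V" | tmpfiles_lines
```

The packaged mode and owner of each directory can be read with `rpm -q --dump <package>` and passed in place of the default before the lines are shipped to nodes.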
- is depended on by
  - OCPBUGS-55473 In OCL. Usbguard service fails when we install the usbguard extension (Closed)
  - MCO-1548 Spike on achieving parity with MCO node disruption frequency (Closed)
- relates to
  - RHEL-79107 Introduce bootc container finalize (Planning)
  - RHEL-78183 Add systemd-tempfiles.d config for usbguard when root fs is read-only (Closed)
- links to
  - RHEA-2024:11038 OpenShift Container Platform 4.19.z bug fix update