MicroOS noob having problems with transactional-update and selinux

Hi,

I recently started looking into using MicroOS for a tiny server with a few containers, but am encountering some problems. I’m new to MicroOS and the Suse ecosystem in general, although I have experience with immutable OSes as I’ve been using Silverblue/Kinoite on my main workstation for a long time.

Any guidance would be greatly appreciated!

transactional-update

The first problem is that transactional-update always returns errors like this:

Checking for newer version.
Problem retrieving files from ‘openSUSE-Tumbleweed-Non-Oss’.
Download (curl) error for ‘http://download.opensuse.org/tumbleweed/repo/non-oss/repodata/repomd.xml’:
Error code: Connection failed
Error message: Could not resolve host: download(dot)opensuse(dot)org

Please see the above error message for a hint.
Problem retrieving files from ‘Open H.264 Codec (openSUSE Tumbleweed)’.
Download (curl) error for ‘(http)://codecs(dot)opensuse(dot)org/openh264/openSUSE_Tumbleweed/repodata/repomd.xml’:
Error code: Connection failed
Error message: Could not resolve host: codecs(dot)opensuse(dot)org

Please see the above error message for a hint.
Problem retrieving files from ‘openSUSE-Tumbleweed-Oss’.
Download (curl) error for ‘(http)://download(dot)opensuse(dot)org/tumbleweed/repo/oss/repodata/repomd.xml’:
Error code: Connection failed
Error message: Could not resolve host: download(dot)opensuse(dot)org

Please see the above error message for a hint.
Problem retrieving files from ‘openSUSE-Tumbleweed-Update’.
Download (curl) error for ‘(http)://download(dot)opensuse(dot)org/update/tumbleweed/repodata/repomd.xml’:
Error code: Connection failed
Error message: Could not resolve host: download(dot)opensuse(dot)org

Please see the above error message for a hint.
Some of the repositories have not been refreshed because of an error.

Sorry, I had to butcher the URLs with (dot) because this forum wouldn’t let me post more than 2 urls.

I confirmed that the network is functioning properly and that those services seem to be up. I can even call curl manually and it works (e.g. curl http://download.opensuse.org/tumbleweed/repo/non-oss/repodata/repomd.xml succeeds on that machine). So it seems there’s something going on in transactional-update that breaks it.

This is happening on a fresh x64 ISO I downloaded from the MicroOS site yesterday and installed on a physical machine. The only modifications so far have been to sshd config and fstab plus some packages I installed (see below).

SELinux

The second problem I’m having is just that I can’t seem to figure out how to install semanage. Old reddit and forum posts I found suggest that I need to install policycoreutils-python-utils, which I did via transactional-update pkg install. However, idk what was in that package because semanage is still not available.

I tried running zypper se --provides --match-exact semanage in a tumbleweed distrobox on my laptop (which is running Kalpa), but it didn’t find any packages for it.

Does semanage not exist in suse land? How do I change the labels of paths? One thing I need it for is to change the default location of container storage for podman to a custom location.

This wiki article suggests running transactional-update setup-selinux, but that didn’t seem to make the tools available. (and yes, I rebooted)

@aramallo Hi
Maybe a funky DNS issue?

I see semanage installed… (Need to run as root user)

cnf semanage
                          
Program 'semanage' is present in package 'policycoreutils-python-utils', which is installed on your system.

Absolute path to 'semanage' is '/usr/sbin/semanage', so running it may require superuser privileges (eg. root).

zypper lr -dE
# | Alias         | Name                                   | Enabled | GPG Check | Refresh | Priority | Type   | URI                                                     | Service
--+---------------+----------------------------------------+---------+-----------+---------+----------+--------+---------------------------------------------------------+--------
2 | repo-non-oss  | openSUSE-Tumbleweed-Non-Oss            | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/tumbleweed/repo/non-oss/   | 
3 | repo-openh264 | Open H.264 Codec (openSUSE Tumbleweed) | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://codecs.opensuse.org/openh264/openSUSE_Tumbleweed | 
4 | repo-oss      | openSUSE-Tumbleweed-Oss                | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/tumbleweed/repo/oss/       | 
6 | repo-update   | openSUSE-Tumbleweed-Update             | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/update/tumbleweed/         | 

I honestly don’t know what to tell you here. It’s a DNS error, and not one that I’ve been experiencing. If you’re able to hit those URLs manually via curl or a web browser or whatever, that’s really odd. It isn’t as if transactional-update is using any special DNS settings.

I guess I need some clarification here. Are you running MicroOS, or Kalpa? It doesn’t really make a difference, but it’s helpful to know what you’re actually using.

I’m just curious why you feel you need semanage?

I’ve been using MicroOS, Aeon, and Kalpa for a couple years now, and not found myself in need of it.

Of course you do not need troubleshooting tools if everything works. But when something does not work, you do need them to gather information. semanage is the primary Google hit for this. I was in the same boat recently helping with some problem on MicroOS related to SELinux.

Maybe we are just ignorant and MicroOS does have other tools to investigate current SELinux policy. In this case it would be more useful to just tell us what those tools are.

Hence why I was asking. We’ve got some of the more common issues users have encountered listed on the wiki pages at:

https://en.opensuse.org/Portal:Kalpa
and
https://en.opensuse.org/Portal:Aeon

Thanks for the replies everyone. I’m baffled as to what happened, but I did a clean reinstall using the exact same image and I am no longer getting those errors with transactional-update, and I even got semanage installed :smiley:. I must have broken something without noticing… or was zapped by cosmic rays.

Regarding SELinux, I want semanage because that’s the only tool I know for changing SELinux labels on directories. If there’s a better way, I’d be open to learning it. For example, the built-in /etc/containers/storage.conf file even has these instructions:

 # When changing the graphroot location on an SELINUX system, you must
 # ensure  the labeling matches the default locations labels with the
 # following commands:
 # semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH
 # restorecon -R -v /NEWSTORAGEPATH

I installed the OS to a smallish SSD, but have some other larger disks installed which I’d like to use for container storage since I know I’ll need the space. Unless selinux can parse podman config files to update labels automatically, I assume the only option is to set them manually myself.

Also, I have Kalpa on a separate laptop, but MicroOS installed on a physical server. I just used it for the search command because it’s currently the only way I know of achieving a dnf provides equivalent in SUSE.
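
The two commands quoted from storage.conf above, wrapped in a script that reads graphroot from the config and refuses targets that would make the equivalence rule wrong. This is an added example, not part of the original post or of MicroOS; the helper names, the RUN switch and the path /srv/containers/storage are assumptions.

```shell
#!/bin/sh
# Added example: relabel a custom podman graphroot as storage.conf instructs.
# /srv/containers/storage is an assumed path. Run as root with RUN= to apply.
DEFAULT_STORE=/var/lib/containers/storage
RUN=${RUN-echo}          # default is a dry run that only prints the commands

# Read the first uncommented graphroot = "..." value from a storage.conf file.
graphroot_of() {
    sed -n 's/^[[:space:]]*graphroot[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" |
        head -n 1
}

# Accept only an absolute path outside the default tree, without a trailing "/".
check_target() {
    case "$1" in
        /|*/) return 1 ;;                                  # root, or trailing slash
        "$DEFAULT_STORE"|"$DEFAULT_STORE"/*) return 1 ;;   # already labeled by policy
        /*) return 0 ;;
        *) return 1 ;;                                     # relative or empty
    esac
}

# The two commands from the storage.conf comment, in order.
relabel() {
    check_target "$1" || { echo "refusing target: '$1'" >&2; return 1; }
    $RUN semanage fcontext -a -e "$DEFAULT_STORE" "$1" &&
        $RUN restorecon -R -v "$1"
}

# restorecon -n changes nothing and, with -v, lists paths whose label is still wrong.
labels_clean() {
    [ -z "$(restorecon -R -n -v "$1" 2>&1)" ]
}

CONF=${1:-/etc/containers/storage.conf}
if [ -r "$CONF" ]; then
    target=$(graphroot_of "$CONF")
    if relabel "$target" && [ -z "$RUN" ]; then
        labels_clean "$target" || echo "labels under $target still differ" >&2
    fi
fi
```

The equivalence rule (-e) makes the new tree inherit every file-context rule defined for the default location, so subdirectories get the same labels they would have had under /var/lib/containers/storage.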

Makes sense. For Kalpa/Aeon, manually relabelling isn’t something that we’re really aiming to support, given the goals of the project.

Not to say it can’t be done. Obviously, it can.

I’m glad you got it sorted.
