Custom RHEL5.5 EC2 images will not boot after creation


Environment

  • Red Hat Enterprise Linux (RHEL) 5.5 Starter images in Amazon Web Services EC2 (Elastic Compute Cloud)

Issue

  • After bundling a custom image based on the RHEL5.5 starter images, the new images will not instantiate.

Resolution

Red Hat is aware of the issue and is working on a permanent solution. In the meantime, a custom image with working SELinux may be created as follows.

  • Start up a new, unmodified instance of an official RHEL5.5 starter image.
  • Edit the /etc/selinux/config file and set it to disabled.
  • Use the setenforce 0 command to set selinux to permissive mode.
  • Customize the image to meet your needs.
  • Rebundle, upload and register the new image.
  • Launch an instance of the new image, and check the console output to ensure there are no errors.
  • Log in to the instance, and edit /etc/selinux/config to set it to permissive mode.
  • Touch the file /.autorelabel
  • Reboot the instance from the AWS management console or use the 'reboot' command.
  • After a successful reboot, log in and check whether the /.autorelabel file is still there. If it is not, then the relabel was successful.
  • Now use the 'setenforce 1' command to change selinux to enforcing mode.
  • The sestatus command should return the following:

      # sestatus
      SELinux status:                enabled
      SELinuxfs mount:                /selinux
      Current mode:                  enforcing
      Mode from config file:          permissive
      Policy version:                21
      Policy from config file:        targeted
    
  • Edit the /etc/selinux/config file and set it to enforcing.

  • Reboot the instance one last time. The sestatus command should now report that selinux is enabled and in enforcing mode.
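
The checkpoints in the steps above (relabel flag gone, runtime mode, mode from the config file) can be checked from sestatus output with a small script. This is an added example, not Red Hat's code; the function names and stage labels are hypothetical, and the sample input is the sestatus output shown above.

```shell
#!/bin/sh
# Added example (not Red Hat's code). Stage names are hypothetical labels.

# Print the value of one "Name: value" line from sestatus output on stdin.
sestatus_field() {
    sed -n "s/^$1:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" | head -n 1
}

# selinux_stage SESTATUS_TEXT [FLAG_PATH]
# Reports where the instance is in the procedure. FLAG_PATH is the
# autorelabel flag file and defaults to /.autorelabel.
selinux_stage() {
    text=$1
    flag=${2:-/.autorelabel}
    status=$(printf '%s\n' "$text" | sestatus_field "SELinux status")
    current=$(printf '%s\n' "$text" | sestatus_field "Current mode")
    config=$(printf '%s\n' "$text" | sestatus_field "Mode from config file")

    if [ "$status" = "disabled" ]; then
        echo "disabled"            # build phase: customize and rebundle
    elif [ "$status" != "enabled" ]; then
        echo "unknown"             # input was not sestatus output
    elif [ -e "$flag" ]; then
        echo "relabel-pending"     # flag still present: reboot, or relabel did not run
    elif [ "$current" = "permissive" ]; then
        echo "relabelled"          # next step: setenforce 1
    elif [ "$current" = "enforcing" ] && [ "$config" = "permissive" ]; then
        echo "enforcing-runtime"   # the article's sample; next: edit the config file
    elif [ "$current" = "enforcing" ] && [ "$config" = "enforcing" ]; then
        echo "done"                # enforcing now and after reboot
    else
        echo "unknown"
    fi
}

# Constructed sample: the sestatus output shown in the article.
SAMPLE='SELinux status:                enabled
SELinuxfs mount:                /selinux
Current mode:                  enforcing
Mode from config file:          permissive
Policy version:                21
Policy from config file:        targeted'

# On a live instance: selinux_stage "$(sestatus)"
selinux_stage "$SAMPLE" /nonexistent/.autorelabel
```
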

Root Cause

  • The ec2-bundle-vol binary provided by Amazon Web Services via the ec2-ami-tools package uses the RHEL rsync command to copy over an instance's filesystem during the custom image creation.  During this process, the selinux context of the files is not transferred over.  The RHEL5.5 starter images we have recently posted are the very first images to have selinux enabled.  As a result, any custom images based on the RHEL5.5 starter images with selinux enabled fail to boot. This issue does not affect any Red Hat images based on RHEL5.4 or earlier.

Diagnostic Steps

  • Messages similar to the following will be seen in the instance logs of the Amazon Management Console.
      /sbin/agetty: error while loading shared libraries: libc.so.6: cannot open shared object file: Permission denied
      /sbin/agetty: error while loading shared libraries: libc.so.6: cannot open shared object file: Permission denied
      /sbin/agetty: error while loading shared libraries: libc.so.6: cannot open shared object file: Permission denied
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
