Out-of-memory Micro Instance Woes: setsebool Killed

The other day I deployed a micro CentOS instance in Google Cloud’s Compute Engine. Normally 600mb of RAM is more than enough to do some light nginx/node.js work for me, but I ran into a bit of an issue when working with setsebool.

In order to allow nginx to proxy websockets to my upstream node.js server, I have to loosen some SELinux boolean and to make sure this change is permanent.

SELinux, in enforcing mode with default booleans, blocks nginx from proxying connections to anything (even to localhost):

/var/log/audit/audit.log:

type=AVC msg=audit(1454856569.618:238): avc:  denied  { name_connect } for  pid=3627 comm="nginx" dest=3000 scontext=u
nconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1454856569.618:238): arch=c000003e syscall=42 success=no exit=-13 a0=10 a1=2248698 a2=10 a3=7ff
c72709950 items=0 ppid=3625 pid=3627 auid=500 uid=498 gid=499 euid=498 suid=498 fsuid=498 egid=499 sgid=499 fsgid=499

The following command will allow httpd (nginx in our case) to make network connections:

setsebool httpd_can_network_connect on -P

The default CentOS micro instance that GCE deploys does not utilize a swap file or partition. Running the above command will consume more memory than is available and the kernel will kill it:

Feb  6 15:06:05 www2 kernel: Out of memory: Kill process 4112 (setsebool) score 707 or sacrifice child
Feb  6 15:06:05 www2 kernel: Killed process 4112, UID 0, (setsebool) total-vm:442668kB, anon-rss:425760kB, file-rss:8
68kB

The setsebool command can be run without -P and it will work, but to make the change permanent I would need a workaround.

Cue the following:

# swapoff -a
# dd if=/dev/zero of=/root/swapfile bs=1M count=300
# mkswap /root/swapfile
# swapon /root/swapfile

What I’m doing there is creating a temporary container on the disk and using it while I run my setsebool commands with -P.

Once the policy is compiled and the boolean is set I can turn off the swap again:

# swapoff -a
# rm -rf /root/swapfile

While this workaround is ideal for increasing the available memory quickly without downtime to the instance, it should only be a temporary solution to OOM errors.