Bug 1692835

Summary: [RFE] satellite-clone should check umask prior to cloning
Product: Red Hat Satellite 6
Component: Satellite Clone
Version: 6.4.2
Hardware: x86_64
OS: Linux
Status: NEW
Severity: medium
Priority: medium
Target Milestone: Unspecified
Target Release: Unused
Keywords: FutureFeature, Triaged
Type: Bug
Reporter: Taft Sanders <tasander>
Assignee: Lucie Vrtelova <lvrtelov>
QA Contact: Lucie Vrtelova <lvrtelov>
CC: bkearney

Description Taft Sanders 2019-03-26 14:22:47 UTC
Description of problem:
Foreman-proxy is failing to start due to incorrect permissions being set on the directory because of the umask set on the server prior to satellite installation.

Version-Release number of selected component (if applicable):
6.4.2

How reproducible:
always

Steps to Reproduce:
1. Set umask 0077
2. Run satellite-clone

Actual results:
satellite-clone fails with the below error:
Failed at step EXEC spawning /usr/share/foreman-proxy/bin/smart-proxy: permission denied

Expected results:
no failure

Additional info:

Comment 3 Taft Sanders 2019-03-26 14:46:09 UTC
Satellite clone is failing on permissions being set for /usr/share/foreman-proxy/bin/smart-proxy:
With 0077:
[root@satellite ~]# namei -ml /usr/share/foreman-proxy/bin/smart-proxy
f: /usr/share/foreman-proxy/bin/smart-proxy
dr-xr-xr-x root root /
drwx------ root root usr
drwx------ root root share
drwx------ root root foreman-proxy
drwxr-xr-x root root bin
-rwxr-xr-x root root smart-proxy

With 0022:
[root@satellite ~]# namei -ml /usr/share/foreman-proxy/bin/smart-proxy
f: /usr/share/foreman-proxy/bin/smart-proxy
dr-xr-xr-x root root /
drwxr-xr-x root root usr
drwxr-xr-x root root share
drwxr-xr-x root root foreman-proxy
drwxr-xr-x root root bin
-rwxr-xr-x root root smart-proxy


Also failing on mongo:
With 0077:
[root@satellite satellite-backup-2019-03-19-14-37-13]# namei -ml /opt/rh/rh-mongodb34/root/usr/libexec/mongodb-scl-helper
f: /opt/rh/rh-mongodb34/root/usr/libexec/mongodb-scl-helper
dr-xr-xr-x root root /
drwx------ root root opt
drwxr-xr-x root root rh
dr-xr-xr-x root root rh-mongodb34
dr-xr-xr-x root root root
drwxr-xr-x root root usr
drwxr-xr-x root root libexec
-rwxr-xr-x root root mongodb-scl-helper

With 0022:
[root@satellite ~]# namei -ml /opt/rh/rh-mongodb34/root/usr/libexec/mongodb-scl-helper 
f: /opt/rh/rh-mongodb34/root/usr/libexec/mongodb-scl-helper
dr-xr-xr-x root root /
drwxr-xr-x root root opt
drwxr-xr-x root root rh
dr-xr-xr-x root root rh-mongodb34
dr-xr-xr-x root root root
drwxr-xr-x root root usr
drwxr-xr-x root root libexec
-rwxr-xr-x root root mongodb-scl-helper

Comment 4 Taft Sanders 2019-03-26 19:05:42 UTC
The following plays were appended to the satellite-clone main.yml file right above the Satellite installer play to resolve permission issues.

- name: fix permissions
  file:
    path: "{{ item }}"
    state: directory
    mode: 0755
  with_items:
    - /opt
    - /etc
    - /usr
    - /usr/share
    - /usr/share/foreman-proxy
    - /var
    - /var/lib
    - /opt/puppetlabs
    - /etc/sysconfig
    - /usr/share/foreman
    - /etc/opt
    - /etc/opt/rh
    - /etc/opt/rh/rh-mongodb34
    - /opt/puppetlabs/puppet
    - /opt/puppetlabs/puppet/cache
    - /opt/puppetlabs/puppet/lib
    - /opt/puppetlabs/puppet/lib/ruby
    - /opt/puppetlabs/puppet/lib/ruby/vendor_ruby
    - /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet
    - /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/reports
    - /opt/puppetlabs/puppet/cache/foreman_cache_data
    - /etc/pki

- name: fix permissions part 2
  file:
    path: "{{ item }}"
    state: directory
    mode: 0755
    owner: puppet
    group: root
  with_items:
    - /opt/puppetlabs/puppet/cache/foreman_cache_data

- name: fix permissions part 3
  file:
    path: "{{ item }}"
    state: file
    mode: 0600
    owner: puppet
    group: root
  with_items:
    - /opt/puppetlabs/puppet/cache/foreman_cache_data/admin_password
    - /opt/puppetlabs/puppet/cache/foreman_cache_data/ca_key_password
    - /opt/puppetlabs/puppet/cache/foreman_cache_data/candlepin_db_password
    - /opt/puppetlabs/puppet/cache/foreman_cache_data/candlepin_oauth_secret
    - /opt/puppetlabs/puppet/cache/foreman_cache_data/db_password
    - /opt/puppetlabs/puppet/cache/foreman_cache_data/keystore_password-file
    - /opt/puppetlabs/puppet/cache/foreman_cache_data/oauth_consumer_key
    - /opt/puppetlabs/puppet/cache/foreman_cache_data/oauth_consumer_secret
    - /opt/puppetlabs/puppet/cache/foreman_cache_data/post_sync_token
    - /opt/puppetlabs/puppet/cache/foreman_cache_data/pulp_node_admin_password
    - /opt/puppetlabs/puppet/cache/foreman_cache_data/pulp_password
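
A pre-flight check of the kind this RFE asks for, as an added example that is not part of the bug report or of satellite-clone: it flags a umask that strips r-x from "other" and lists the parent directories of a path that lack the search bit, which is what the `namei -ml` listings in Comment 3 show by eye. The function names are hypothetical; it assumes GNU stat, looks only at the "other" permission class, and ignores ACLs and SELinux.

```shell
#!/bin/sh
# Added example (not satellite-clone code). Assumes GNU stat; checks only the
# "other" permission class and ignores ACLs and SELinux.

# True when the current umask strips read or search (r-x) from "other",
# so directories created from now on would look like the 0077 listing.
umask_masks_other_rx() {
    [ $(( 0$(umask) & 0005 )) -ne 0 ]
}

# Print, top-down, every directory above PATH that lacks o+x (search).
# Optional STOP is the highest directory to inspect (default /).
# Exit status: 0 = all traversable, 1 = some blocked, 2 = stat failed.
blocked_components() (
    dir=$(dirname -- "$1")
    stop=${2:-/}
    out=
    while :; do
        mode=$(stat -c %a -- "$dir") || exit 2
        if [ $(( 0$mode & 0001 )) -eq 0 ]; then
            out=$(printf '%s\n%s' "$dir" "$out")   # prepend: parents first
        fi
        case $dir in "$stop"|/|.) break ;; esac
        dir=$(dirname -- "$dir")
    done
    [ -z "$out" ] && exit 0
    printf '%s\n' "$out"
    exit 1
)

# Run both checks; non-zero means cloning should not proceed as-is.
preflight() {
    rc=0
    if umask_masks_other_rx; then
        echo "umask $(umask) removes r-x for other on new directories" >&2
        rc=1
    fi
    for p in "$@"; do
        if ! bad=$(blocked_components "$p"); then
            printf 'not reachable by unprivileged users: %s\n%s\n' "$p" "$bad" >&2
            rc=1
        fi
    done
    return "$rc"
}

# e.g. sh preflight.sh /usr/share/foreman-proxy/bin/smart-proxy
if [ "$#" -gt 0 ]; then preflight "$@"; fi
```
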