Bug 1692835 - [RFE] satellite-clone should check umask prior to cloning
Summary: [RFE] satellite-clone should check umask prior to cloning
Keywords:
Status: NEW
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Satellite Clone
Version: 6.4.2
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: Unspecified
Assignee: Lucie Vrtelova
QA Contact: Lucie Vrtelova
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-03-26 14:22 UTC by Taft Sanders
Modified: 2019-04-03 03:31 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:



Description Taft Sanders 2019-03-26 14:22:47 UTC
Description of problem:
Foreman-proxy is failing to start due to incorrect permissions being set on the directory because of the umask set on the server prior to satellite installation

Version-Release number of selected component (if applicable):
6.4.2

How reproducible:
always

Steps to Reproduce:
1. Set umask 0077
2. Run satellite-clone
3.

Actual results:
satellite-clone fails with the below error:
Failed at step EXEC spawning /usr/share/foreman-proxy/bin/smart-proxy: permission denied

Expected results:
no failure

Additional info:

Comment 3 Taft Sanders 2019-03-26 14:46:09 UTC
Satellite clone is failing on permissions being set for /usr/share/foreman-proxy/bin/smart-proxy:
With 0077:
[root@satellite ~]# namei -ml /usr/share/foreman-proxy/bin/smart-proxy
f: /usr/share/foreman-proxy/bin/smart-proxy
dr-xr-xr-x root root /
drwx------ root root usr
drwx------ root root share
drwx------ root root foreman-proxy
drwxr-xr-x root root bin
-rwxr-xr-x root root smart-proxy

With 0022:
[root@satellite ~]# namei -ml /usr/share/foreman-proxy/bin/smart-proxy
f: /usr/share/foreman-proxy/bin/smart-proxy
dr-xr-xr-x root root /
drwxr-xr-x root root usr
drwxr-xr-x root root share
drwxr-xr-x root root foreman-proxy
drwxr-xr-x root root bin
-rwxr-xr-x root root smart-proxy


Also failing on mongo:
With 0077:
[root@satellite satellite-backup-2019-03-19-14-37-13]# namei -ml /opt/rh/rh-mongodb34/root/usr/libexec/mongodb-scl-helper
f: /opt/rh/rh-mongodb34/root/usr/libexec/mongodb-scl-helper
dr-xr-xr-x root root /
drwx------ root root opt
drwxr-xr-x root root rh
dr-xr-xr-x root root rh-mongodb34
dr-xr-xr-x root root root
drwxr-xr-x root root usr
drwxr-xr-x root root libexec
-rwxr-xr-x root root mongodb-scl-helper

With 0022:
[root@satellite ~]# namei -ml /opt/rh/rh-mongodb34/root/usr/libexec/mongodb-scl-helper 
f: /opt/rh/rh-mongodb34/root/usr/libexec/mongodb-scl-helper
dr-xr-xr-x root root /
drwxr-xr-x root root opt
drwxr-xr-x root root rh
dr-xr-xr-x root root rh-mongodb34
dr-xr-xr-x root root root
drwxr-xr-x root root usr
drwxr-xr-x root root libexec
-rwxr-xr-x root root mongodb-scl-helper
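
Added example (not part of the bug report and not satellite-clone code): a shell sketch of the pre-flight check this RFE asks for. It rejects a umask that strips group/other r-x from new directories and lists the ancestor directories that show up as drwx------ in the namei -ml output above. The function names and the 055 bit mask are assumptions made for this example.

```shell
#!/bin/sh
# umask_allows_traversal [MASK]: succeed only if MASK (default: current umask)
# leaves r-x for group and other on newly created directories.
# Assumption: 055 is the bit set that must stay clear; 0022 passes, 0077 fails.
umask_allows_traversal() {
    mask=${1:-$(umask)}
    [ $(( 0$mask & 055 )) -eq 0 ]
}

# blocked_dirs PATH: print "MODE DIR" for every ancestor directory of PATH
# (below /) that lacks the other-execute bit, i.e. the rows a service account
# cannot traverse. Symlinked components are judged by their target (-L).
blocked_dirs() {
    rest=${1#/}; dir=
    while [ "${rest#*/}" != "$rest" ]; do        # rest still contains a slash
        dir="$dir/${rest%%/*}"; rest=${rest#*/}
        mode=$(ls -ldL -- "$dir" 2>/dev/null | cut -c1-10)
        case $mode in
            ?????????[xt]) ;;                    # traversable by "other"
            *) printf '%s %s\n' "${mode:-unreadable}" "$dir" ;;
        esac
    done
}

# preflight PATH...: run both checks; non-zero status means "do not clone yet".
preflight() {
    status=0
    umask_allows_traversal || { echo "umask $(umask) is too restrictive" >&2; status=1; }
    for p in "$@"; do
        bad=$(blocked_dirs "$p")
        [ -z "$bad" ] || { echo "$bad" >&2; status=1; }
    done
    return $status
}

# Constructed demo: build a throwaway tree under umask 0077, as in the report,
# and list the directories that would stop a non-root service from starting.
demo_root=$(mktemp -d) && chmod 755 "$demo_root"
( umask 0077; mkdir -p "$demo_root/share/foreman-proxy/bin" )
blocked_dirs "$demo_root/share/foreman-proxy/bin/smart-proxy"
rm -rf "$demo_root"
```

Against a real host, preflight would be called with the binaries named in this report, such as /usr/share/foreman-proxy/bin/smart-proxy, before the installer play runs.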

Comment 4 Taft Sanders 2019-03-26 19:05:42 UTC
The following plays were appended to the satellite-clone main.yml file right above the Satellite installer play to resolve permission issues.

- name: fix permissions
  file:
    path: "{{ item }}"
    state: directory
    mode: 0755
  with_items:
    - /opt
    - /etc
    - /usr
    - /usr/share
    - /usr/share/foreman-proxy
    - /var
    - /var/lib
    - /opt/puppetlabs
    - /etc/sysconfig
    - /usr/share/foreman
    - /etc/opt
    - /etc/opt/rh
    - /etc/opt/rh/rh-mongodb34
    - /opt/puppetlabs/puppet
    - /opt/puppetlabs/puppet/cache
    - /opt/puppetlabs/puppet/lib
    - /opt/puppetlabs/puppet/lib/ruby
    - /opt/puppetlabs/puppet/lib/ruby/vendor_ruby
    - /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet
    - /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/reports
    - /opt/puppetlabs/puppet/cache/foreman_cache_data
    - /etc/pki

- name: fix permissions part 2
  file:
    path: "{{ item }}"
    state: directory
    mode: 0755
    owner: puppet
    group: root
  with_items:
    - /opt/puppetlabs/puppet/cache/foreman_cache_data

- name: fix permissions part 3
  file:
    path: "{{ item }}"
    state: file
    mode: 0600
    owner: puppet
    group: root
  with_items:
    - /opt/puppetlabs/puppet/cache/foreman_cache_data/admin_password
    - /opt/puppetlabs/puppet/cache/foreman_cache_data/ca_key_password
    - /opt/puppetlabs/puppet/cache/foreman_cache_data/candlepin_db_password
    - /opt/puppetlabs/puppet/cache/foreman_cache_data/candlepin_oauth_secret
    - /opt/puppetlabs/puppet/cache/foreman_cache_data/db_password
    - /opt/puppetlabs/puppet/cache/foreman_cache_data/keystore_password-file
    - /opt/puppetlabs/puppet/cache/foreman_cache_data/oauth_consumer_key
    - /opt/puppetlabs/puppet/cache/foreman_cache_data/oauth_consumer_secret
    - /opt/puppetlabs/puppet/cache/foreman_cache_data/post_sync_token
    - /opt/puppetlabs/puppet/cache/foreman_cache_data/pulp_node_admin_password
    - /opt/puppetlabs/puppet/cache/foreman_cache_data/pulp_password

