Bug 1100169
| Summary: | oo-diagnostics tools throw warning message when user add alias cert to app | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Johnny Liu <jialiu> |
| Component: | Node | Assignee: | Luke Meyer <lmeyer> |
| Status: | CLOSED ERRATA | QA Contact: | libra bugs <libra-bugs> |
| Severity: | low | Docs Contact: | |
| Priority: | medium | ||
| Version: | 2.1.0 | CC: | adellape, bleanhar, jokerman, libra-onpremise-devel, mmccomas |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | rubygem-openshift-origin-common-1.22.5.6-1.el6op | Doc Type: | Bug Fix |
| Doc Text: | After a custom SSL certificate for an alias was added to an application, the oo-diagnostics tool reported warning messages that the permissions on configuration files were not correct. This was due to the oo-diagnostics tool running a test that checked for more than was actually required. This bug fix updates the oo-diagnostics tool to only check files that Apache actually reads at runtime, and the warnings no longer occur for alias certificates. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-06-23 07:37:48 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
*facepalm* OK that was a really misguided test. But should be an easy fix.

Upstream: https://github.com/openshift/origin-server/pull/5444

Adding to OSE cherrypicks: https://github.com/openshift/enterprise-server/pull/283

Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/366ef378d8ee735b877c92d6799cc703da0b6bd6

diagnostics: fix errant warning on httpd conf

Bug 1100169 - oo-diagnostics tools throw warning message when user add alias cert to app
https://bugzilla.redhat.com/show_bug.cgi?id=1100169

also:
Bug 1002559 - oo-diagnostics should check the mode on important files
https://bugzilla.redhat.com/show_bug.cgi?id=1002559

test_apache_can_read_conf_files is intended to warn when the apache user cannot read files it needs to. The files being checked are overly broad; since httpd reads all of its configuration as root before switching to apache user, none of that needs to be apache-readable. Instead, just check files that apache will actually be reading at runtime. Everything related to Rails apps falls into this category.

Verified this bug with rubygem-openshift-origin-common-1.22.5.6-1.el6op.noarch in 2.1.z/2014-06-10.3, and PASS.

On broker:

```
# oo-diagnostics -v test_apache_can_read_conf_files
INFO: loading list of installed packages
INFO: OpenShift broker installed.
INFO: Loading the broker rails environment.
INFO: running: test_apache_can_read_conf_files
NO ERRORS
# chown root:root server_pub.pem
# oo-diagnostics -v test_apache_can_read_conf_files
INFO: loading list of installed packages
INFO: OpenShift broker installed.
INFO: Loading the broker rails environment.
INFO: running: test_apache_can_read_conf_files
WARN: test_apache_can_read_conf_files
The following configuration files have names and locations indicating
that the apache user should be able to read them, but are not readable
by the apache user:
/etc/openshift/server_pub.pem
The broker and console services may malfunction without read access to these files.
1 WARNINGS
NO ERRORS
```

On node:

```
# oo-diagnostics -v test_apache_can_read_conf_files
INFO: loading list of installed packages
INFO: OpenShift node installed.
INFO: running: test_apache_can_read_conf_files
NO ERRORS
# touch xx.db
# chmod o-r xx.db
# oo-diagnostics -v test_apache_can_read_conf_files
INFO: loading list of installed packages
INFO: OpenShift node installed.
INFO: running: test_apache_can_read_conf_files
WARN: test_apache_can_read_conf_files
The following configuration files have names and locations indicating
that the apache user should be able to read them, but are not readable
by the apache user:
/var/lib/openshift/.httpd.d/xx.db
The host httpd server may malfunction without read access to these files.
1 WARNINGS
NO ERRORS
```

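
The narrowed check described in this bug, sketched as an added example (this is not the origin-server code): warn only for files httpd reads after dropping to the apache user, so root-only alias keys and certificates stay at mode 0600 without triggering a warning. The `FakeStat` struct, the uid/gid 48, the runtime patterns and the sample paths are constructed assumptions.

```ruby
# Constructed stand-in for File::Stat so the example runs without touching /etc.
FakeStat = Struct.new(:mode, :uid, :gid)

APACHE_UID  = 48    # assumed uid/gid of the apache user; look it up on a real host
APACHE_GIDS = [48]

# POSIX consults exactly one permission class for a non-root process:
# owner if the uid matches, else group if any gid matches, else other.
def readable_by?(stat, uid, gids)
  return (stat.mode & 0400) != 0 if stat.uid == uid
  return (stat.mode & 0040) != 0 if gids.include?(stat.gid)
  (stat.mode & 0004) != 0
end

# Hypothetical runtime-file patterns, modelled on the two paths the
# transcripts above still warn about. Alias .crt/.key files are part of the
# configuration httpd reads as root before switching user, so they are
# deliberately not listed.
RUNTIME_PATTERNS = [
  %r{\A/var/lib/openshift/\.httpd\.d/[^/]+\.db\z},
  %r{\A/etc/openshift/server_pub\.pem\z}
].freeze

def runtime_file?(path)
  RUNTIME_PATTERNS.any? { |re| re =~ path }
end

# Paths that merit a warning: read at runtime, yet unreadable to apache.
def unreadable_runtime_files(files, uid = APACHE_UID, gids = APACHE_GIDS)
  files.select { |path, st| runtime_file?(path) && !readable_by?(st, uid, gids) }.keys
end

# Constructed sample: path => stat (mode, owner uid, group gid).
SAMPLE = {
  '/var/lib/openshift/.httpd.d/app_example/bar.example.com.key' => FakeStat.new(0100600, 0, 0),
  '/var/lib/openshift/.httpd.d/app_example/bar.example.com.crt' => FakeStat.new(0100600, 0, 0),
  '/var/lib/openshift/.httpd.d/yy.db' => FakeStat.new(0100644, 0, 0),
  '/var/lib/openshift/.httpd.d/xx.db' => FakeStat.new(0100640, 0, 0),
  '/etc/openshift/server_pub.pem'     => FakeStat.new(0100640, 0, 0)
}.freeze

puts unreadable_runtime_files(SAMPLE)
```

The check looks only at the file's own mode bits; search permission on parent directories and ACLs or SELinux labels are outside what it models.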
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-0781.html

Description of problem:
oo-diagnostics tools throw warning message to complain the permission of config files are incorrect when user add alias cert to app

Version-Release number of selected component (if applicable):
rubygem-openshift-origin-common-1.22.5.4-1.el6op.noarch

How reproducible:
Always

Steps to Reproduce:
1. create app, and add alias cert to this app. Then the following apache config file is added.

```
# ll /var/lib/openshift/.httpd.d/537b2a176892dfdd8c0001fa_jialiu_bar.jialiu.com/bar.jialiu.com.*
-rw-------. 1 root root 1273 May 20 03:11 /var/lib/openshift/.httpd.d/537b2a176892dfdd8c0001fa_jialiu_bar.jialiu.com/bar.jialiu.com.crt
-rw-------. 1 root root 1679 May 20 03:11 /var/lib/openshift/.httpd.d/537b2a176892dfdd8c0001fa_jialiu_bar.jialiu.com/bar.jialiu.com.key
```

2. Run oo-diagnostics
3.

Actual results:

```
<--snip-->
INFO: running: test_apache_can_read_conf_files
WARN: test_apache_can_read_conf_files
The following configuration files have names and locations indicating
that the apache user should be able to read them, but are not readable
by the apache user:
/var/lib/openshift/.httpd.d/537b2a176892dfdd8c0001fa_jialiu_bar.jialiu.com/bar.jialiu.com.crt
/var/lib/openshift/.httpd.d/537b2a176892dfdd8c0001fa_jialiu_bar.jialiu.com/bar.jialiu.com.key
The host httpd server may malfunction without read access to these files.
<--snip-->
```

Expected results:
No warning message is seen.

Additional info: