Bug 1100169
Summary: | oo-diagnostics tools throw warning message when user add alias cert to app | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Johnny Liu <jialiu> |
Component: | Node | Assignee: | Luke Meyer <lmeyer> |
Status: | CLOSED ERRATA | QA Contact: | libra bugs <libra-bugs> |
Severity: | low | Docs Contact: | |
Priority: | medium | ||
Version: | 2.1.0 | CC: | adellape, bleanhar, jokerman, libra-onpremise-devel, mmccomas |
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Fixed In Version: | rubygem-openshift-origin-common-1.22.5.6-1.el6op | Doc Type: | Bug Fix |
Doc Text: | After a custom SSL certificate for an alias was added to an application, the oo-diagnostics tool reported warning messages that the permissions on configuration files were not correct. This was due to the oo-diagnostics tool running a test that checked for more than was actually required. This bug fix updates the oo-diagnostics tool to only check files that Apache actually reads at runtime, and the warnings no longer occur for alias certificates. |
Last Closed: | 2014-06-23 07:37:48 UTC | Type: | Bug |
Description
Johnny Liu
2014-05-22 07:18:02 UTC
*facepalm* OK that was a really misguided test. But should be an easy fix.

Upstream: https://github.com/openshift/origin-server/pull/5444

Adding to OSE cherrypicks: https://github.com/openshift/enterprise-server/pull/283

Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/366ef378d8ee735b877c92d6799cc703da0b6bd6
diagnostics: fix errant warning on httpd conf

Bug 1100169 - oo-diagnostics tools throw warning message when user add alias cert to app
https://bugzilla.redhat.com/show_bug.cgi?id=1100169

also:
Bug 1002559 - oo-diagnostics should check the mode on important files
https://bugzilla.redhat.com/show_bug.cgi?id=1002559

test_apache_can_read_conf_files is intended to warn when the apache user cannot read files it needs to. The files being checked are overly broad; since httpd reads all of its configuration as root before switching to apache user, none of that needs to be apache-readable. Instead, just check files that apache will actually be reading at runtime. Everything related to Rails apps falls into this category.

Verified this bug with rubygem-openshift-origin-common-1.22.5.6-1.el6op.noarch in 2.1.z/2014-06-10.3, and PASS.

On broker:
# oo-diagnostics -v test_apache_can_read_conf_files
INFO: loading list of installed packages
INFO: OpenShift broker installed.
INFO: Loading the broker rails environment.
INFO: running: test_apache_can_read_conf_files
NO ERRORS

# chown root:root server_pub.pem
# oo-diagnostics -v test_apache_can_read_conf_files
INFO: loading list of installed packages
INFO: OpenShift broker installed.
INFO: Loading the broker rails environment.
INFO: running: test_apache_can_read_conf_files
WARN: test_apache_can_read_conf_files
The following configuration files have names and locations indicating that the apache user should be able to read them, but are not readable by the apache user:
/etc/openshift/server_pub.pem
The broker and console services may malfunction without read access to these files.
1 WARNINGS
NO ERRORS

On node:
# oo-diagnostics -v test_apache_can_read_conf_files
INFO: loading list of installed packages
INFO: OpenShift node installed.
INFO: running: test_apache_can_read_conf_files
NO ERRORS

# touch xx.db
# chmod o-r xx.db
# oo-diagnostics -v test_apache_can_read_conf_files
INFO: loading list of installed packages
INFO: OpenShift node installed.
INFO: running: test_apache_can_read_conf_files
WARN: test_apache_can_read_conf_files
The following configuration files have names and locations indicating that the apache user should be able to read them, but are not readable by the apache user:
/var/lib/openshift/.httpd.d/xx.db
The host httpd server may malfunction without read access to these files.
1 WARNINGS
NO ERRORS

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-0781.html
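The distinction the commit message draws (httpd reads its configuration as root at startup, so only files read after the switch to the apache user need to be apache-readable) can be shown with a mode-bit check. This is an added example, not the oo-diagnostics code; the function names, file modes and uid/gid values are constructed for illustration, and only the two file names come from the verification above.

```ruby
require 'tmpdir'
require 'fileutils'

# POSIX read check from mode bits alone. Exactly one permission class
# applies: owner, else group, else other. ACLs, SELinux and search
# permission on parent directories are not considered here.
def mode_allows_read?(stat, uid, gids)
  return true if uid == 0                                  # root bypasses mode bits
  return (stat.mode & 0o400) != 0 if stat.uid == uid       # owner class only
  return (stat.mode & 0o040) != 0 if gids.include?(stat.gid)
  (stat.mode & 0o004) != 0
end

# Return the subset of paths that the given identity could not read.
def unreadable_for(paths, uid, gids)
  paths.reject { |p| mode_allows_read?(File.stat(p), uid, gids) }
end

# Constructed demo: two files in a temp dir, checked for three identities:
# root at startup, an unprivileged runtime user outside the file's group,
# and the same user as a member of the file's group.
def demo
  Dir.mktmpdir do |dir|
    pem = File.join(dir, 'server_pub.pem')
    db  = File.join(dir, 'xx.db')
    [pem, db].each { |f| FileUtils.touch(f) }
    File.chmod(0o640, pem)   # no "other" read bit, as after `chmod o-r`
    File.chmod(0o644, db)
    st = File.stat(pem)
    runtime_uid = st.uid + 1 # hypothetical service uid, never the owner
    names = ->(list) { list.map { |p| File.basename(p) } }
    {
      startup_as_root:  names.(unreadable_for([pem, db], 0, [0])),
      runtime_other:    names.(unreadable_for([pem, db], runtime_uid, [st.gid + 1])),
      runtime_in_group: names.(unreadable_for([pem, db], runtime_uid, [st.gid]))
    }
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

Only the runtime identity outside the file's group is flagged, which is why a check like this belongs on files read after the privilege drop rather than on everything httpd parses at startup.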