Bug 1119910

Summary: katello-installer errors if umask too restrictive
Product: Red Hat Satellite Reporter: Dylan Gross <dgross>
Component: InstallationAssignee: Stephen Benjamin <stbenjam>
Status: CLOSED ERRATA QA Contact: Corey Welton <cwelton>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.0.3CC: achan, ahumbe, bbuckingham, cwelton, jmontleo, mmccune, sauchter, tkolhar, xdmoon
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
URL: http://projects.theforeman.org/issues/8378
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
katello-installer fails to execute when the host system has restrictive umasks. The restrictive umasks affects permissions and access to the keystore and certain cert files. This fix will set the umask to the required value for installation to make sure that the installation goes through properly.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-01-16 21:07:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1115190    

Description Dylan Gross 2014-07-15 20:06:31 UTC 
Description of problem:

A HTB customer attempted to install on their standard RHEL6.5 build, which had a more restrictive umask set for the root user (umask 0027).  As a result, some keystore and cert files fail to be placed with appropriate permissions and tomcat has issues during startup.   I have duplicated the customers results by simply changing root's umask to 0027 prior to an install.

Version-Release number of selected component (if applicable):

  Red Hat Satellite 6.0.3

How reproducible:

Steps to Reproduce:
1.  Set umask of root to 0027
2.  perform section 2.1 of the install guide to install satellite from the repo.
3.  Check the log for errors.

Actual results:

Errors during the install:

 Could not start Service[foreman-proxy]: Execution of '/usr/share/katello-installer/modules/service_wait/bin/service-wait foreman-proxy start' returned 1: Starting foreman-proxy: Unable to access the SSL keys. Are the values correct in settings.yml and do permissions allow reading?: Permission denied - /etc/foreman-proxy/ssl_cert.pem
 /Stage[main]/Foreman_proxy::Service/Service[foreman-proxy]/ensure: change from stopped to running failed: Could not start Service[foreman-proxy]: Execution of '/usr/share/katello-installer/modules/service_wait/bin/service-wait foreman-proxy start' returned 1: Starting foreman-proxy: Unable to access the SSL keys. Are the values correct in settings.yml and do permissions allow reading?: Permission denied - /etc/foreman-proxy/ssl_cert.pem
 Could not start Service[tomcat6]: Execution of '/usr/share/katello-installer/modules/service_wait/bin/service-wait tomcat6 start' returned 5: Starting tomcat6: [  OK  ]
 /Stage[main]/Candlepin::Service/Service[tomcat6]/ensure: change from stopped to running failed: Could not start Service[tomcat6]: Execution of '/usr/share/katello-installer/modules/service_wait/bin/service-wait tomcat6 start' returned 5: Starting tomcat6: [  OK  ]                                    
 /Stage[main]/Candlepin::Service/Service[tomcat6]: Failed to call refresh: Could not restart Service[tomcat6]: Execution of '/usr/share/katello-installer/modules/service_wait/bin/service-wait tomcat6 restart' returned 5: Stopping tomcat6: [  OK  ]
 /Stage[main]/Candlepin::Service/Service[tomcat6]: Could not restart Service[tomcat6]: Execution of '/usr/share/katello-installer/modules/service_wait/bin/service-wait tomcat6 restart' returned 5: Stopping tomcat6: [  OK  ]
 /Stage[main]/Candlepin::Service/Exec[cpinit]: Failed to call refresh: /usr/bin/wget --timeout=30 --tries=5 --retry-connrefused -qO- http://localhost:8080/candlepin/admin/init >/var/log/candlepin/cpinit.log 2>&1 && touch /var/lib/candlepin/cpinit_done returned 8 instead of one of [0]
 /Stage[main]/Candlepin::Service/Exec[cpinit]: /usr/bin/wget --timeout=30 --tries=5 --retry-connrefused -qO- http://localhost:8080/candlepin/admin/init >/var/log/candlepin/cpinit.log 2>&1 && touch /var/lib/candlepin/cpinit_done returned 8 instead of one of [0]
  Something went wrong! Check the log for ERROR-level output
  The full log is at /var/log/katello-installer/katello-installer.log

The installeer is trying to do a wget from tomcat, it looks like, and getting a return code of 8 (a generic "something went wrong on the server side" error")

The first noticeable indication that I saw was in the /var/log/tomcat6/catalina.out log, which is full of exceptions because it cannot read the keystore.

Jul 15, 2014 3:36:36 PM org.apache.tomcat.util.net.jsse.JSSESocketFactory getStore
SEVERE: Failed to load keystore type PKCS12 with path conf/keystore due to /usr/share/tomcat6/conf/keystore (Permission denied)
java.io.FileNotFoundException: /usr/share/tomcat6/conf/keystore (Permission denied)


# ls -la /usr/share/tomcat6/conf/keystore
lrwxrwxrwx. 1 tomcat foreman 25 Jul 15 15:36 /usr/share/tomcat6/conf/keystore -> /etc/pki/katello/keystore

... and /etc/pki/katello/keystore is restricted to 

# ls -la /etc/pki/katello/keystore
-rw-r-----. 1 root root 3010 Jul 15 15:36 /etc/pki/katello/keystore

... instead of the following on a successful install

# ls -la /etc/pki/katello/keystore
-rw-r--r--. 1 root root 2954 Jul  1 13:26 /etc/pki/katello/keystore


The other resulting permission issue that was apparent was:

(On my deliberately umask-sabotaged katello-installer)
# ll /etc/pki/katello/certs/katello-ca-stripped.crt
-rw-r-----. 1 root root 1883 Jul 15 15:20 /etc/pki/katello/certs/katello-ca-stripped.crt

(On a successful umask-0022 katello-installer)
# ll /etc/pki/katello/certs/katello-ca-stripped.crt
-rw-r--r--. 1 root root 1805 Jul  1 13:20 /etc/pki/katello/certs/katello-ca-stripped.crt



Expected results:

No Errors during the install
/etc/pki/katello/keystore readable by tomcat:foreman

Additional info:

I didn't see anything about a umask requirement in the installation guide.  However, I'd suspect that we'd just want to manually set it to 0022 in the early parts of the katello-installer, rather than adding a bit to the documentation.  There may be other permissions that are not quite as expected, but customer and I didn't pursue any deeper.   Just changed the umask to 0022 and did a re-install without issues.
Comment 1 Dylan Gross 2014-07-15 20:11:26 UTC 
Seems like I may have opened a duplicate.   Bug 1117265 *may* be the exact same.  Describing the symptoms of incorrect permissions.
Comment 2 RHEL Program Management 2014-07-15 20:24:19 UTC 
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.
Comment 4 Mike McCune 2014-08-07 13:28:48 UTC 
Minimum is a docs addition

Ideally we can add a pre-install check that will dump the installer if the umask is incompat with our installer.
Comment 5 Mike McCune 2014-08-26 05:19:35 UTC 
DOCS:

Customers need to have a umask of 0022 before executing the installation program.

WORKAROUND:

Ensure that the root user's umask is set to 0022 before executing katello-installer.
Comment 7 Dominic Cleal 2014-11-12 13:10:53 UTC 
*** Bug 1163018 has been marked as a duplicate of this bug. ***
Comment 9 Stephen Benjamin 2014-11-12 18:43:19 UTC 
Created redmine issue http://projects.theforeman.org/issues/8378 from this bug
Comment 11 Bryan Kearney 2014-11-17 23:02:39 UTC 
Moving to POST since upstream bug http://projects.theforeman.org/issues/8378 has been closed
-------------
Anonymous
Applied in changeset commit:katello-installer|96373329c7d528b1786514e546caa4cbfee6e3bb.
Comment 12 Stephen Benjamin 2014-11-18 16:21:11 UTC 
Change is upstream. To test this,

1. Set umask to something restrictive, like 027:
        umask 027
2. Run katello-installer
3. Ensure install completes successfully
Comment 17 Mike McCune 2014-12-11 17:24:34 UTC 
temp move to MOD for ET
Comment 19 Tazim Kolhar 2015-01-02 03:28:10 UTC 
VERIFIED:

# umask 0027
# umask
0027


# tail -f /var/log/katello-installer/katello-installer.log
[DEBUG 2015-01-01 22:23:53 main]  Finishing transaction 49036620
[DEBUG 2015-01-01 22:23:53 main]  Received report to process from intel-piketon-01.lab.bos.redhat.com
[DEBUG 2015-01-01 22:23:53 main]  Processing report from intel-piketon-01.lab.bos.redhat.com with processor Puppet::Reports::Store
[ INFO 2015-01-01 22:23:56 main] Puppet has finished, bye!
[ INFO 2015-01-01 22:23:56 main] Executing hooks in group post
[DEBUG 2015-01-01 22:23:56 main] Hook /usr/share/katello-installer/hooks/post/10-post_install.rb returned nil
[ INFO 2015-01-01 22:23:56 main] All hooks in group post finished
[DEBUG 2015-01-01 22:23:56 main] Exit with status code: 2 (signal was 2)
[DEBUG 2015-01-01 22:23:56 main] Cleaning /etc/katello-installer/d20150101-20238-zh2yjt
[DEBUG 2015-01-01 22:23:56 main] Cleaning /tmp/default_values.yaml

#  ls -la /etc/pki/katello/keystore
-rw-r--r--. 1 root root 2962 Dec 30 06:35 /etc/pki/katello/keystore

# ls -la /etc/pki/katello/keystore
-rw-r--r--. 1 root root 2962 Dec 30 06:35 /etc/pki/katello/keystore
Comment 20 Tazim Kolhar 2015-01-03 13:26:20 UTC 
verified in upstream,moving it back
to ON_QA
Comment 22 Corey Welton 2015-01-08 19:59:41 UTC 
QE Verified.
Comment 24 errata-xmlrpc 2015-01-16 21:07:36 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2015:0054