Bug 1182647
| Summary: | Permission denied: '/ostree/deploy/rhel-atomic-host/deploy/a087cbd6a18f8876da6075896994dae0256a09c5f0dc22852675ab47fd122c3c.0.origin on Rhel atomic | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Rehana <redakkan> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.1 | CC: | candlepin-bugs, jneedle, jsefler, lvrabec, mgrepl, mmalik, ovasik, plautrba, pvrabec, ssekidde, walters |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-20.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-03-05 10:48:36 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1005618 | | |
Setting need info on walters since the origin file is owned by ostree

This is a messy topic. One major problem we have here is that the subscription-manager stack runs in two entirely different ways:

1) As a command line in the context of the invoker (unconfined_t admin at a shell, or via cloud-init, etc)
2) As a daemon, running as rhsmcertd_t

These have different security contexts. Pretty much all cases of #1 are unconfined_t.

What we could probably do on the Atomic side is try to always ensure the .origin file is labeled as etc_t.

The other alternative of course is to weaken the policy, and allow rhsmcertd_t to write to usr_t.

A 3rd option is to disable rhsmcertd_t on Atomic, but that is not very appealing.

Long term though, I think the way subman should work is the command line talks IPC to the daemon. That would ensure there's only one code path used. I know this would be a substantial re-architecting. (And in fact, I have to make the same switch for Atomic).

I wrote an untested patch here: https://github.com/selinux-policy/selinux-policy/pull/11

(In reply to Colin Walters from comment #4)
> I wrote an untested patch here:
> https://github.com/selinux-policy/selinux-policy/pull/11

I don't see how this patch fixes this bug.

We don't want to allow to manage usr_t label.

Not sure how we want to label

/ostree/deploy/rhel-atomic-host/deploy

The patch labels the origin file as etc_t, which rhsmcertd_t should be able to write to. Or maybe it should be system_conf_t, matching the /etc/yum.repos.d?

As for labeling the deployment root, it's an interesting question as it doesn't have a precedent really. The deployment root lives outside the OS itself, managing the roots. usr_t seems OK to me for it, and actually changing it not would be a serious pain.

(In reply to Colin Walters from comment #6)
> The patch labels the origin file as etc_t, which rhsmcertd_t should be able
> to write to. Or maybe it should be system_conf_t, matching the
> /etc/yum.repos.d?

Yes, system_conf_t is correct label.

>
> As for labeling the deployment root, it's an interesting question as it
> doesn't have a precedent really. The deployment root lives outside the OS
> itself, managing the roots. usr_t seems OK to me for it, and actually
> changing it not would be a serious pain.

BTW, see also earlier bug in https://bugzilla.redhat.com/show_bug.cgi?id=1117420

There's another issue here which is that even if we make the .origin file system_conf_t, the parent directory is usr_t, and if subman happened to change the file by the "write new file and rename into place" instead of "truncate", then it'd be denied.

I think it's a bug that subman does truncation in place, as it's not atomic. On the other hand, if the file is broken, you can just run subman again.

Yes, it is why I

(In reply to Miroslav Grepl from comment #5)
> (In reply to Colin Walters from comment #4)
> > I wrote an untested patch here:
> > https://github.com/selinux-policy/selinux-policy/pull/11
>
> I don't see how this patch fixes this bug.
>
> We don't want to allow to manage usr_t label.
>
> Not sure how we want to label
>
> /ostree/deploy/rhel-atomic-host/deploy

Yes, this is a reason why we need to label /ostree/deploy/rhel-atomic-host/deploy by system_conf_t.

Conceptually the OSTree design of having the deployment root next to their .origin file mixes "read only data" with "configuration".

Labeling it system_conf_t would probably work fine...a clean solution would probably require moving the .origin file somewhere else. Which would be hard to do right now.

Basically I feel like labeling it system_conf_t is kind of a hack, but I don't have any better ideas.

Yes, I agree.

So at this point I don't think we can get policy changes in 7.1. The options then become:

- Include a custom selinux-policy for Atomic

  This is doable but we don't want to carry a custom policy for long for obvious reasons.

- Disable rhsmcertd for Atomic 7.1.0, fix this in an update

  What would be the risk of this? The issue here is if the entitlement certs expire, right? Could we assume customers will update and get the rhsmcertd fix before they expire?

- Change OSTree to explicitly label the .origin file as system_conf_t

  This should be quite doable, the only thing that would break is if rhsmcertd started doing "write new and rename", but that seems unlikely.

https://github.com/GNOME/ostree/pull/53 implements the third option.

I added
commit 0bb737ce2e376195b4a68f878173a725bbd621aa
Author: Miroslav Grepl <mgrepl>
Date: Wed Jan 21 10:10:44 2015 +0100
Label /ostree/deploy/rhel-atomic-host/deploy directory as system_conf_t.
for RHEL7.1. We still need to have defined labeling in the policy.
*** Bug 1185930 has been marked as a duplicate of this bug. ***

Retested on new atomic machine having below packages installed,

```
-bash-4.2# subscription-manager version
server type: This system is currently not registered.
subscription management server: 0.9.26.8-1
subscription management rules: 5.12
subscription-manager: 1.13.18-1.el7
python-rhsm: 1.13.10-1.el7
-bash-4.2# rpm -qa | grep selinux-policy*
selinux-policy-3.13.1-20.el7.noarch
selinux-policy-targeted-3.13.1-20.el7.noarch
-bash-4.2# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
-bash-4.2# subscription-manager config --server.hostname=subscription.rhn.stage.redhat.com --server.prefix=/subscription --server.port=443 --rhsm.baseurl=https://cdn.stage.redhat.com/
```

1) Register atomic machine to stage server
2) set auto-attach to 2mins, restart rhsmcertd service and wait for 2 mins

```
-bash-4.2# cat /ostree/deploy/rhel-atomic-host/deploy/68c68e36ca47e9370cada4b433c1031c4f5253eef9e41208f1d13f77bdaeb2a0.0.origin
[origin]
refspec=rhel-atomic-host:rhel-atomic-host/7/x86_64/standard
unconfigured-state=This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
-bash-4.2# subscription-manager register
Username: stage_atomic1
Password:
The system has been registered with ID: 50b65fa9-70a7-4d68-941f-a322f5577eb6
-bash-4.2# service rhsmcertd restart
Redirecting to /bin/systemctl restart rhsmcertd.service
-bash-4.2# cat /etc/ostree/remotes.d/redhat.conf
[remote "rhel-atomic-host-ostree"]
url = https://cdn.stage.redhat.com/content/dist/rhel/atomic/7/7Server/x86_64/ostree/repo
gpg-verify = false
tls-client-cert-path = /etc/pki/entitlement/2293790674337488155.pem
tls-client-key-path = /etc/pki/entitlement/2293790674337488155-key.pem
tls-ca-path = /etc/rhsm/ca/redhat-uep.pem
-bash-4.2# ls /etc/pki/entitlement/
2293790674337488155-key.pem 2293790674337488155.pem
-bash-4.2# rpm-ostree status
TIMESTAMP (UTC) VERSION ID OSNAME REFSPEC
* 2015-01-26 22:23:07 7.1.131 68c68e36ca rhel-atomic-host rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
-bash-4.2# cat /ostree/deploy/rhel-atomic-host/deploy/68c68e36ca47e9370cada4b433c1031c4f5253eef9e41208f1d13f77bdaeb2a0.0.origin
[origin]
refspec=rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
-bash-4.2# ls -laZ /ostree/deploy/rhel-atomic-host/deploy/
drwxr-xr-x. root root system_u:object_r:usr_t:s0 .
drwxr-xr-x. root root system_u:object_r:usr_t:s0 ..
drwxr-xr-x. root root system_u:object_r:root_t:s0 68c68e36ca47e9370cada4b433c1031c4f5253eef9e41208f1d13f77bdaeb2a0.0
-rw-r--r--. root root system_u:object_r:system_conf_t:s0 68c68e36ca47e9370cada4b433c1031c4f5253eef9e41208f1d13f77bdaeb2a0.0.origin
```

No error messages were observed in the rhsm.log. Also observed that redhat.conf and .origin file was updated.
resources: 2015-01-28 05:31:48,961 [DEBUG] rhsmcertd-worker @connection.py:710 - {'': '/', 'guestids': '/consumers/{consumer_uuid}/guestids', 'cdn': '/cdn', 'content_overrides': '/consumers/{consumer_uuid}/content_overrides', 'hypervisors': '/hypervisors', 'serials': '/serials', 'deleted_consumers': '/deleted_consumers', 'consumers': '/consumers', 'migrations': '/migrations', 'content': '/content', 'entitlements': '/entitlements', 'events': '/events', 'status': '/status', 'jobs': '/jobs', 'users': '/users', 'subscriptions': '/subscriptions', 'rules': '/rules', 'distributor_versions': '/distributor_versions', 'statistics/generate': '/statistics/generate', 'activation_keys': '/activation_keys', 'atom': '/atom', 'owners': '/owners', 'roles': '/roles', 'admin': '/admin', 'products': '/products', 'pools': '/pools', 'consumertypes': '/consumertypes', 'crl': '/crl'} 2015-01-28 05:31:48,962 [DEBUG] rhsmcertd-worker @connection.py:420 - Loaded CA certificates from /etc/rhsm/ca/: redhat-uep.pem, candlepin-stage.pem 2015-01-28 05:31:48,962 [DEBUG] rhsmcertd-worker @connection.py:469 - Making request: GET /subscription/consumers/50b65fa9-70a7-4d68-941f-a322f5577eb6/content_overrides 2015-01-28 05:31:56,171 [DEBUG] rhsmcertd-worker @connection.py:492 - Response: status=200 2015-01-28 05:31:56,173 [DEBUG] rhsmcertd-worker @cache.py:272 - Started thread to write cache: /var/lib/rhsm/cache/content_overrides.json 2015-01-28 05:31:56,205 [DEBUG] rhsmcertd-worker @__init__.py:85 - Searching for content of type: yum 2015-01-28 05:31:56,208 [DEBUG] rhsmcertd-worker @connection.py:420 - Loaded CA certificates from /etc/rhsm/ca/: redhat-uep.pem, candlepin-stage.pem 2015-01-28 05:31:56,209 [DEBUG] rhsmcertd-worker @connection.py:469 - Making request: GET /subscription/consumers/50b65fa9-70a7-4d68-941f-a322f5577eb6/release 2015-01-28 05:31:56,736 [DEBUG] rhsmcertd-worker @connection.py:492 - Response: status=200 2015-01-28 05:31:56,738 [DEBUG] rhsmcertd-worker @cache.py:272 - Started 
thread to write cache: /var/lib/rhsm/cache/releasever.json 2015-01-28 05:31:56,932 [DEBUG] rhsmcertd-worker @cache.py:110 - Wrote cache: /var/lib/rhsm/cache/written_overrides.json 2015-01-28 05:31:56,934 [INFO] rhsmcertd-worker @repolib.py:270 - repos updated: Repo updates Total repo updates: 58 Updated [id:rhel-7-server-optional-debug-rpms Red Hat Enterprise Linux 7 Server - Optional (Debug RPMs)] [id:rhel-7-server-rhn-tools-beta-debug-rpms RHN Tools for Red Hat Enterprise Linux 7 Server Beta (Debug RPMs)] [id:rhel-7-server-v2vwin-1-debug-rpms Red Hat Virt V2V Tool for RHEL 7 (Debug RPMs)] [id:rhel-7-server-rhn-tools-debug-rpms RHN Tools for Red Hat Enterprise Linux 7 Server (Debug RPMs)] [id:rhel-server-rhscl-7-beta-rpms Red Hat Software Collections Beta RPMs for Red Hat Enterprise Linux 7 Server] [id:rhel-7-server-beta-source-rpms Red Hat Enterprise Linux 7 Server Beta (Source RPMs)] [id:rhel-7-server-v2vwin-1-rpms Red Hat Virt V2V Tool for RHEL 7 (RPMs)] [id:rhel-atomic-host-beta-source-rpms Red Hat Enterprise Linux Atomic Host Beta (Source RPMs)] [id:rhel-7-server-rpms Red Hat Enterprise Linux 7 Server (RPMs)] [id:rhel-7-server-beta-rpms Red Hat Enterprise Linux 7 Server Beta (RPMs)] [id:rhel-7-server-extras-rpms Red Hat Enterprise Linux 7 Server - Extras (RPMs)] [id:rhel-7-server-rh-common-beta-debug-rpms Red Hat Enterprise Linux 7 Server - RH Common Beta (Debug RPMs)] [id:rhel-7-server-supplementary-beta-debug-rpms Red Hat Enterprise Linux 7 Server - Supplementary Beta (Debug RPMs)] [id:rhel-server-rhscl-7-source-rpms Red Hat Software Collections Source RPMs for Red Hat Enterprise Linux 7 Server] [id:rhel-atomic-host-beta-debug-rpms Red Hat Enterprise Linux Atomic Host Beta (Debug RPMs)] [id:rhel-7-server-rhn-tools-beta-rpms RHN Tools for Red Hat Enterprise Linux 7 Server Beta (RPMs)] [id:rhel-7-server-optional-beta-source-rpms Red Hat Enterprise Linux 7 Server - Optional Beta (Source RPMs)] [id:rhel-7-server-supplementary-debug-rpms Red Hat Enterprise Linux 
7 Server - Supplementary (Debug RPMs)] [id:rhel-server-rhscl-7-debug-rpms Red Hat Software Collections Debug RPMs for Red Hat Enterprise Linux 7 Server] [id:rhel-server-rhscl-7-beta-source-rpms Red Hat Software Collections Beta Source RPMs for Red Hat Enterprise Linux 7 Server] [id:rhel-7-server-rhn-tools-rpms RHN Tools for Red Hat Enterprise Linux 7 Server (RPMs)] [id:rhel-server-rhscl-7-beta-debug-rpms Red Hat Software Collections Beta Debug RPMs for Red Hat Enterprise Linux 7 Server] [id:rhel-7-server-extras-debug-rpms Red Hat Enterprise Linux 7 Server - Extras (Debug RPMs)] [id:rhel-7-server-debug-rpms Red Hat Enterprise Linux 7 Server (Debug RPMs)] [id:rhel-7-server-thirdparty-oracle-java-rpms Red Hat Enterprise Linux 7 Server - Oracle Java (RPMs)] [id:rhel-server-rhscl-7-rpms Red Hat Software Collections RPMs for Red Hat Enterprise Linux 7 Server] [id:rhel-7-server-optional-fastrack-rpms Red Hat Enterprise Linux 7 Server - Optional Fastrack (RPMs)] [id:rhel-7-server-fastrack-rpms Red Hat Enterprise Linux 7 Server - Fastrack (RPMs)] [id:rhel-7-server-optional-beta-debug-rpms Red Hat Enterprise Linux 7 Server - Optional Beta (Debug RPMs)] [id:rhel-7-server-rh-common-rpms Red Hat Enterprise Linux 7 Server - RH Common (RPMs)] [id:rhel-7-server-thirdparty-oracle-java-beta-rpms Red Hat Enterprise Linux 7 Server - Oracle Java Beta (RPMs)] [id:rhel-7-server-optional-fastrack-debug-rpms Red Hat Enterprise Linux 7 Server - Optional Fastrack (Debug RPMs)] [id:rhel-atomic-host-rpms Red Hat Enterprise Linux Atomic Host (RPMs)] [id:rhel-7-server-rh-common-debug-rpms Red Hat Enterprise Linux 7 Server - RH Common (Debug RPMs)] [id:rhel-7-server-supplementary-rpms Red Hat Enterprise Linux 7 Server - Supplementary (RPMs)] [id:rhel-7-server-rhn-tools-beta-source-rpms RHN Tools for Red Hat Enterprise Linux 7 Server Beta (Source RPMs)] [id:rhel-7-server-fastrack-source-rpms Red Hat Enterprise Linux 7 Server - Fastrack (Source RPMs)] [id:rhel-7-server-source-rpms Red Hat 
Enterprise Linux 7 Server (Source RPMs)] [id:rhel-7-server-optional-rpms Red Hat Enterprise Linux 7 Server - Optional (RPMs)] [id:rhel-7-server-rh-common-beta-source-rpms Red Hat Enterprise Linux 7 Server - RH Common Beta (Source RPMs)] [id:rhel-7-server-thirdparty-oracle-java-source-rpms Red Hat Enterprise Linux 7 Server - Oracle Java (Source RPMs)] [id:rhel-7-server-supplementary-beta-source-rpms Red Hat Enterprise Linux 7 Server - Supplementary Beta (Source RPMs)] [id:rhel-7-server-rh-common-beta-rpms Red Hat Enterprise Linux 7 Server - RH Common Beta (RPMs)] [id:rhel-atomic-host-source-rpms Red Hat Enterprise Linux Atomic Host (Source RPMs)] [id:rhel-7-server-supplementary-beta-rpms Red Hat Enterprise Linux 7 Server - Supplementary Beta (RPMs)] [id:rhel-atomic-host-beta-rpms Red Hat Enterprise Linux Atomic Host Beta (RPMs)] [id:rhel-7-server-extras-source-rpms Red Hat Enterprise Linux 7 Server - Extras (Source RPMs)] [id:rhel-7-server-optional-fastrack-source-rpms Red Hat Enterprise Linux 7 Server - Optional Fastrack (Source RPMs)] [id:rhel-7-server-rhn-tools-source-rpms RHN Tools for Red Hat Enterprise Linux 7 Server (Source RPMs)] [id:rhel-7-server-fastrack-debug-rpms Red Hat Enterprise Linux 7 Server - Fastrack (Debug RPMs)] [id:rhel-7-server-rh-common-source-rpms Red Hat Enterprise Linux 7 Server - RH Common (Source RPMs)] [id:rhel-7-server-supplementary-source-rpms Red Hat Enterprise Linux 7 Server - Supplementary (Source RPMs)] [id:rhel-7-server-thirdparty-oracle-java-beta-source-rpms Red Hat Enterprise Linux 7 Server - Oracle Java Beta (Source RPMs)] [id:rhel-7-server-optional-beta-rpms Red Hat Enterprise Linux 7 Server - Optional Beta (RPMs)] [id:rhel-7-server-beta-debug-rpms Red Hat Enterprise Linux 7 Server Beta (Debug RPMs)] [id:rhel-7-server-optional-source-rpms Red Hat Enterprise Linux 7 Server - Optional (Source RPMs)] [id:rhel-atomic-host-debug-rpms Red Hat Enterprise Linux Atomic Host (Debug RPMs)] [id:rhel-7-server-v2vwin-1-source-rpms Red Hat 
Virt V2V Tool for RHEL 7 (Source RPMs)] Added (new) <NONE> Deleted <NONE> 2015-01-28 05:31:56,948 [DEBUG] rhsmcertd-worker @plugins.py:569 - loaded plugin modules: [<module 'container_content' from '/usr/share/rhsm-plugins/container_content.py'>, <module 'ostree_content' from '/usr/share/rhsm-plugins/ostree_content.py'>] 2015-01-28 05:31:56,948 [DEBUG] rhsmcertd-worker @plugins.py:570 - loaded plugins: {'container_content.ContainerContentPlugin': <container_content.ContainerContentPlugin object at 0x13d7d90>, 'ostree_content.OstreeContentPlugin': <ostree_content.OstreeContentPlugin object at 0x1198150>} 2015-01-28 05:31:56,953 [DEBUG] rhsmcertd-worker @plugins.py:769 - Running update_content_hook in container_content.ContainerContentPlugin 2015-01-28 05:31:56,953 [DEBUG] rhsmcertd-worker @base_action_client.py:85 - running lib: <subscription_manager.content_action_client.ContentPluginActionInvoker object at 0x11981d0> 2015-01-28 05:31:56,953 [INFO] rhsmcertd-worker @container_content.py:43 - Updating container content. 
2015-01-28 05:31:56,954 [INFO] rhsmcertd-worker @container_content.py:45 - registry hostnames = registry.access.redhat.com,cdn.redhat.com,access.redhat.com 2015-01-28 05:31:56,954 [DEBUG] rhsmcertd-worker @__init__.py:85 - Searching for content of type: containerimage 2015-01-28 05:31:56,955 [DEBUG] rhsmcertd-worker @container.py:53 - Got content_sets: [<subscription_manager.model.ent_cert.EntitlementCertContent object at 0x19649d0>, <subscription_manager.model.ent_cert.EntitlementCertContent object at 0x1966450>] 2015-01-28 05:31:56,955 [DEBUG] rhsmcertd-worker @container.py:138 - Syncing container certificates to /etc/docker/certs.d/registry.access.redhat.com 2015-01-28 05:31:56,955 [WARNING] rhsmcertd-worker @container.py:140 - Container cert directory does not exist: /etc/docker/certs.d/ 2015-01-28 05:31:56,956 [WARNING] rhsmcertd-worker @container.py:141 - Exiting plugin 2015-01-28 05:31:56,956 [DEBUG] rhsmcertd-worker @container.py:138 - Syncing container certificates to /etc/docker/certs.d/cdn.redhat.com 2015-01-28 05:31:56,956 [WARNING] rhsmcertd-worker @container.py:140 - Container cert directory does not exist: /etc/docker/certs.d/ 2015-01-28 05:31:56,956 [WARNING] rhsmcertd-worker @container.py:141 - Exiting plugin 2015-01-28 05:31:56,957 [DEBUG] rhsmcertd-worker @container.py:138 - Syncing container certificates to /etc/docker/certs.d/access.redhat.com 2015-01-28 05:31:56,957 [WARNING] rhsmcertd-worker @container.py:140 - Container cert directory does not exist: /etc/docker/certs.d/ 2015-01-28 05:31:56,957 [WARNING] rhsmcertd-worker @container.py:141 - Exiting plugin 2015-01-28 05:31:56,957 [DEBUG] rhsmcertd-worker @plugins.py:769 - Running update_content_hook in ostree_content.OstreeContentPlugin 2015-01-28 05:31:56,958 [DEBUG] rhsmcertd-worker @base_action_client.py:85 - running lib: <subscription_manager.content_action_client.ContentPluginActionInvoker object at 0x1966750> 2015-01-28 05:31:56,958 [INFO] rhsmcertd-worker @ostree_content.py:34 - ostree 
update_content_hook plugin. 2015-01-28 05:31:56,960 [DEBUG] rhsmcertd-worker @__init__.py:85 - Searching for content of type: ostree 2015-01-28 05:31:56,962 [DEBUG] rhsmcertd-worker @config.py:200 - full_url: https://cdn.stage.redhat.com/content/dist/rhel/atomic/7/7Server/x86_64/ostree/repo 2015-01-28 05:31:57,126 [WARNING] rhsmcertd-worker @model.py:403 - Multiple remotes configured in <<subscription_manager.plugin.ostree.model.OstreeRepoConfig object at 0x1198250> repo_file_path=/etc/ostree/remotes.d/redhat.conf> Core: {} Remotes: <class 'subscription_manager.plugin.ostree.model.OstreeRemotes'> <subscription_manager.plugin.ostree.model.OstreeRemote object at 0x1967e10> (name=rhel-atomic-host-ostree url=https://cdn.stage.redhat.com/content/dist/rhel/atomic/7/7Server/x86_64/ostree/repo gpg_verify=false tls_client_cert_path=/etc/pki/entitlement/2293790674337488155.pem tls_client_key_path=/etc/pki/entitlement/2293790674337488155-key.pem) </OstreeRemotes> . 2015-01-28 05:31:57,127 [DEBUG] rhsmcertd-worker @model.py:355 - First portion of previous ref: rhel-atomic-host 2015-01-28 05:31:57,127 [WARNING] rhsmcertd-worker @model.py:407 - Unable to find matching remote for origin: rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard 2015-01-28 05:31:57,127 [WARNING] rhsmcertd-worker @model.py:408 - Leaving refspec in /ostree/deploy/rhel-atomic-host/deploy/68c68e36ca47e9370cada4b433c1031c4f5253eef9e41208f1d13f77bdaeb2a0.0.origin 2015-01-28 05:31:57,127 [WARNING] rhsmcertd-worker @model.py:424 - No remotes that match refspec for deployed origin found, so choosing the first remote names sorted: rhel-atomic-host-ostree 2015-01-28 05:31:57,128 [DEBUG] rhsmcertd-worker @model.py:444 - No change to refspec in /ostree/deploy/rhel-atomic-host/deploy/68c68e36ca47e9370cada4b433c1031c4f5253eef9e41208f1d13f77bdaeb2a0.0.origin 2015-01-28 05:31:57,128 [DEBUG] rhsmcertd-worker @model.py:449 - But saving 
/ostree/deploy/rhel-atomic-host/deploy/68c68e36ca47e9370cada4b433c1031c4f5253eef9e41208f1d13f77bdaeb2a0.0.origin anyway, in case other values changed. 2015-01-28 05:31:57,129 [DEBUG] rhsmcertd-worker @action_invoker.py:95 - Ostree update report: Ostree repo updates Updates: remote "rhel-atomic-host-ostree" url: /content/dist/rhel/atomic/7/7Server/x86_64/ostree/repo gpg-verify: False tls-client-cert-path: /etc/pki/entitlement/2293790674337488155.pem tls-client-key-path: /etc/pki/entitlement/2293790674337488155-key.pem tls-ca-path: None Added: remote "rhel-atomic-host-ostree" url: /content/dist/rhel/atomic/7/7Server/x86_64/ostree/repo gpg-verify: False tls-client-cert-path: /etc/pki/entitlement/2293790674337488155.pem tls-client-key-path: /etc/pki/entitlement/2293790674337488155-key.pem tls-ca-path: None Deleted: remote "rhel-atomic-host-ostree" url: /content/dist/rhel/atomic/7/7Server/x86_64/ostree/repo gpg-verify: False tls-client-cert-path: /etc/pki/entitlement/2293790674337488155.pem tls-client-key-path: /etc/pki/entitlement/2293790674337488155-key.pem tls-ca-path: None 2015-01-28 05:31:57,131 [DEBUG] rhsmcertd-worker @base_action_client.py:85 - running lib: <subscription_manager.factlib.FactsActionInvoker object at 0x1284990> 2015-01-28 05:31:57,222 [DEBUG] rhsmcertd-worker @hwprobe.py:554 - cpu info: {'cpu.cpu(s)': 1, 'cpu.core(s)_per_socket': 1, 'cpu.thread(s)_per_core': 1, 'cpu.topology_source': 'kernel /sys cpu sibling lists', 'cpu.cpu_socket(s)': 1} 2015-01-28 05:31:57,231 [DEBUG] rhsmcertd-worker @hwprobe.py:773 - Running 'virt-what' 2015-01-28 05:31:57,259 [DEBUG] rhsmcertd-worker @hwprobe.py:777 - virt-what stdout: kvm 2015-01-28 05:31:57,260 [DEBUG] rhsmcertd-worker @hwprobe.py:778 - virt-what stderr: 2015-01-28 05:31:57,260 [INFO] rhsmcertd-worker @hwprobe.py:766 - virt.is_guest: True 2015-01-28 05:31:57,260 [INFO] rhsmcertd-worker @hwprobe.py:767 - virt.host_type: kvm 2015-01-28 05:31:57,270 [INFO] rhsmcertd-worker @hwprobe.py:822 - virt.uuid: 
b448ffe2-5242-4857-9bff-e489d15d0a44 2015-01-28 05:31:57,271 [INFO] rhsmcertd-worker @factlib.py:104 - Facts have not changed, skipping upload. 2015-01-28 05:31:57,271 [DEBUG] rhsmcertd-worker @base_action_client.py:85 - running lib: <subscription_manager.packageprofilelib.PackageProfileActionInvoker object at 0x1284290> 2015-01-28 05:31:57,272 [INFO] rhsmcertd-worker @cache.py:381 - Server does not support packages, skipping profile upload. 2015-01-28 05:31:57,272 [DEBUG] rhsmcertd-worker @base_action_client.py:85 - running lib: <subscription_manager.installedproductslib.InstalledProductsActionInvoker object at 0x1284b90> 2015-01-28 05:31:57,273 [INFO] rhsmcertd-worker @cache.py:138 - Checking current system info against cache: /var/lib/rhsm/cache/installed_products.json 2015-01-28 05:31:57,273 [INFO] rhsmcertd-worker @cache.py:155 - No changes. Marking Verified!! Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-0458.html |
Description of problem:
Observed that after subscription-manager auto-heal on rhel atomic, selinux denials were observed on the system, and that prevented .origin file from updating

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-16.el7.noarch
selinux-policy-targeted-3.13.1-16.el7.noarch
subscription management server: 0.9.26.7-1
subscription management rules: 5.12
subscription-manager: 1.13.12-1.el7
python-rhsm: 1.13.8-1.el7

How reproducible:
100%

Steps to Reproduce:
1. Register atomic host stage server
2. set auto-heal interval to 2mins, restart rhsmcertd services
3. Wait for the auto-heal to complete

Actual results:
Observed Permission denied error on rhsm.log

Expected results:
No denials are expected, .origin file should be updated with details

Additional info:
Jan 15 13:28:41 localhost kernel: type=1400 audit(1421328521.078:6): avc: denied { write } for pid=1125 comm="rhsmcertd-worke" name="a087cbd6a18f8876da6075896994dae0256a09c5f0dc22852675ab47fd122c3c.0.origin" dev="dm-0" ino=4223084 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
Jan 15 13:28:43 localhost kernel: type=1400 audit(1421328523.342:7): avc: denied { write } for pid=1130 comm="rhsmcertd-worke" name=".dbenv.lock" dev="dm-0" ino=12616198 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
Jan 15 13:28:47 localhost kernel: type=1400 audit(1421328527.172:8): avc: denied { write } for pid=1130 comm="rhsmcertd-worke" name="a087cbd6a18f8876da6075896994dae0256a09c5f0dc22852675ab47fd122c3c.0.origin" dev="dm-0" ino=4223084 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
Jan 15 13:29:17 localhost kernel: type=1400 audit(1421328556.976:9): avc: denied { write } for pid=1162 comm="rhsmcertd-worke" name=".dbenv.lock" dev="dm-0" ino=12616198 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

$ ls -laZ /ostree/deploy/rhel-atomic-host/deploy/
drwxr-xr-x. root root system_u:object_r:usr_t:s0 .
drwxr-xr-x. root root system_u:object_r:usr_t:s0 ..
drwxr-xr-x. root root system_u:object_r:root_t:s0 a087cbd6a18f8876da6075896994dae0256a09c5f0dc22852675ab47fd122c3c.0
-rw-r--r--. root root system_u:object_r:usr_t:s0 a087cbd6a18f8876da6075896994dae0256a09c5f0dc22852675ab47fd122c3c.0.origin

rhsm.log
==========
orted: rhel-atomic-host-beta-ostree
2015-01-15 13:28:41,077 [INFO] rhsmcertd-worker @model.py:437 - Updating refspec in: /ostree/deploy/rhel-atomic-host/deploy/a087cbd6a18f8876da6075896994dae0256a09c5f0dc22852675ab47fd122c3c.0.origin
2015-01-15 13:28:41,077 [INFO] rhsmcertd-worker @model.py:438 - old = rhel-atomic-host:rhel-atomic-host/7/x86_64/standard
2015-01-15 13:28:41,078 [INFO] rhsmcertd-worker @model.py:439 - new = rhel-atomic-host-beta-ostree:rhel-atomic-host/7/x86_64/standard
2015-01-15 13:28:41,145 [ERROR] rhsmcertd-worker @plugins.py:489 - [Errno 13] Permission denied: '/ostree/deploy/rhel-atomic-host/deploy/a087cbd6a18f8876da6075896994dae0256a09c5f0dc22852675ab47fd122c3c.0.origin'
Traceback (most recent call last):
  File "/usr/share/rhsm/subscription_manager/plugins.py", line 487, in run
    self.func(self.conduit)
  File "/usr/share/rhsm-plugins/ostree_content.py", line 36, in update_content_hook
    report = action_invoker.OstreeContentUpdateActionCommand(ent_source=conduit.ent_source).perform()
  File "/usr/share/rhsm/subscription_manager/plugin/ostree/action_invoker.py", line 67, in perform
    return self.update_repo_config()
  File "/usr/share/rhsm/subscription_manager/plugin/ostree/action_invoker.py", line 93, in update_repo_config
    self.update_origin_file(ostree_repo_config)
  File "/usr/share/rhsm/subscription_manager/plugin/ostree/action_invoker.py", line 120, in update_origin_file
    updater.run()
  File "/usr/share/rhsm/subscription_manager/plugin/ostree/model.py", line 441, in run
    origin_cfg.save()
  File "/usr/share/rhsm/subscription_manager/plugin/ostree/config.py", line 119, in save
    super(KeyFileConfigParser, self).save()
  File "/usr/lib64/python2.7/site-packages/rhsm/config.py", line 107, in save
    fo = open(self.config_file, "wb")
IOError: [Errno 13] Permission denied: '/ostree/deploy/rhel-atomic-host/deploy/a087cbd6a18f8876da6075896994dae0256a09c5f0dc22852675ab47fd122c3c.0.origin'
2015-01-15 13:28:41,153 [WARNING] rhsmcertd-worker @base_action_client.py:72 - Exception caught while running <subscription_manager.content_action_client.ContentPluginActionInvoker object at 0x1a910d0> update
2015-01-15 13:28:41,154 [ERROR] rhsmcertd-worker @base_action_client.py:73 - [Errno 13] Permission denied: '/ostree/deploy/rhel-atomic-host/deploy/a087cbd6a18f8876da6075896994dae0256a09c5f0dc22852675ab47fd122c3c.0.origin'
Traceback (most recent call last):
  File "/usr/share/rhsm/subscription_manager/base_action_client.py", line 63, in _run_update
    update_report = lib.update()
  File "/usr/share/rhsm/subscription_manager/certlib.py", line 31, in update
    self.report = self.locker.run(self._do_update)
  File "/usr/share/rhsm/subscription_manager/certlib.py", line 17, in run
    return action()
  File "/usr/share/rhsm/subscription_manager/content_action_client.py", line 81, in _do_update
    return action.perform()
  File "/usr/share/rhsm/subscription_manager/content_action_client.py", line 59, in perform
    self.runner.run()
  File "/usr/share/rhsm/subscription_manager/plugins.py", line 487, in run
    self.func(self.conduit)
  File "/usr/share/rhsm-plugins/ostree_content.py", line 36, in update_content_hook
    report = action_invoker.OstreeContentUpdateActionCommand(ent_source=conduit.ent_source).perform()
  File "/usr/share/rhsm/subscription_manager/plugin/ostree/action_invoker.py", line 67, in perform
    return self.update_repo_config()
  File "/usr/share/rhsm/subscription_manager/plugin/ostree/action_invoker.py", line 93, in update_repo_config
    self.update_origin_file(ostree_repo_config)
  File "/usr/share/rhsm/subscription_manager/plugin/ostree/action_invoker.py", line 120, in update_origin_file
    updater.run()
  File "/usr/share/rhsm/subscription_manager/plugin/ostree/model.py", line 441, in run
    origin_cfg.save()
  File "/usr/share/rhsm/subscription_manager/plugin/ostree/config.py", line 119, in save
    super(KeyFileConfigParser, self).save()
  File "/usr/lib64/python2.7/site-packages/rhsm/config.py", line 107, in save
    fo = open(self.config_file, "wb")
IOError: [Errno 13] Permission denied: '/ostree/deploy/rhel-atomic-host/deploy/a087cbd6a18f8876da6075896994dae0256a09c5f0dc22852675ab47fd122c3c.0.origin'
2015-01-15 13:28:41,174 [DEBUG] rhsmcertd-worker @entbranding.py:47 - BrandInstaller ent_certs: []
2015-01-15 13:28:41,175 [DEBUG] rhsmcertd-worker @certdirectory.py:216 - Installed product IDs: ['69', '272']
2015-01-15 13:28:41,283 [DEBUG] rhsmcertd-worker @rhelentbranding.py:122 - 0 entitlement certs with brand info found
2015-01-15 13:28:41,286 [INFO] rhsmcertd-worker @healinglib.py:133 - Auto-heal check complete.
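The triage implied by the description above, as an added example (not part of the original report, and not subscription-manager or selinux-policy code): it parses the kernel AVC records and the rhsm.log `[Errno 13]` errors quoted in the report, ties each application error to the denial on the same file name within a short window, and groups the denials by (source type, target type, class, permission). The function names, the 2-second window and the assumption that the host clock is UTC are choices made for this example.

```python
import re
from calendar import timegm
from collections import defaultdict
from datetime import datetime
from os.path import basename

# Sample input: the four AVC records from the bug description above.
AVC_LINES = '''
Jan 15 13:28:41 localhost kernel: type=1400 audit(1421328521.078:6): avc: denied { write } for pid=1125 comm="rhsmcertd-worke" name="a087cbd6a18f8876da6075896994dae0256a09c5f0dc22852675ab47fd122c3c.0.origin" dev="dm-0" ino=4223084 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
Jan 15 13:28:43 localhost kernel: type=1400 audit(1421328523.342:7): avc: denied { write } for pid=1130 comm="rhsmcertd-worke" name=".dbenv.lock" dev="dm-0" ino=12616198 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
Jan 15 13:28:47 localhost kernel: type=1400 audit(1421328527.172:8): avc: denied { write } for pid=1130 comm="rhsmcertd-worke" name="a087cbd6a18f8876da6075896994dae0256a09c5f0dc22852675ab47fd122c3c.0.origin" dev="dm-0" ino=4223084 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
Jan 15 13:29:17 localhost kernel: type=1400 audit(1421328556.976:9): avc: denied { write } for pid=1162 comm="rhsmcertd-worke" name=".dbenv.lock" dev="dm-0" ino=12616198 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
'''

# Sample input: three rhsm.log entries from the same description.
APP_LOG = '''
2015-01-15 13:28:41,078 [INFO] rhsmcertd-worker @model.py:439 - new = rhel-atomic-host-beta-ostree:rhel-atomic-host/7/x86_64/standard
2015-01-15 13:28:41,145 [ERROR] rhsmcertd-worker @plugins.py:489 - [Errno 13] Permission denied: '/ostree/deploy/rhel-atomic-host/deploy/a087cbd6a18f8876da6075896994dae0256a09c5f0dc22852675ab47fd122c3c.0.origin'
2015-01-15 13:28:41,154 [ERROR] rhsmcertd-worker @base_action_client.py:73 - [Errno 13] Permission denied: '/ostree/deploy/rhel-atomic-host/deploy/a087cbd6a18f8876da6075896994dae0256a09c5f0dc22852675ab47fd122c3c.0.origin'
'''

AVC_RE = re.compile(
    r"audit\((?P<epoch>\d+\.\d+):\d+\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EACCES_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),(?P<ms>\d{3}) \[ERROR\] .*"
    r"\[Errno 13\] Permission denied: '(?P<path>[^']+)'")


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return {
        "epoch": float(m.group("epoch")),
        "perms": m.group("perms").split(),
        "comm": kv.get("comm"),
        "name": kv.get("name"),
        # A context is user:role:type:level; the type drives the decision.
        "source_type": kv["scontext"].split(":")[2],
        "target_type": kv["tcontext"].split(":")[2],
        "tclass": kv.get("tclass"),
    }


def parse_eacces(line):
    """Return time and path of one rhsm.log EACCES error, or None."""
    m = EACCES_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    # Assumption: rhsm.log uses local time and the host clock is UTC,
    # which agrees with the syslog and audit timestamps in the report.
    epoch = timegm(ts.timetuple()) + int(m.group("ms")) / 1000.0
    return {"epoch": epoch, "path": m.group("path")}


def correlate(avc_text, app_text, window=2.0):
    """Pair each EACCES error with AVC denials on the same file name."""
    denials = [d for d in map(parse_avc, avc_text.splitlines()) if d]
    errors = [e for e in map(parse_eacces, app_text.splitlines()) if e]
    matches = []
    for err in errors:
        hits = [d for d in denials
                if d["name"] == basename(err["path"])
                and abs(d["epoch"] - err["epoch"]) <= window]
        matches.append((err, hits))
    return denials, matches


def summarize(denials):
    """Group denials by (source type, target type, class, permission)."""
    groups = defaultdict(set)
    for d in denials:
        for perm in d["perms"]:
            key = (d["source_type"], d["target_type"], d["tclass"], perm)
            groups[key].add(d["name"])
    return dict(groups)


if __name__ == "__main__":
    denials, matches = correlate(AVC_LINES, APP_LOG)
    for err, hits in matches:
        print(basename(err["path"]), "->", len(hits), "matching denial(s)")
    for key, names in summarize(denials).items():
        print(key, sorted(names))
```

An `[Errno 13]` with a matching denial, on a file that the `ls -laZ` output shows as owner-writable by root, points at the `usr_t` label rather than at the file mode, which is why the discussion is about relabeling the `.origin` file.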