Bug 1186420

Summary: celery.worker.consumer:ERROR: consumer: Cannot connect to qpid
Product: [Retired] Pulp
Reporter: Brian Bouterse <bmbouter>
Component: async/tasks
Assignee: Brian Bouterse <bmbouter>
Status: CLOSED UPSTREAM
QA Contact: Preethi Thomas <pthomas>
Severity: medium
Priority: medium
Version: 2.6 Beta
CC: bkearney, bmbouter, jsherril, katello-qa-list, lzap, omaciel, pthomas, rbarlow
Target Milestone: ---
Keywords: Triaged
Target Release: 2.6.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Clone Of: 1185401
Last Closed: 2015-02-28 23:21:48 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1185401

Description Brian Bouterse 2015-01-27 16:12:40 UTC
+++ This bug was initially created as a clone of Bug #1185401 +++

Sometimes SSL certs need to be labeled with cert_t due to requirements from other software systems which manage SSL certs or share them. A file cannot carry two SELinux labels so it would be good if Pulp could have read-access on certificates that have the cert_t label.

Comment 2 Brian Bouterse 2015-01-28 16:04:04 UTC
PR available at: https://github.com/pulp/pulp/pull/1580

Comment 3 Brian Bouterse 2015-01-28 16:05:07 UTC
Merged to 2.6-testing -> 2.6-dev -> master

Comment 4 Brian Bouterse 2015-01-28 16:07:22 UTC
QE: to verify this bug, have the SSL certs that Celery uses live in /etc/pki/* instead of /etc/pki/pulp/*. Also verify that the SSL certs have the cert_t permission. You can list the file permissions using:

ls -laZ /etc/pki/*

If Celery can still work with its certs (configured in the [tasks] section) having the cert_t context then this bug should be verified.

Comment 5 Brian Bouterse 2015-01-29 15:19:38 UTC
Ran into an issue on EL6 with this statement, so another PR was made: https://github.com/pulp/pulp/pull/1584

Comment 6 Brian Bouterse 2015-01-29 15:19:57 UTC
Merged to 2.6-testing -> 2.6-dev -> master

Comment 7 Brian Bouterse 2015-02-10 15:10:34 UTC
QE to verify:

1. Configure the [tasks] section of server.conf to connect to Qpid with SSL. Configure Qpid to accept this connection. Using the Qpid cert generator script would be useful for this.
2. Keep the certs somewhere under the normal location /etc/pki/pulp/*
3. Verify the certs have the pulp_cert_t SELinux label using `ls -laZ <cert location>`. Verify you see the 'pulp_cert_t' label on the cert you are telling Pulp to use for an SSL connection with Qpid.
4. Ensure SELinux is on. `getenforce` should show Enforcing.
5. Restart all pulp services
6. Sanity check Pulp that it is working.
7. Stop all of Pulp
8. Change the label of those certs to be 'cert_t' instead of 'pulp_cert_t'. Use chcon or setfiles for this [0].
9. Verify the certs have the label 'cert_t'
10. Restart all of pulp and verify everything works.



[0]:  http://danwalsh.livejournal.com/4208.html
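
The following is an added example, not code from the Pulp project or from this bug report. It scripts the checks in comments 4 and 7: it pulls the SELinux type out of a context string or out of one line of `ls -laZ` output (the column layout of `ls -Z` differs between EL6 and EL7, so it locates the context by its `:object_r:` marker instead of by column), checks that every file in a cert directory carries the expected type, and, only when invoked with `--apply`, performs steps 4 and 7 through 10 with `chcon` and re-verifies. The cert directory /etc/pki/pulp/qpid, GNU `stat -c %C` support and the Pulp 2.x service names are assumptions. One caveat a tester should keep in mind: a `chcon` label lasts only until the next `restorecon` or full relabel reverts it to the policy default, so a label that must persist needs a `semanage fcontext` rule instead.

```shell
#!/bin/sh
# Added example, not part of Pulp or this bug. Scripts the QE checks from
# comments 4 and 7 of bug 1186420. Assumptions: the Qpid certs live in
# /etc/pki/pulp/qpid, GNU stat supports -c %C, and the Pulp 2.x service
# names used below match the installation.

CERT_DIR=${CERT_DIR:-/etc/pki/pulp/qpid}

# The third colon-separated field of a context string is the SELinux type:
#   unconfined_u:object_r:pulp_cert_t:s0  ->  pulp_cert_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# SELinux type of one `ls -laZ` output line, e.g. (constructed sample)
#   -rw-r-----. root apache unconfined_u:object_r:pulp_cert_t:s0 broker.crt
# Finds the context by its ':object_r:' marker rather than by column number.
# Returns 1 for lines without a context (such as the "total N" header).
ls_line_type() {
    set -- $1
    for field in "$@"; do
        case "$field" in
            *:object_r:*) context_type "$field"; return 0 ;;
        esac
    done
    return 1
}

# Steps 3 and 9: every regular file in $1 must carry type $2.
# Prints each mismatch and returns 1 if any were found.
check_dir_type() {
    dir=$1; want=$2; rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        have=$(context_type "$(stat -c %C "$f")")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH: $f is $have, expected $want" >&2
            rc=1
        fi
    done
    return $rc
}

# Steps 5, 7 and 10: act on all Pulp-related services ($1 = stop|restart).
pulp_services() {
    # Service names assumed from Pulp 2.x on EL6/EL7; adjust to taste.
    for svc in httpd pulp_workers pulp_celerybeat pulp_resource_manager; do
        service "$svc" "$1" || return 1
    done
}

# The relabel only runs when invoked with --apply, so the helpers above can
# be sourced for testing without touching the system.
if [ "${1:-}" = "--apply" ]; then
    # Step 4: SELinux must be enforcing for the test to mean anything.
    [ "$(getenforce)" = "Enforcing" ] || { echo "SELinux is not Enforcing" >&2; exit 1; }
    # Step 3: record the starting state (pulp_cert_t expected).
    check_dir_type "$CERT_DIR" pulp_cert_t || echo "warning: certs not all pulp_cert_t before relabel" >&2
    # Step 7: stop Pulp before changing the labels.
    pulp_services stop || exit 1
    # Step 8: chcon changes only the on-disk label; restorecon or a relabel
    # will revert it. For a persistent change use instead:
    #   semanage fcontext -a -t cert_t "$CERT_DIR(/.*)?" && restorecon -Rv "$CERT_DIR"
    find "$CERT_DIR" -maxdepth 1 -type f -exec chcon -t cert_t {} +
    # Step 9: confirm every cert now carries cert_t.
    check_dir_type "$CERT_DIR" cert_t || exit 1
    # Step 10: bring Pulp back; a pulp-admin sync then confirms Celery can
    # still open its certs.
    pulp_services restart || exit 1
    echo "relabeled $CERT_DIR to cert_t; run a pulp-admin sync to confirm"
fi
```

Run it as `sh relabel-check.sh --apply` on the test box; sourcing it without arguments (`. ./relabel-check.sh`) only defines the functions, which is handy for checking a single `ls -laZ` line pasted from another host.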

Comment 8 Chris Duryee 2015-02-10 22:33:04 UTC
2.6.0-0.7.beta

Comment 9 Brian Bouterse 2015-02-24 14:13:41 UTC
Here's an example of a similar operation for step 8.

http://fpaste.org/189713/

Comment 10 Preethi Thomas 2015-02-24 15:31:49 UTC
Verified.
Followed comment #7.
After step 3, with SELinux enabled:
[root@gizmo qpid]# ls -laZ /etc/pki/pulp/qpid/
drwxr-xr-x. root root   unconfined_u:object_r:pulp_cert_t:s0 .
drwxr-xr-x. root root   system_u:object_r:pulp_cert_t:s0 ..
-rw-r-----. root apache unconfined_u:object_r:pulp_cert_t:s0 broker.crt
-rw-r-----. root apache unconfined_u:object_r:pulp_cert_t:s0 ca.crt
-rw-r-----. root apache unconfined_u:object_r:pulp_cert_t:s0 client.crt
drwxr-xr-x. root root   unconfined_u:object_r:pulp_cert_t:s0 nss


[root@gizmo ~]# pulp-admin rpm repo create --repo-id zoo --feed https://repos.fedorapeople.org/repos/pulp/pulp/demo_repos/zoo/
Successfully created repository [zoo]

[root@gizmo ~]# pulp-admin rpm repo sync run --repo-id zoo
+----------------------------------------------------------------------+
                     Synchronizing Repository [zoo]
+----------------------------------------------------------------------+

This command may be exited via ctrl+c without affecting the request.


Downloading metadata...
[|]
... completed

Downloading repository content...
[==================================================] 100%
RPMs:       32/32 items
Delta RPMs: 0/0 items

... completed

Downloading distribution files...
[==================================================] 100%
Distributions: 0/0 items
... completed

Importing errata...
[-]
... completed

Importing package groups/categories...
[-]
... completed


Task Succeeded



Initializing repo metadata
[-]
... completed

Publishing Distribution files
[-]
... completed

Publishing RPMs
[==================================================] 100%
32 of 32 items
... completed

Publishing Delta RPMs
... skipped

Publishing Errata
[==================================================] 100%
4 of 4 items
... completed

Publishing Comps file
[==================================================] 100%
3 of 3 items
... completed

Publishing Metadata.
[-]
... completed

Closing repo metadata
[-]
... completed

Generating sqlite files
... skipped

Publishing files to web
[-]
... completed

Writing Listings File
[-]
... completed


Task Succeeded



Now step 8:

[root@gizmo qpid]# ls -laZ /etc/pki/pulp/qpid/
drwxr-xr-x. root root   unconfined_u:object_r:pulp_cert_t:s0 .
drwxr-xr-x. root root   system_u:object_r:pulp_cert_t:s0 ..
-rw-r-----. root apache system_u:object_r:cert_t:s0      broker.crt
-rw-r-----. root apache system_u:object_r:cert_t:s0      ca.crt
-rw-r-----. root apache system_u:object_r:cert_t:s0      client.crt
drwxr-xr-x. root root   unconfined_u:object_r:pulp_cert_t:s0 nss

Restarted services, and Pulp is running fine.

[root@gizmo qpid]# pulp-admin rpm repo sync run --repo-id zoo
+----------------------------------------------------------------------+
                     Synchronizing Repository [zoo]
+----------------------------------------------------------------------+

This command may be exited via ctrl+c without affecting the request.


Downloading metadata...
[|]
... completed

Downloading repository content...
[==================================================] 100%
RPMs:       0/0 items
Delta RPMs: 0/0 items

... completed

Downloading distribution files...
[==================================================] 100%
Distributions: 0/0 items
... completed

Importing errata...
[-]
... completed

Importing package groups/categories...
[-]
... completed


Task Succeeded



Copying files
[-]
... completed

Initializing repo metadata
[-]
... completed

Publishing Distribution files
[-]
... completed

Publishing RPMs
[-]
... completed

Publishing Delta RPMs
... skipped

Publishing Errata
[==================================================] 100%
4 of 4 items
... completed

Publishing Comps file
[==================================================] 100%
3 of 3 items
... completed

Publishing Metadata.
[-]
... completed

Closing repo metadata
[-]
... completed

Generating sqlite files
... skipped

Publishing files to web
[-]
... completed

Writing Listings File
[-]
... completed


Task Succeeded

Comment 11 Brian Bouterse 2015-02-28 23:21:48 UTC
Moved to https://pulp.plan.io/issues/679