Bug 1209281

Summary: [pki] pki-pkcs12-extract.sh fails with /dev/fd is not mounted
Product: Red Hat Enterprise Virtualization Manager
Reporter: Perry Clegg <pclegg>
Component: ovirt-engine
Assignee: Yaniv Kaul <ykaul>
Status: CLOSED ERRATA
QA Contact: Jiri Belka <jbelka>
Severity: medium
Docs Contact:
Priority: medium
Version: 3.5.0
CC: bazulay, didi, iheim, jko, juwu, lsurette, pstehlik, rbalakri, Rhev-m-bugs, sbonazzo, yeylon, ykaul, ylavi
Target Milestone: ovirt-3.6.0-rc
Keywords: Patch, ZStream
Target Release: 3.6.0
Flags: ylavi: Triaged+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, the pki-pkcs12-extract.sh script relied on the existence of the /dev/fd directory. On Linux, this is normally a symbolic link to the /proc/self/fd directory, which lets a process access its own STDIN, STDOUT, etc. as named files. If the /dev/fd directory did not exist, the script failed. This happened, for example, when running engine-setup during installation from a kickstart file. With this update, the script uses the /proc/self/fd directory directly. The script now only requires that the /proc directory is mounted, and does not fail if the /dev/fd directory does not exist.
Story Points: ---
Clone Of:
: 1213288
Environment:
Last Closed: 2016-03-09 21:02:01 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Integration
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1213288

Description Perry Clegg 2015-04-07 00:01:17 UTC
Description of problem:

When kickstarting a RHEV system the following error occurs in the ovirt logs:

Traceback in ovirt-engine-setup-20150302232315-a4ccw1.log
~~~
2015-03-02 23:23:59 DEBUG otopi.context context._executeMethod:138 Stage misc METHOD otopi.plugins.ovirt_engine_setup.ovirt_engine.pki.ssh.Plugin._misc
2015-03-02 23:23:59 DEBUG otopi.plugins.ovirt_engine_setup.ovirt_engine.pki.ssh plugin.executeRaw:785 execute: ('/usr/share/ovirt-engine/bin/pki-pkcs12-extract.sh', '--name=engine', '--passin=**FILTERED**', '--key=-'), executable='None', cwd='None', env=None
2015-03-02 23:23:59 DEBUG otopi.plugins.ovirt_engine_setup.ovirt_engine.pki.ssh plugin.executeRaw:803 execute-result: ('/usr/share/ovirt-engine/bin/pki-pkcs12-extract.sh', '--name=engine', '--passin=**FILTERED**', '--key=-'), rc=1
2015-03-02 23:23:59 DEBUG otopi.context context._executeMethod:152 method exception
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/otopi/context.py", line 142, in _executeMethod
    method['method']()
  File "/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/ovirt-engine/pki/ssh.py", line 115, in _misc
    logStreams=False,
  File "/usr/lib/python2.6/site-packages/otopi/plugin.py", line 871, in execute
    command=args[0],
RuntimeError: Command '/usr/share/ovirt-engine/bin/pki-pkcs12-extract.sh' failed to execute
2015-03-02 23:23:59 ERROR otopi.context context._executeMethod:161 Failed to execute stage 'Misc configuration': Command '/usr/share/ovirt-engine/bin/pki-pkcs12-extract.sh' failed to execute
2015-03-02 23:23:59 DEBUG otopi.transaction transaction.abort:131 aborting 'Yum Transaction'
~~~


Version-Release number of selected component (if applicable): RHEV 5.6


How reproducible: Very reproducible. Roman Hodain reproduced the issue with extra logging, adding:

   #!/bin/sh -x
   exec &>/root/pki.out

to /usr/share/ovirt-engine/bin/pki-pkcs12-extract.sh and reproducing the issue. openssl complains about /dev/fd/1, which is not available during the installation:

/root/pki.out:
   openssl pkcs12 -in /etc/pki/ovirt-engine/keys/engine.p12 -passin pass:mypass -passout pass: -nocerts -out /dev/fd/1 -nodes
   Error opening output file /dev/fd/1
   /dev/fd/1: No such file or directory

To fix the issue:

As it turns out, the device is missing during the installation. A workaround can be achieved by adding the following to the post script of the kickstart:

    mkdir /dev/fd
    ln -s /proc/self/fd/0 /dev/fd/0
    ln -s /proc/self/fd/1 /dev/fd/1

Related code:
=========================================================================
/usr/share/ovirt-engine/bin/pki-pkcs12-extract.sh:

        if [ "${key}" = - ]; then
                key=/dev/fd/1
        else
                touch "${key}"
                chmod go-rwx "${key}" || die "Cannot set key permissions"
        fi

        openssl \
                pkcs12 \
                -in "${pkcs12}" \
                -passin "pass:${passin}" \
                -passout "pass:${passout}" \
                -nocerts \
                -out "${key}" \
                ${extra_args} \
                || die "Cannot create key"

        return 0
=========================================================================

All credit for reproducing and solving the issue goes to: Roman.Hodain++
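
The path selection the Doc Text describes, as an added example that is neither the ovirt-engine script nor the shipped fix: resolve `--key=-` to a stdout path that exists, preferring /proc/self/fd over /dev/fd, and fail with a clear reason instead of letting openssl fail. `resolve_key_path` and `FD_DIRS` are hypothetical names introduced for illustration.

```shell
#!/bin/sh
# Added example, not the ovirt-engine script. resolve_key_path and FD_DIRS
# are hypothetical names.

# Directories that may expose the process's open descriptors as files, in
# order of preference. /proc/self/fd only needs /proc to be mounted; /dev/fd
# is normally a symlink to it and can be missing in a kickstart %post.
FD_DIRS="${FD_DIRS:-/proc/self/fd /dev/fd}"

# resolve_key_path KEY
#   KEY = "-"  -> print a path that refers to stdout, or fail with a reason
#   otherwise  -> create KEY readable by the owner only and print it
resolve_key_path() {
    key="$1"
    if [ "${key}" = - ]; then
        for dir in ${FD_DIRS}; do
            # -e follows symlinks, so a dangling /dev/fd/1 is rejected too
            if [ -e "${dir}/1" ]; then
                printf '%s\n' "${dir}/1"
                return 0
            fi
        done
        echo "no usable stdout path in: ${FD_DIRS} (is /proc mounted?)" >&2
        return 1
    fi
    # Create the file with owner-only permissions before any key material
    # is written to it, then enforce them in case the file already existed.
    ( umask 077 && touch "${key}" ) || return 1
    chmod go-rwx "${key}" || return 1
    printf '%s\n' "${key}"
}
```

The printed path is what would be passed to `openssl pkcs12 ... -out`; a non-zero return means the caller should stop before invoking openssl.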

Comment 1 Alon Bar-Lev 2015-04-15 11:34:09 UTC
this utility should not have been added, bug#1133421.

anyway, fixed.

Comment 4 Jiri Belka 2015-05-26 09:50:23 UTC
ok, ovirt-engine-backend-3.6.0-0.0.master.20150519172219.git9a2e2b3.el6.noarch

verification based on https://bugzilla.redhat.com/show_bug.cgi?id=1213288#c1

Comment 8 errata-xmlrpc 2016-03-09 21:02:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0376.html