Bug 1261530
Summary: | /etc/opendnssec is not writeable by ods-ksmutil running under ods user | |
---|---|---|---
Product: | Red Hat Enterprise Linux 7 | Reporter: | Kaleem <ksiddiqu>
Component: | opendnssec | Assignee: | Paul Wouters <pwouters>
Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman>
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | 7.2 | CC: | arubin, lmiksik, mbasti, nsoman, pspacek, pvoborni, pwouters, rcritten
Target Milestone: | rc | Keywords: | TestBlocker
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2015-11-19 10:20:18 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 1115294, 2084180 | |
Attachments: | | |
Description
Kaleem
2015-09-09 14:23:28 UTC
There is missing write permission for group on /etc/opendnssec directory. The daemon fails when executing external command under user ods:

Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa : DEBUG Starting external process
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa : DEBUG args='ods-ksmutil' 'zonelist' 'export'
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa : DEBUG Process finished, return code=0
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa : DEBUG stdout=<?xml version="1.0"?>
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: <ZoneList/>
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa : DEBUG stderr=
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG ODS zones: {}
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa.ipapython.dnssec.odsmgr.ODSMgr: INFO Zones removed from LDAP: []
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa.ipapython.dnssec.odsmgr.ODSMgr: INFO Zones added to LDAP: [('83510b83-56ee-11e
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa : DEBUG Starting external process
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa : DEBUG args='ods-ksmutil' 'zone' 'add' '--zone' 'dnssec.test.' '--inpu
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa : DEBUG Process finished, return code=1
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa : DEBUG stdout=WARNING: The input file /var/lib/ipa/dns/zone/entryUUID/
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: zonelist filename set to /etc/opendnssec/zonelist.xml.
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ERROR: The backup file /etc/opendnssec/zonelist.xml.backup can not be written.

The difference between Fedora and RHEL spec is this:
-%attr(0770,root,ods) %dir %{_sysconfdir}/opendnssec
+%attr(0750,root,ods) %dir %{_sysconfdir}/opendnssec
I.e. the filesystem permissions prevent the daemon running under ods user from writing to the directory. This has to be fixed in opendnssec package.

This bug has to be fixed otherwise the DNSSEC signing feature in FreeIPA will not work at all. Paul, can you get dev_ack for it?

confirmed

Created attachment 1073204 [details]
console output with verification steps
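
Review bot: the `%attr(0770,root,ods) %dir %{_sysconfdir}/opendnssec` line in the spec comparison above carries no comment saying why the ods group needs write access to a directory under /etc, which makes it easy for a later hardening pass to tighten it back to 0750 and reintroduce this failure. A short spec comment next to the `%attr` line stating that ods-ksmutil writes zonelist.xml and zonelist.xml.backup into this directory as the ods user would record the reason. It is also worth noting there that group write on the directory lets the ods account create, rename or delete any entry in it, whatever the modes of the individual files are.
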
Verified.
opendnssec version:
===================
[root@dhcp207-115 ~]# rpm -q ipa-server opendnssec
ipa-server-4.2.0-9.el7.x86_64
opendnssec-1.4.7-3.el7.x86_64
[root@dhcp207-115 ~]#
Please find the attached console output for verification steps.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-2303.html
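
The permission failure reported in this bug can be checked without running the daemon. The following Python is an added example, not code from the bug report, FreeIPA or the opendnssec package; the function names and the numeric uid/gid values are constructed for illustration. It applies the POSIX mode-bit rules to the two `%attr` modes quoted above and can also evaluate the real directory for the real account.

```python
import os
import pwd
import stat

def can_create_in_dir(mode, dir_uid, dir_gid, uid, gids):
    """Return True if a process with (uid, gids) may create entries in a
    directory with the given mode bits and ownership.

    Plain POSIX mode-bit evaluation only: ACLs, SELinux and capabilities
    other than root's override are not modelled.
    """
    if uid == 0:
        return True                      # root bypasses the mode bits
    # Exactly one permission class applies, chosen in this order; a more
    # permissive later class never rescues a restrictive earlier one.
    if uid == dir_uid:
        write, search = stat.S_IWUSR, stat.S_IXUSR
    elif dir_gid in gids:
        write, search = stat.S_IWGRP, stat.S_IXGRP
    else:
        write, search = stat.S_IWOTH, stat.S_IXOTH
    # Creating zonelist.xml.backup needs write AND search on the directory.
    return bool(mode & write) and bool(mode & search)

def audit_path(path, username):
    """Evaluate a real directory for a real account on this host."""
    st = os.stat(path)
    pw = pwd.getpwnam(username)          # raises KeyError if no such user
    gids = set(os.getgrouplist(username, pw.pw_gid))
    return can_create_in_dir(stat.S_IMODE(st.st_mode), st.st_uid,
                             st.st_gid, pw.pw_uid, gids)

# Constructed ids for illustration; real values come from /etc/passwd.
ROOT, ODS_UID, ODS_GID = 0, 995, 993

def compare_spec_modes():
    """Result for the ods account under each %attr mode quoted in the bug."""
    return {oct(m): can_create_in_dir(m, ROOT, ODS_GID, ODS_UID, {ODS_GID})
            for m in (0o750, 0o770)}

if __name__ == "__main__":
    print(compare_spec_modes())          # uses the constructed ids above
    if os.path.isdir("/etc/opendnssec"):
        print(audit_path("/etc/opendnssec", "ods"))
```
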