Bug 1261530
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | /etc/opendnssec is not writeable by ods-ksmutil running under ods user | | |
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Kaleem <ksiddiqu> |
| Component: | opendnssec | Assignee: | Paul Wouters <pwouters> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.2 | CC: | arubin, lmiksik, mbasti, nsoman, pspacek, pvoborni, pwouters, rcritten |
| Target Milestone: | rc | Keywords: | TestBlocker |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-11-19 10:20:18 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1115294, 2084180 | | |
| Attachments: | | | |
There is a missing write permission for the group on the /etc/opendnssec directory. The daemon fails when executing an external command under user ods:
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa : DEBUG Starting external process
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa : DEBUG args='ods-ksmutil' 'zonelist' 'export'
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa : DEBUG Process finished, return code=0
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa : DEBUG stdout=<?xml version="1.0"?>
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: <ZoneList/>
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa : DEBUG stderr=
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG ODS zones: {}
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa.ipapython.dnssec.odsmgr.ODSMgr: INFO Zones removed from LDAP: []
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa.ipapython.dnssec.odsmgr.ODSMgr: INFO Zones added to LDAP: [('83510b83-56ee-11e
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa : DEBUG Starting external process
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa : DEBUG args='ods-ksmutil' 'zone' 'add' '--zone' 'dnssec.test.' '--inpu
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa : DEBUG Process finished, return code=1
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa : DEBUG stdout=WARNING: The input file /var/lib/ipa/dns/zone/entryUUID/
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: zonelist filename set to /etc/opendnssec/zonelist.xml.
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ERROR: The backup file /etc/opendnssec/zonelist.xml.backup can not be written.
The difference between Fedora and RHEL spec is this:
-%attr(0770,root,ods) %dir %{_sysconfdir}/opendnssec
+%attr(0750,root,ods) %dir %{_sysconfdir}/opendnssec
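Review bot: the RHEL line `+%attr(0750,root,ods) %dir %{_sysconfdir}/opendnssec` drops the group write bit that the Fedora line `-%attr(0770,root,ods) %dir %{_sysconfdir}/opendnssec` grants, so a process running as the ods user (via its ods group) can read and traverse the directory but cannot create /etc/opendnssec/zonelist.xml.backup, which is exactly the ERROR line in the log above; the fix is to carry the Fedora `%attr(0770,root,ods)` in the RHEL spec as well. A short comment in the spec stating why the directory must be group-writable would help prevent a later hardening pass from tightening it back to 0750.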
I.e. the filesystem permissions prevent the daemon running under the ods user from writing to the directory.
This has to be fixed in opendnssec package.
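To check the condition this comment describes, here is an added example (not FreeIPA's or OpenDNSSEC's own code) that parses the two `%attr` lines from the spec diff and decides whether a process running as the ods user could create files such as zonelist.xml.backup in a directory with those bits; it also runs the same test against a real directory via os.stat(). All function names are hypothetical.

```python
import os
import re
import stat

# Hypothetical helper names; this is not FreeIPA's or OpenDNSSEC's own code.
ATTR_RE = re.compile(r"%attr\((?P<mode>[0-7]{3,4}),\s*(?P<owner>[^,\s]+),\s*(?P<group>[^)\s]+)\)")


def parse_attr(spec_line):
    """Parse an RPM '%attr(mode,owner,group)' directive into (mode_int, owner, group)."""
    m = ATTR_RE.search(spec_line)
    if m is None:
        raise ValueError("no %attr() directive in: " + spec_line)
    return int(m.group("mode"), 8), m.group("owner"), m.group("group")


def can_create_files(mode, owner, group, user, user_groups):
    """Can `user` (member of `user_groups`) create entries in a directory with these bits?
    Creating a file needs both write (w) and search (x) on the directory. Owner/group may
    be names or numeric ids; only equality is used. Root (CAP_DAC_OVERRIDE) is always allowed."""
    if user in ("root", 0):
        return True
    if user == owner:
        bits = (mode >> 6) & 0o7
    elif group in user_groups:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return bits & 0o3 == 0o3


def dir_writable_by(path, uid, gids):
    """Same test against a real directory, using the numeric ids reported by os.stat()."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(path)
    return can_create_files(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, set(gids))


def check_spec_lines(lines, user="ods", user_groups=("ods",)):
    """For each spec line, report (mode as octal string, whether `user` could write there)."""
    results = []
    for line in lines:
        mode, owner, group = parse_attr(line)
        results.append(("%04o" % mode, can_create_files(mode, owner, group, user, set(user_groups))))
    return results


if __name__ == "__main__":
    # The two lines quoted in the comment above (Fedora vs RHEL spec).
    spec = ["-%attr(0770,root,ods) %dir %{_sysconfdir}/opendnssec",
            "+%attr(0750,root,ods) %dir %{_sysconfdir}/opendnssec"]
    for mode, ok in check_spec_lines(spec):
        print(mode, "ods can create files:", ok)   # 0770 True, 0750 False
```

Run as the ods user on the affected host, `dir_writable_by("/etc/opendnssec", os.getuid(), os.getgroups())` reproduces the daemon's view of the directory without invoking ods-ksmutil.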
This bug has to be fixed, otherwise the DNSSEC signing feature in FreeIPA will not work at all. Paul, can you get dev_ack for it?

confirmed

Created attachment 1073204 [details]
console output with verification steps
Verified.
opendnssec version:
===================
[root@dhcp207-115 ~]# rpm -q ipa-server opendnssec
ipa-server-4.2.0-9.el7.x86_64
opendnssec-1.4.7-3.el7.x86_64
[root@dhcp207-115 ~]#
Please find the attached console output for verification steps.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-2303.html
Description of problem:
The following crash is seen when adding a dnszone with the --dnssec=true option.

Sep 9 16:58:13 dhcp207-20 ipa-dnskeysyncd: ipa.ipapython.dnssec.odsmgr.ODSMgr: INFO Zones removed from LDAP: []
Sep 9 16:58:13 dhcp207-20 ipa-dnskeysyncd: ipa.ipapython.dnssec.odsmgr.ODSMgr: INFO Zones added to LDAP: [('d4103682-56e5-11e5-9989-c99194724b35', <DNS name dnssec.test.>)]
Sep 9 16:58:13 dhcp207-20 named-pkcs11[15547]: zone dnssec.test/IN (signed): loaded serial 1441798093
Sep 9 16:58:13 dhcp207-20 named-pkcs11[15547]: zone dnssec.test/IN (signed): receive_secure_serial: unchanged
Sep 9 16:58:13 dhcp207-20 named-pkcs11[15547]: zone dnssec.test/IN (signed): reconfiguring zone keys
Sep 9 16:58:13 dhcp207-20 named-pkcs11[15547]: zone dnssec.test/IN (signed): next key event: 09-Sep-2015 17:58:13.365
Sep 9 16:58:13 dhcp207-20 python2: detected unhandled Python exception in '/usr/libexec/ipa/ipa-dnskeysyncd'
Sep 9 16:58:14 dhcp207-20 named-pkcs11[15547]: zone dnssec.test/IN (signed): serial 1441798094 (unsigned 1441798094)
Sep 9 16:58:14 dhcp207-20 named-pkcs11[15547]: zone dnssec.test/IN (signed): could not get zone keys for secure dynamic update
Sep 9 16:58:14 dhcp207-20 named-pkcs11[15547]: zone dnssec.test/IN (signed): receive_secure_serial: not found
Sep 9 16:58:17 dhcp207-20 dbus[568]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Sep 9 16:58:17 dhcp207-20 dbus-daemon: dbus[568]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Sep 9 16:58:17 dhcp207-20 dbus[568]: [system] Successfully activated service 'org.freedesktop.problems'
Sep 9 16:58:17 dhcp207-20 dbus-daemon: dbus[568]: [system] Successfully activated service 'org.freedesktop.problems'
Sep 9 16:58:17 dhcp207-20 abrt-server: Email address of sender was not specified. Would you like to do so now? If not, 'user@localhost' is to be used [y/N]
Sep 9 16:58:17 dhcp207-20 abrt-server: Email address of receiver was not specified. Would you like to do so now? If not, 'root@localhost' is to be used [y/N]
Sep 9 16:58:17 dhcp207-20 abrt-server: Sending an email...
Sep 9 16:58:17 dhcp207-20 abrt-server: Executing: /bin/mailx -s [abrt] full crash report -r user@localhost root@localhost
Sep 9 16:58:17 dhcp207-20 abrt-server: Email was sent to: root@localhost
Sep 9 16:58:17 dhcp207-20 ipa-dnskeysyncd: Traceback (most recent call last):
Sep 9 16:58:17 dhcp207-20 ipa-dnskeysyncd: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 112, in <module>
Sep 9 16:58:17 dhcp207-20 ipa-dnskeysyncd: while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
Sep 9 16:58:17 dhcp207-20 ipa-dnskeysyncd: File "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 376, in syncrepl_poll
Sep 9 16:58:17 dhcp207-20 ipa-dnskeysyncd: self.syncrepl_entry(dn, attrs, c.entryUUID)
Sep 9 16:58:17 dhcp207-20 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/syncrepl.py", line 77, in syncrepl_entry
Sep 9 16:58:17 dhcp207-20 ipa-dnskeysyncd: self.application_add(uuid, dn, attributes)
Sep 9 16:58:17 dhcp207-20 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", line 70, in application_add
Sep 9 16:58:17 dhcp207-20 ipa-dnskeysyncd: self.zone_add(uuid, dn, newattrs)
Sep 9 16:58:17 dhcp207-20 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", line 146, in zone_add
Sep 9 16:58:17 dhcp207-20 ipa-dnskeysyncd: self.ods_sync()
Sep 9 16:58:17 dhcp207-20 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", line 161, in ods_sync
Sep 9 16:58:17 dhcp207-20 ipa-dnskeysyncd: self.odsmgr.sync()
Sep 9 16:58:17 dhcp207-20 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/odsmgr.py", line 181, in sync
Sep 9 16:58:17 dhcp207-20 ipa-dnskeysyncd: self.add_ods_zone(uuid, name)
Sep 9 16:58:17 dhcp207-20 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/odsmgr.py", line 141, in add_ods_zone
Sep 9 16:58:17 dhcp207-20 ipa-dnskeysyncd: output = self.ksmutil(cmd)
Sep 9 16:58:17 dhcp207-20 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/odsmgr.py", line 131, in ksmutil
Sep 9 16:58:17 dhcp207-20 ipa-dnskeysyncd: return ipautil.run(cmd)[0]
Sep 9 16:58:17 dhcp207-20 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 373, in run
Sep 9 16:58:17 dhcp207-20 ipa-dnskeysyncd: raise CalledProcessError(p.returncode, arg_string, stdout)
Sep 9 16:58:17 dhcp207-20 ipa-dnskeysyncd: subprocess.CalledProcessError: Command ''ods-ksmutil' 'zone' 'add' '--zone' 'dnssec.test.' '--input' '/var/lib/ipa/dns/zone/entryUUID/d4103682-56e5-11e5-9989-c99194724b35'' returned non-zero exit status 1
Sep 9 16:58:17 dhcp207-20 systemd: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE
Sep 9 16:58:17 dhcp207-20 systemd: Unit ipa-dnskeysyncd.service entered failed state.
Sep 9 16:58:17 dhcp207-20 systemd: ipa-dnskeysyncd.service failed.

Version-Release number of selected component (if applicable):
[root@dhcp207-20 ~]# rpm -q ipa-server
ipa-server-4.2.0-9.el7.x86_64
[root@dhcp207-20 ~]#

How reproducible:
Always

Steps to Reproduce:
1. Install IPA Server
2. Install DNSSEC master
3. Add a dnszone with --dnssec=true

Actual results:
Crash of ipa-dnskeysyncd seen

Expected results:
No crash of ipa-dnskeysyncd seen