Bug 1374260

Summary: The yum configuration provided by the client configuration RPM doesn't work, the client always gets HTTP 404 on the mirrorlist
Product: Red Hat Update Infrastructure for Cloud Providers Reporter: Radek Bíba <rbiba>
Component: CDSAssignee: Patrick Creech <pcreech>
Status: CLOSED ERRATA QA Contact: Vratislav Hutsky <vhutsky>
Severity: high Docs Contact:
Priority: high    
Version: 3.0.0CC: pcreech
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-03-01 22:12:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1176577    

Description Radek Bíba 2016-09-08 11:08:50 UTC 
Description of problem:
After generating a client configuration RPM with a Red Hat repo (the HA for RHEL 7 repo in my test case) and installing it on a client, the following problem occurs:

# yum repolist
Loaded plugins: search-disabled-repos
Could not retrieve mirrorlist https://cds.example.com/pulp/mirror//content/dist/rhel/rhui/server/7/7Server/x86_64/highavailability/os error was
14: HTTPS Error 404 - Not Found
repo id                                                 repo name                                                status
rhui-rhel-ha-for-rhel-7-server-rhui-rpms/7Server/x86_64 Red Hat Enterprise Linux High Availability (for RHEL 7 S 0
repolist: 0

The cds.example.com host is the HAProxy instance, which is set up to perform load balancing between cds01.example.com and cds02.example.com. The following error message can be observed in /var/log/httpd/cds.example.com_access_ssl.log on both CDS instances after two attempts to run the yum command:

IP - - [DATE:TIME] "GET /pulp/mirror//content/dist/rhel/rhui/server/7/7Server/x86_64/highavailability/os HTTP/1.1" 404 277 "-" "urlgrabber/3.10 yum/3.4.3"

I might add that /etc/httpd/conf.d/25-cds.example.com.conf contains:

WSGIScriptAlias /pulp/mirror "/usr/share/pulp/wsgi/mirrorlist.wsgi"

But there's no such file as /usr/share/pulp/wsgi/mirrorlist.wsgi. Also, in /var/log/httpd/cds.example.com_error_ssl.log, I see:

[DATE TIME] [:error] [pid PID] [client IP:PORT] Target WSGI script not found or unable to stat: /usr/share/pulp/wsgi/mirrorlist.wsgi

There's /srv/pulp/mirrorlist.wsgi, FWIW, but if I put that into the Apache conf file instead of the wrong (?) path, I get:

[DATE TIME] [core:error] [pid PID] (13)Permission denied: [client IP:PORT] AH00035: access to /pulp/mirror/content/dist/rhel/rhui/server/7/7Server/x86_64/highavailability/os denied (filesystem path '/srv/pulp/mirrorlist.wsgi') because search permissions are missing on a component of the path

FWIW #2, the path is comprised of directories owned by apache:apache with the following permissions:

# ll -d `find /var/lib/pulp/published/yum/https/repos/ | grep -v listing` | awk '{print $1 $9}'drwxr-x---./var/lib/pulp/published/yum/https/repos/
drwxr-x---./var/lib/pulp/published/yum/https/repos/content
drwxr-x---./var/lib/pulp/published/yum/https/repos/content/dist
drwxr-x---./var/lib/pulp/published/yum/https/repos/content/dist/rhel
drwxr-x---./var/lib/pulp/published/yum/https/repos/content/dist/rhel/rhui
drwxr-x---./var/lib/pulp/published/yum/https/repos/content/dist/rhel/rhui/server
drwxr-x---./var/lib/pulp/published/yum/https/repos/content/dist/rhel/rhui/server/7
drwxr-x---./var/lib/pulp/published/yum/https/repos/content/dist/rhel/rhui/server/7/7Server
drwxr-x---./var/lib/pulp/published/yum/https/repos/content/dist/rhel/rhui/server/7/7Server/x86_64
drwxr-x---./var/lib/pulp/published/yum/https/repos/content/dist/rhel/rhui/server/7/7Server/x86_64/highavailability
lrwxrwxrwx./var/lib/pulp/published/yum/https/repos/content/dist/rhel/rhui/server/7/7Server/x86_64/highavailability/os

Version-Release number of selected component (if applicable):
RHUI-3.0-RHEL-7-20160830.n.0-RHUI-x86_64-dvd1.iso

How reproducible:
Always

Steps to Reproduce:
1. Prepare a set of machines: one RHUA, two CDS, and one HAProxy instance.
2. Run rhui-manager to upload an RH cert, add a repo, set up the loadbalancer and the two CDS machines, sync the repo.
3. Create a client configuration RPM and install in on yet another machine.
4. Run `yum repolist' on that machine, or any other yum command which communicates with configured repo servers.

Actual results:
Yum fails with the 404 error above.

Expected results:
Yum works.
Comment 1 Radek Bíba 2016-09-08 12:17:43 UTC 
After some more digging, I see it's SELinux that causes the permission issues. With SELinux in permissive mode, Yum does work as expected:

# yum repolist
Loaded plugins: search-disabled-repos
rhui-rhel-ha-for-rhel-7-server-rhui-rpms                                                        | 2.0 kB  00:00:00     
(1/3): rhui-rhel-ha-for-rhel-7-server-rhui-rpms/7Server/x86_64/updateinfo                       |  42 kB  00:00:00     
(2/3): rhui-rhel-ha-for-rhel-7-server-rhui-rpms/7Server/x86_64/group                            |  11 kB  00:00:00     
(3/3): rhui-rhel-ha-for-rhel-7-server-rhui-rpms/7Server/x86_64/primary                          |  51 kB  00:00:00     
rhui-rhel-ha-for-rhel-7-server-rhui-rpms                                                                       224/224
repo id                                                 repo name                                                status
rhui-rhel-ha-for-rhel-7-server-rhui-rpms/7Server/x86_64 Red Hat Enterprise Linux High Availability (for RHEL 7 S 224

The 'grep httpd /var/log/audit/audit.log | audit2allow -M cds' command has produced the cds.te file with the following content:

module cds 1.0;

require {
	type httpd_t;
	type var_t;
	class file { read getattr open };
}

#============= httpd_t ==============
allow httpd_t var_t:file { read getattr open };

I can see some detailed information when I search for httpd in the auditd log:

type=SYSCALL msg=audit(09/08/2016 07:50:38.031:3556) : arch=x86_64 syscall=lstat success=no exit=-13(Permission denied) a0=0x7eff6f5b7688 a1=0x7fff0b9865d0 a2=0x7fff0b9865d0 a3=0x0 items=0 ppid=20142 pid=20291 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(09/08/2016 07:50:38.031:3556) : avc:  denied  { getattr } for  pid=20291 comm=httpd path=/srv/pulp/mirrorlist.wsgi dev="xvda2" ino=9291215 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

So, AIUI, what needs to be done for this bug is:

1 - Ensure that the correct path is put into /etc/httpd/conf.d/25-cds.example.com.conf for WSGIScriptAlias /pulp/mirror.
2 - Tweak SELinux rules accordingly.
Comment 3 Radek Bíba 2016-09-22 11:17:42 UTC 
Fix confirmed in RHUI-3.0-RHEL-6-20160921.n.0. Thanks Patrick!
Comment 4 errata-xmlrpc 2017-03-01 22:12:56 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0367