Bug 1432013

Summary: katello-backup does not apply postgres group owner to the whole backup path
Product: Red Hat Satellite Reporter: Dmitry Zhukovski <dzhukous>
Component: Backup & RestoreAssignee: Christine Fouant <cfouant>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: 6.2.8CC: bbuckingham, bkearney, egolov, jcallaha, ldelouw, mmccune, rbeyel, riehecky, rvdwees
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: katello-3.4.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1456379 (view as bug list) Environment:
Last Closed: 2018-02-21 16:54:37 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1456379    

Description Dmitry Zhukovski 2017-03-14 10:24:58 UTC 
Description of problem:
katello-backup does not apply postgres group owner to the whole backup path

Version-Release number of selected component (if applicable):
katello-common-3.0.0-17.el7sat.noarch

How reproducible:
everytime

Steps to Reproduce:
1. make backup top level directory belonging to root group
# ls -la /backup
total 4
drwxrwx---.  2 root root    6 Mar 14 10:17 .
2. run o# katello-backup --skip-pulp-content --online-backup /backup/db-backup-2017-03-13/
Starting backup: 2017-03-14 10:17:58 +0000
Creating backup folder /backup/db-backup-2017-03-13/katello-backup-2017-03-14T10:17:58+00:00
Redirecting to /bin/systemctl stop  foreman-tasks.service
Redirecting to /bin/systemctl stop  httpd.service
Redirecting to /bin/systemctl stop  pulp_workers.service
Redirecting to /bin/systemctl stop  foreman-proxy.service
Redirecting to /bin/systemctl stop  pulp_streamer.service
Redirecting to /bin/systemctl stop  pulp_resource_manager.service
Redirecting to /bin/systemctl stop  pulp_celerybeat.service
Redirecting to /bin/systemctl stop  smart_proxy_dynflow_core.service
Redirecting to /bin/systemctl stop  tomcat.service
Redirecting to /bin/systemctl stop  squid.service
Redirecting to /bin/systemctl stop  qdrouterd.service
Redirecting to /bin/systemctl stop  qpidd.service
Redirecting to /bin/systemctl stop  postgresql.service
Redirecting to /bin/systemctl stop  mongod.service
Backing up config files... 
tar: Removing leading `/' from member names
Done.
Backing up postgres db... 
-bash: /backup/db-backup-2017-03-13/katello-backup-2017-03-14T10:17:58+00:00/foreman.dump: Permission denied
-bash: /backup/db-backup-2017-03-13/katello-backup-2017-03-14T10:17:58+00:00/candlepin.dump: Permission denied
Done.
Backing up mongo db... 
couldn't connect to [localhost] couldn't connect to server localhost:27017 (127.0.0.1), connection attempt failed
Done.
**** BACKUP Complete, contents can be found in: /backup/db-backup-2017-03-13/katello-backup-2017-03-14T10:17:58+00:00 ****
nline backup



Actual results:
Top level and intermediate directory belongs to root so postgres user can't dump database
# ls -lRa /backup
/backup:
total 4
drwxrwx---.  3 root root   33 Mar 14 10:17 .
dr-xr-xr-x. 18 root root 4096 Mar 13 13:30 ..
drwxr-xr-x.  3 root root   53 Mar 14 10:17 db-backup-2017-03-13

/backup/db-backup-2017-03-13:
total 0
drwxr-xr-x. 3 root root     53 Mar 14 10:17 .
drwxrwx---. 3 root root     33 Mar 14 10:17 ..
drwxrwx---. 2 root postgres 51 Mar 14 10:17 katello-backup-2017-03-14T10:17:58+00:00


Expected results:
postgres group should be propagated from top to bottom if we wish to write postgres dumps:
  `runuser - postgres -c "pg_dump -Fc foreman > #{@dir}/foreman.dump"`
  `runuser - postgres -c "pg_dump -Fc candlepin > #{@dir}/candlepin.dump"
..or - write dumps to temporary directory and then copy

Additional info:
Comment 2 Christine Fouant 2017-05-03 17:22:28 UTC 
Created redmine issue http://projects.theforeman.org/issues/19453 from this bug
Comment 3 Christine Fouant 2017-05-04 14:15:37 UTC 
> Expected results:
> postgres group should be propagated from top to bottom if we wish to write
> postgres dumps:
>   `runuser - postgres -c "pg_dump -Fc foreman > #{@dir}/foreman.dump"`
>   `runuser - postgres -c "pg_dump -Fc candlepin > #{@dir}/candlepin.dump"
> ..or - write dumps to temporary directory and then copy
> 
> Additional info:

It would be pretty bad to go in and change permissions all the way up the filesystem. For instance, doing so might give postgresql access to the root's home directory, and that would not be good. Also, creating the necessary files elsewhere and moving them into the backup directory would only cause failure upon attempt to restore. I believe the responsibility of permissions in this case is the user's, so the solution I think best would be to fail with an error message if the path prevents postgres group permissions.
Comment 4 Dmitry Zhukovski 2017-05-04 14:22:27 UTC 
i am not asking to change permissions from root top but rather from backup top directory down to the structure. in 6.2.8 you had introduced intermediate directory level as db-backup-<date> but did forget to chgrp to postrgesql as you do on low level backup file.

thats why backup script fails to write to backup file as it's cant traverse via db-backup-<date> directory
Comment 5 Satellite Program 2017-05-11 18:15:34 UTC 
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/19453 has been resolved.
Comment 6 Peter Ondrejka 2017-09-05 13:29:49 UTC 
Verified on satellite-6.3.0-17.0.beta.el7sat.noarch, postgres group rights are applied down the path where needed:

# ll /var/tmp/
drwxrwx---. 3 root postgres 43 Sep  5 08:45 backup

# ll /var/tmp/backup/katello-backup-20170905084527/
total 4980
-rw-r--r--. 1 postgres postgres  267615 Sep  5 08:46 candlepin.dump
-rw-r--r--. 1 root     root      674369 Sep  5 08:45 config_files.tar.gz
-rw-r--r--. 1 postgres postgres 4099807 Sep  5 08:46 foreman.dump
-rw-r--r--. 1 root     root       48812 Sep  5 08:45 metadata.yml
drwxr-xr-x. 5 root     root          52 Sep  5 08:46 mongo_dump
-rw-r--r--. 1 postgres postgres     650 Sep  5 08:46 pg_globals.dump
Comment 7 Satellite Program 2018-02-21 16:54:37 UTC 
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
> > 
> > For information on the advisory, and where to find the updated files, follow the link below.
> > 
> > If the solution does not work for you, open a new bug report.
> > 
> > https://access.redhat.com/errata/RHSA-2018:0336