Bug 1452182

Summary: engine-backup restores pki packaged files
Product: [oVirt] ovirt-engine Reporter: Yedidyah Bar David <didi>
Component: Backup-Restore.EngineAssignee: Yedidyah Bar David <didi>
Status: CLOSED CURRENTRELEASE QA Contact: Lucie Leistnerova <lleistne>
Severity: high Docs Contact:
Priority: high    
Version: 4.1.2.2CC: bugs, didi, lleistne, lsvaty, stirabos
Target Milestone: ovirt-4.1.3Flags: rule-engine: ovirt-4.1+
lsvaty: testing_ack+
Target Release: 4.1.3   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: engine-backup --mode=restore used to restore/overwrite also the following files, which are packaged in ovirt-engine-backend: /etc/pki/ovirt-engine/cacert.template.in /etc/pki/ovirt-engine/cert.template.in /etc/pki/ovirt-engine/openssl.conf These files are marked '%config(noreplace)' in the spec file, so if the user changed them, rpm/yum will not overwrite them with the updated version, keeping the user's version. In this context, 'engine-backup --more=restore' is considered a manual change by the user. Consequence: When restoring with version X a backup taken with version Y, where these files where different, the backed up version will be kept, instead of the newer version from version X. Fix: These files are now excluded from 'engine-backup --mode=restore'. Result: The new version of the files will not be overwritten by restore. Additional notes: Main implication of current bug is that in 4.1.2 we changed cert.template.in, for bug 1449084. So taking a backup with 4.1.1 or earlier and restoring it with 4.1.2 will cause current bug. To work around this in 4.1.2: Restore the backup rm /etc/pki/ovirt-engine/cert.template.in yum reinstall ovirt-engine-backend engine-setup This is not needed when restoring with 4.1.3 or a later version, where the bug is fixed.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-07-06 13:41:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Integration RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Yedidyah Bar David 2017-05-18 13:38:02 UTC 
Description of problem:

Originally reported by Lucie Leistnerova.

'engine-backup --mode=restore' restores also all of /etc/pki/ovirt-engine. Most of it is data generated by engine-setup and the engine, but the following files are not - they are packaged in ovirt-engine-backend:

/etc/pki/ovirt-engine/cacert.template.in
/etc/pki/ovirt-engine/cert.template.in
/etc/pki/ovirt-engine/openssl.conf

So they should not be restored.

There is another complication about them - they are marked in the spec file as '%config(noreplace)', meaning they are considered configuration files, and are not replaced by yum update if a user changed them.

This bug affects the following flows, as far as we managed to find. There might be others:

Flow 1:
- engine-setup on 4.1.1
- engine-backup --mode=backup --file=b411
on some other machine:
- install 4.1.2
- engine-backup --mode=restore --file=b411
- engine-setup
Apply the workaround described in bug 1449084 comment 5 for that bug

Result is:

# /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name="${name}" --password=mypass --subject="${subject}" --keep-key --san=DNS:"${ENGINE_FQDN}"
MAC verified OK
Using configuration from openssl.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
organizationName      :ASN.1 12:'eng.lab.tlv.redhat.com'
commonName            :ASN.1 12:'didi-rhv41-engine.eng.lab.tlv.redhat.com'
ERROR: adding extensions in section v3_ca_san
Cannot sign certificate
Cannot sign request

Because of the overwritten cert.template.in.

Flow 2:
- engine-setup on 4.1.1
- engine-backup --mode=backup --file=b411
on some other machine:
- install 4.1.2
- engine-backup --mode=restore --file=b411
- engine-setup
- engine-cleanup
- engine-setup

Results in a similar error in the setup log.

It might affect other flows we didn't try yet involving pki, in particular will very likely fail an upgrade that also renews pki (bug 1214860).

Version-Release number of selected component (if applicable):
Current 4.1.2

How reproducible:
Always

Steps to Reproduce:
1. See above
2.
3.

Actual results:
Files overwritten by restore

Expected results:
Files kept untouched

Additional info:

A workaround:

rm /etc/pki/ovirt-engine/cert.template.in
(perhaps other files, but above is enough for the above flows)
yum reinstall ovirt-engine-backend
engine-setup
Comment 1 Yedidyah Bar David 2017-05-18 13:42:08 UTC 
This bug probably exists since 3.3 or so, but was not discovered so far because we rarely change these files. However, we recently changed them - for bug 1449084 (4.1.2) and for sha256 [1] (4.1.0).

[1] https://www.ovirt.org/documentation/how-to/migrate-pki-to-sha256/
Comment 2 Yedidyah Bar David 2017-05-18 14:42:02 UTC 
The linked patch is enough if the bug is included in 4.1.2. If we fix in 4.1.3, we might want to consider what to do with an already-existing bad file from previous restore to 4.1.2 - since, as explained above, it's not overwritten by updates (because of '%config(noreplace)').
Comment 3 Yedidyah Bar David 2017-05-29 06:17:44 UTC 
Updated doc text adding a workaround for 4.1.2.
Comment 4 Lucie Leistnerova 2017-06-21 06:50:12 UTC 
engine-backup doesn't overwrite files cacert.template.in, cert.template.in and openssl.conf.

Issue with backup - setup - cleanup - setup was not reproduced.

verified in ovirt-engine-4.1.3.2-0.1.el7.noarch