Bug 1477545
| Summary: | Upgrade of dhcpd always breaks permissions | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Lukas Zapletal <lzap> |
| Component: | Installation | Assignee: | Eric Helms <ehelms> |
| Status: | CLOSED ERRATA | QA Contact: | Lukas Pramuk <lpramuk> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 6.3.0 | CC: | apatel, bbuckingham, bkearney, brubisch, cdonnell, ehelms, fgarciad, inecas, jcallaha, lpramuk, lzap, mmccune, nshaik, pdwyer, rjerrido, sokeeffe |
| Target Milestone: | Unspecified | Keywords: | PrioBumpGSS, PrioBumpPM, Triaged |
| Target Release: | Unused | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | foreman-installer-1.15.5 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-02-21 17:11:08 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Lukas Zapletal
2017-08-02 11:27:47 UTC
Nagoor, I can confirm my typo. The correct form is indeed: setfacl -R -m u:foreman-proxy:rwx /etc/dhcp /var/lib/dhcpd Created redmine issue http://projects.theforeman.org/issues/20683 from this bug Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/20683 has been resolved. FailedQA.
@satellite-6.3.0-21.0.beta.el7sat.noarch
foreman-installer-1.15.6.1-1.el7sat.noarch
# getfacl -p /etc/dhcp /var/lib/dhcpd
# file: /etc/dhcp
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: /var/lib/dhcpd
# owner: dhcpd
# group: dhcpd
user::rwx
group::r-x
other::r-x
>>> no special acl set on the dhcp directories
Lukas, Do you have both --foreman-proxy-dhcp and --foreman-proxy-dhcp-managed set to true? Be warned, this will enable DHCP server and management so you need to do it in an isolated network. These are not true in a default installation for that reason. The management of DHCP ACLs are only relevant in the case that DHCP is being managed by the Capsule so you will not see this present without the above. Flipping back to ON_QA for further analysis. Eric,
Yes I have Internal Capsule having DHCP, DNS, Discovery, Dynflow, Openscap, Pulp, Puppet, Puppet CA, SSH, and TFTP features
# satellite-installer -h | grep -E "dhcp( |-manage)"
--foreman-proxy-dhcp Enable DHCP feature (current: true)
--foreman-proxy-dhcp-manage-acls Whether to manage DHCP directory ACLs. This allows the Foreman Proxy user to access even if the directory mode is 0750. (current: true)
--foreman-proxy-dhcp-managed DHCP is managed by Foreman proxy (current: true)
setfacl installer code is working but with reverse logic, see: 1. Set ACL # setfacl -R -m u:foreman-proxy:rx /var/lib/dhcpd /etc/dhcp # satellite-installer -v ... [ WARN 2017-10-22 06:48:16 verbose] /Stage[main]/Foreman_proxy::Proxydhcp/Exec[setfacl_etc_dhcp]/returns: executed successfully [ WARN 2017-10-22 06:48:16 verbose] /Stage[main]/Dhcp/Concat[/etc/dhcp/dhcpd.conf]/File[/etc/dhcp/dhcpd.conf]/mode: mode changed '0654' to '0644' [ INFO 2017-10-22 06:48:16 verbose] Concat[/etc/dhcp/dhcpd.conf]: Scheduling refresh of Service[dhcpd] ... >>> when acl is present installer sets it !!! 2. Remove ACL # setfacl -R -x u:foreman-proxy /var/lib/dhcpd /etc/dhcp # satellite-installer -v ... <no exec of setfacl_etc_dhcp> ... >>> when acl is not set installer doesn't set it !!! While setfacl_var_lib_dhcp has typo!!!
onlyif => "getfacl -p /var/lib/dhcp | grep user:${::foreman_proxy::user}:r-x"
>>> /var/lib/dhcp doesn't exist it should be /var/lib/dhcpd
VERIFIED.
@satellite-6.3.0-21.0.beta.el7sat.noarch
foreman-installer-1.15.6.4-1.el7sat.noarch
1. Have a capsule with DHCP feature, i.e. all these installer options are enabled
# satellite-installer -h | grep -E "dhcp( |-manage)"
--foreman-proxy-dhcp Enable DHCP feature (current: true)
--foreman-proxy-dhcp-manage-acls Whether to manage DHCP directory ACLs. This allows the Foreman Proxy user to access even if the directory mode is 0750. (current: true)
--foreman-proxy-dhcp-managed DHCP is managed by Foreman proxy (current: true)
2. Check for file ACLs of dhcp files (after installation)
# getfacl -p /etc/dhcp /var/lib/dhcpd
# file: /etc/dhcp
# owner: root
# group: root
user::rwx
user:foreman-proxy:r-x <<< OK
group::r-x
mask::r-x
other::r-x
# file: /var/lib/dhcpd
# owner: dhcpd
# group: dhcpd
user::rwx
user:foreman-proxy:r-x <<< OK
group::r-x
mask::r-x
other::r-x
>>> foreman will be able to access dhcp files
Wait, comment#0 and comment#10 are talking about rwx for foreman-proxy and I se just r-x So foreman won't be able to modify/write to dhcp files. Is write access needed? Yes, only read access for all DHCP files is needed as Foreman calls "omapi" tool to do the updates as external process and I believe this talks to the server via network. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:0336 For googlers, the correct command is again: setfacl -R -m u:foreman-proxy:rx /etc/dhcp /var/lib/dhcpd No write permission needed! |