Bug 1914602

Summary: [RHV 4.4] /var/lib/ovirt-engine/external_truststore (Permission denied)
Product: Red Hat Enterprise Virtualization Manager
Reporter: Chetan Nagarkar <cnagarka>
Component: ovirt-engine
Assignee: eraviv
Status: CLOSED ERRATA
QA Contact: msheena
Severity: medium
Docs Contact:
Priority: medium
Version: 4.4.3
CC: ahadas, dfodor, didi, gveitmic, mburman, mkalinin, mperina
Target Milestone: ovirt-4.4.5
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ovirt-engine-4.4.5.7
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-04-14 11:40:02 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Network
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Chetan Nagarkar 2021-01-10 04:09:35 UTC
Description of problem: 

On a freshly set up RHV 4.4 Manager, the provider ovirt-provider-ovn fails to synchronize.
~~~
Cannot register external providers trust store: java.io.FileNotFoundException: /var/lib/ovirt-engine/external_truststore (Permission denied)
~~~

Version-Release number of selected component (if applicable):
ovirt-engine-4.4.3.12-0.1.el8ev.noarch
ovirt-provider-ovn-1.2.32-1.el8ev.noarch

Actual results:
EVENT_ID: PROVIDER_SYNCHRONIZED_FAILED(216), Failed to synchronize networks of Provider ovirt-provider-ovn.

Expected results:
Networks of Provider ovirt-provider-ovn should synchronize successfully.

Additional info:

Comment 2 Dominik Holler 2021-01-11 08:56:08 UTC
For me there is
~~~
[root@keytest ~]# ls -laZ /var/lib/ovirt-engine/external_truststore
-rw-r--r--. 1 root root unconfined_u:object_r:var_lib_t:s0 997 Jan  7 16:23 /var/lib/ovirt-engine/external_truststore
~~~
also on a recent oVirt-4.4 setup.
Michael, can you please check in your environments?

Comment 4 Dominik Holler 2021-01-11 10:21:33 UTC
Also installing current master, the problem does not reproduce:
~~~
[root@permtest ~]# ls -laZ /var/lib/ovirt-engine/external_truststore
-rw-r--r--. 1 root root unconfined_u:object_r:var_lib_t:s0 1000 Jan 11 10:41 /var/lib/ovirt-engine/external_truststore
[root@permtest ~]# rpm -qa ovirt-engine
ovirt-engine-4.4.5-0.0.master.20210110135511.gitfc28888a0cf.el8.noarch
~~~

Comment 5 Marina Kalinin 2021-01-11 19:34:01 UTC
Hi Chetan,

Can you please confirm the severity of the bug and attach the KCS for it?

Since we cannot reproduce, we are considering closing this bug, so KCS would be extremely helpful here. (Unless you can provide additional details, but it seems like the issue was caused by something outside of RHV and one time.)

Thank you!

Comment 6 Yedidyah Bar David 2021-01-12 10:48:11 UTC
FWIW, managed to reproduce this bug by:

~~~
# umask 0027
# engine-setup
~~~

This causes /var/lib/ovirt-engine/external_truststore to be created with 0640 (root:root), and engine.log has:

~~~
2021-01-12 12:36:58,126+02 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-49) [12c14d61] EVENT_ID: PROVIDER_SYNCHRONIZED_FAILED(216), Failed to synchronize networks of Provider ovirt-provider-ovn.
~~~

This happens because normally, this file does not exist in new setups. It is created by the first command which imports stuff into it, which is in the setup plugin ovirt-engine-setup/ovirt-engine/network/ovirtproviderovn.py . Perhaps we should create it (empty?) beforehand somewhere with correct permissions.

Workaround: Use "standard" umask 0022 when running engine-setup.

Comment 7 Martin Perina 2021-02-01 12:14:35 UTC
(In reply to Marina Kalinin from comment #5)
> Hi Chetan,
> 
> Can you please confirm the severity of the bug and attach the KCS for it?
> 
> Since we cannot reproduce, we are considering closing this bug, so KCS
> would be extremely helpful here. (Unless you can provide additional
> details, but it seems like the issue was caused by something outside of RHV
> and one time.)
> 
> Thank you!

Any progress with the KCS?

Comment 8 Yedidyah Bar David 2021-02-01 12:40:17 UTC
(In reply to Martin Perina from comment #7)
> 
> Any progress with the KCS?

Did you notice comment 6? I think 'umask 027' should be considered "legitimate". If not, we should document this. I think adding chmod, chown or chgrp should not be that hard.
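
The umask dependence described in comment 6 and the explicit-chmod idea from comment 8, as an added example that is not ovirt-engine's code or the shipped fix. The function names are hypothetical and the files are created in a temporary directory, not at the real truststore path.

```python
import os
import stat
import tempfile

# Mode shown by ls on the working setups in this report (-rw-r--r--).
TRUSTSTORE_MODE = 0o644

def create_with_umask(path, umask):
    """Create the file the default way; the resulting mode depends on umask."""
    old = os.umask(umask)
    try:
        with open(path, "wb"):
            pass
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)

def create_with_explicit_mode(path, umask, mode=TRUSTSTORE_MODE):
    """Create the file, then set its mode explicitly so umask cannot narrow it."""
    old = os.umask(umask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
        try:
            os.fchmod(fd, mode)  # chmod/fchmod are not filtered by umask
        finally:
            os.close(fd)
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)

def readable_by_other(path):
    """True if a process that is neither owner nor in the group can read it."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def demo():
    """Return {umask: (default_mode, explicit_mode, default_ok, explicit_ok)}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:  # constructed sample files only
        for umask in (0o022, 0o027):
            naive = os.path.join(d, "default_%03o" % umask)
            fixed = os.path.join(d, "explicit_%03o" % umask)
            results[umask] = (create_with_umask(naive, umask),
                              create_with_explicit_mode(fixed, umask),
                              readable_by_other(naive), readable_by_other(fixed))
    return results

if __name__ == "__main__":
    print(demo())
```

Under umask 0027 the default creation yields 0640, which a non-owner, non-group reader cannot open, while the explicit-mode path yields 0644 under either umask.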

Comment 11 msheena 2021-03-02 12:42:09 UTC
Verified
========
rhvm-4.4.5.7-0.1.el8ev.noarch

Regarded file permissions are correct (-rw-r--r--. 1 root root unconfined_u:object_r:var_lib_t:s0 1123 Feb 17 13:27 /var/lib/ovirt-engine/external_truststore) after
====================================================================================================================================================================
* Fresh deployment
* engine-setup
* umask 0027
  engine-setup

Comment 16 errata-xmlrpc 2021-04-14 11:40:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: RHV Manager (ovirt-engine) 4.4.z [ovirt-4.4.5] security, bug fix, enhancement), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1169