Bug 2064410

Summary:	Incorrect file permissions in /var/lib/pulp/media/... lead to repository sync errors
Product:	Red Hat Satellite	Reporter:	Ian Ballou <iballou>
Component:	Satellite Maintain	Assignee:	Ian Ballou <iballou>
Status:	CLOSED ERRATA	QA Contact:	sganar
Severity:	medium	Docs Contact:
Priority:	unspecified
Version:	6.11.0	CC:	ahumbe, apatel, aupadhye, ehelms, gtalreja, kgaikwad
Target Milestone:	6.11.0	Keywords:	Triaged
Target Release:	Unused
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	rubygem-foreman_maintain-1.0.5	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2022-07-05 14:34:27 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Ian Ballou 2022-03-15 18:50:32 UTC

Description of problem:

After the Pulp 2 to Pulp 3 migration, upstream users have been reporting failing syncs that seem to be related to incorrect permissions in Pulp's artifacts directory.  Thread: https://community.theforeman.org/t/katello-4-3-repo-sync-error-errno1-operation-not-permitted/27262/11

From the report, it seems that something changed in Pulp 3 between Pulpcore 3.14 and 3.16 that suddenly made the incorrect permissions cause sync errors.  Users have no issues syncing on Katello with Pulpcore 3.14.

I'm setting this on the Installer component for now because the installer keeps track of other Pulp-related permissions: https://github.com/theforeman/puppet-pulpcore/blob/master/manifests/config.pp

Foreman Maintain is another place where these permissions could be fixed if there is some reason with doing so in the Foreman Installer.

Version-Release number of selected component (if applicable):

Satellite 7.0 (Katello 4.3)

How reproducible:
The permissions being wrong is likely 100% reproducible.
The repository sync error is unknown right now because the reporting user could sync some repositories.

Steps to Reproduce:
From Grant's comment, to reproduce you would only need to run the upgrade to 6.10 where the Pulp 3 files are on the same volume as the Pulp 2 ones: https://community.theforeman.org/t/katello-4-3-repo-sync-error-errno1-operation-not-permitted/27262/14

Actual results:
Syncing fails and some files under /var/lib/pulp/media are owned by apache rather than pulp.

Expected results:
Syncing works fine and the files under /var/lib/pulp/media are owned by the pulp user. 

Additional info:

Comment 2 Ian Ballou 2022-03-15 21:43:03 UTC

I just did a standard upgrade from 6.9 to 6.10 and saw no issues with the file permissions in the artifacts folder. It could be that the upstream users did the migration when it wasn't as well-supported.

Comment 3 Ian Ballou 2022-03-16 16:03:23 UTC

Created redmine issue https://projects.theforeman.org/issues/34631 from this bug

Comment 5 Bryan Kearney 2022-03-16 20:05:38 UTC

Upstream bug assigned to iballou

Comment 6 Bryan Kearney 2022-03-16 20:05:40 UTC

Upstream bug assigned to iballou

Comment 9 Brad Buckingham 2022-03-28 19:54:42 UTC

Moving to POST as upstream PR is merged.

Comment 10 sganar 2022-05-05 08:34:08 UTC

Verified.

Tested on Satellite 6.9.9 snap 2.0
rubygem-foreman_maintain-1.0.6-1.el7sat.noarch

Steps followed: 
1. Run upgrade to 6.10 

Observation: 
Syncing works fine and the files under /var/lib/pulp/media are owned by the pulp user.
when running the pulp2 removal procedure, artifact ownership procedure is also run.

Comment 13 errata-xmlrpc 2022-07-05 14:34:27 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.11 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5498