Bug 747661

Summary: Content Certificate permission errors in an AWS guest
Product: [Retired] Pulp
Reporter: Mike McCune <mmccune>
Component: rel-eng
Assignee: John Matthews <jmatthew>
Status: CLOSED CURRENTRELEASE
QA Contact: Preethi Thomas <pthomas>
Severity: unspecified
Priority: unspecified
Version: 1.0.0
CC: lzap, skarmark
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Bug Depends On: 760683

Description Mike McCune 2011-10-20 16:37:04 UTC
When using Katello and Candlepin together on an AWS guest we create content which ends up creating a directory here:

 /etc/pki/content/ACME_Corporation

the problem is that on hosts that allow calls to setfacl we grant access to apache to write to this dir but on the AWS host this fails:

# setfacl -m u:apache:rwx content
setfacl: content: Operation not supported

so Candlepin is not able to set up the directory properly and blocks Katello's ability to create custom products and repos.

Comment 1 Bryan Kearney 2011-10-20 16:55:53 UTC
Not candlepin proper. Katello is writing to this location so that grinder can use the certs to download content. Moving this to the appropriate project, and changing the title to reflect this.

Comment 2 Lukas Zapletal 2011-12-07 15:22:28 UTC
So what is the task for this one? To set this during configuration?

Comment 3 Lukas Zapletal 2011-12-07 16:07:57 UTC
Okay, this is a Pulp issue most likely; this is set during pulp installation and as the system is not mounted with ACL, it fails.

Comment 4 Lukas Zapletal 2011-12-07 16:13:03 UTC
Looks like an issue in the Pulp RPM. There must be some constraint.

Comment 5 John Matthews 2011-12-07 17:28:21 UTC
We are planning to make a change to the location of content certs Pulp uses; this will help clean up the SELinux policy. As part of that we will remove the ACL dependency and use chown/chmod to allow pulp to read/write to this directory.

Relates to bz 760683

Comment 6 John Matthews 2011-12-16 15:02:22 UTC
We removed the setfacl and changed it to apache owning those files.

Commit is here:
http://git.fedorahosted.org/git/?p=pulp.git;a=commitdiff;h=3f7636356e43815272714e085037cd22b75a0f7f


QE:
Use getfacl -a /etc/pki/pulp/content and verify that no special rules are in place

Note that /etc/pki/content has changed to /etc/pki/pulp/content

Comment 7 Jeff Ortel 2012-01-04 21:48:37 UTC
build: 0.256

Comment 8 Preethi Thomas 2012-01-09 16:06:22 UTC
verified that the cert locations have been moved
[root@katello-test ~]# rpm -q pulp
pulp-0.0.256-1.el6.noarch
[root@katello-test ~]# 

[root@katello-test ~]# ls -l /etc/pki/pulp/content/
total 12
drwxr-xr-x. 2 apache apache 4096 Jan  6 14:56 bad_url
drwxr-xr-x. 2 apache apache 4096 Jan  6 14:57 pulp
-rw-r--r--. 1 apache apache    0 Jan  5 13:07 pulp-protected-repos
drwxr-xr-x. 2 apache apache 4096 Jan  5 13:09 rhel6_x86_64_preserve
[root@katello-test ~]# 


[root@katello-test ~]# getfacl -a /etc/pki/pulp/conten/
getfacl: /etc/pki/pulp/conten/: No such file or directory
[root@katello-test ~]# getfacl -a /etc/pki/pulp/content/
getfacl: Removing leading '/' from absolute path names
# file: etc/pki/pulp/content/
# owner: apache
# group: apache
user::rwx
group::r-x
other::r-x
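
The QE check above (no special ACL rules, directory owned by apache) can be scripted. This is an added example, not part of the original bug report or of Pulp; the function names and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit getfacl output for extended ACL entries and ownership.

# Print extended ACL entries (named user/group, mask, default) from getfacl
# text on stdin. The base entries user::, group:: and other:: are not printed.
extended_acl_entries() {
    awk -F: '
        /^#/ || /^[[:space:]]*$/ { next }   # header comments and blank lines
        $1 == "default" || $1 == "mask" { print; next }
        ($1 == "user" || $1 == "group") && $2 != "" { print }   # named entry
    '
}

# Print the owner recorded in the "# owner:" header line.
acl_owner() { awk '/^# owner: / { print $3; exit }'; }

# check_acl EXPECTED_OWNER  (getfacl text on stdin)
# Prints "ok" and returns 0 only if the owner matches and no extended entries exist.
check_acl() {
    acl_text=$(cat)
    owner=$(printf '%s\n' "$acl_text" | acl_owner)
    extra=$(printf '%s\n' "$acl_text" | extended_acl_entries)
    [ "$owner" = "$1" ] || { echo "owner is '$owner', expected '$1'"; return 1; }
    [ -z "$extra" ] || { echo "extended ACL entries present: $extra"; return 1; }
    echo "ok"
}

# Constructed sample: a directory with base permissions only.
CLEAN_SAMPLE='# file: etc/pki/pulp/content/
# owner: apache
# group: apache
user::rwx
group::r-x
other::r-x'

# Constructed sample: a directory after "setfacl -m u:apache:rwx" succeeded.
ACL_SAMPLE='# file: etc/pki/content
# owner: root
# group: root
user::rwx
user:apache:rwx
group::r-x
mask::rwx
other::r-x'

# On a real host (getfacl must be installed):
#   getfacl -a /etc/pki/pulp/content 2>/dev/null | check_acl apache
```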

Comment 9 Preethi Thomas 2012-02-24 20:17:46 UTC
Pulp v1.0 is released
Closed Current Release.

Comment 10 Preethi Thomas 2012-02-24 20:18:36 UTC
Pulp v1.0 is released.