| Summary: | syncing repo with feed=file://</path/to/the/repo/> fails | |||
|---|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Garik Khachikyan <gkhachik> | |
| Component: | Content Management | Assignee: | Todd Sanders <tsanders> | |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Katello QA List <katello-qa-list> | |
| Severity: | high | Docs Contact: | ||
| Priority: | high | |||
| Version: | 6.0.0 | CC: | bkearney, jlaska, jmatthew, mkoci, mmccune, snansi | |
| Target Milestone: | Unspecified | Keywords: | Regression, Reopened, Triaged | |
| Target Release: | Unused | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: |
Attempting to sync a repository referenced by "file://" URLs may fail due to local file permissions or SELinux policy. Additional steps may be required to allow syncing content from repositories referenced by "file://".
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 799181 (view as bug list) | Environment: | ||
| Last Closed: | 2012-09-07 20:56:29 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Bug Depends On: | ||||
| Bug Blocks: | 799181 | |||
hah!!! there is SELinux issue there: putting on `setenforce 0` does "fixes" that issue but for sure we would need either some doc for users or allow the process to go smoothly. When SELinux is enabled a user will need to ensure that local content they want to sync is labeled with 'httpd_sys_content_t'.
This can be done with the command:
chcon -R -t httpd_sys_content_t $PATH
Additionally the 'apache' user needs read access to the content.
Additional info:
For the specific path noted in the description, the AVCs are not shown because of dontaudit rules.
I enabled display of the AVCs with:
$ sudo semodule -DB
Once the dontaudits are disabled we see the below AVC denial.
type=AVC msg=audit(1329939479.431:43457): avc: denied { search } for pid=2534 comm="sh" name="tito" dev=sda3 ino=26624026 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir
To allow the sync to work I ran the below:
chcon -R -t httpd_sys_content_t /tmp/tito
Any particular reason this should need to be in V1? qa ack- to find out what the need is for v1, and if none, push to 1.x. Quality Engineering Management has reviewed and declined this request. You may appeal this decision by reopening this request.
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
Attempting to sync a repository referenced by "file://" URLs may fail due to local file permissions or SELinux policy. Additional steps may be required to allow syncing content from repositories referenced by "file://".
qa ack+ is for release note only Release Note added. Link: http://documentation-stage.bne.redhat.com/docs/en-US/CloudForms/1.0/html-single/Release_Notes/index.html#sect-Release_Notes-System_Engine-System_Engine_Considerations-known_issues_14 Regards, Shikha I don't know why this got re-opened. the rel-note got added for 1.0. CLOSED:CR |
Description of problem: On recent version of pulp: pulp-0.0.265-1.el6.noarch pulp-admin-0.0.265-1.el6.noarch doing pulp-admin repo sync --id <ID> fails doing sync (status returns: "Exception: Cannot read from directory /tmp/tito/katello/noarch") owner of that directory: is root:root and there is file read access for all. Version-Release number of selected component (if applicable): How reproducible: from 1st attempt Steps to Reproduce: 1.createrepo some repodata under: /tmp/tito/katello/noarch 2.pulp-admin repo create --id test1 --feed file:///tmp/tito/katello/noarch 3.pulp-admin repo sync --id test1 Actual results: see the pulp-status - error --- from log: /var/log/pulp/pulp.log 2012-02-13 11:38:06,907 12415:140126720091904: pulp.server.tasking.task:ERROR: task:474 Task failed: Task d0bb456b-562e-11e1-b9e8-5254004ffc5f: _sync(test1, synchronizer=<pulp.server.api.synchronizers.YumSynchronizer object at 0x7f71c4219250>, skip={}, max_speed=None, threads=None, progress_callback=<bound method RepoSyncTask.progress_callback of <pulp.server.api.repo_sync_task.RepoSyncTask object at 0x7f71c4219210>>) Traceback (most recent call last): File "/usr/lib/python2.6/site-packages/pulp/server/tasking/task.py", line 420, in run result = self.callable(*self.args, **self.kwargs) File "/usr/lib/python2.6/site-packages/pulp/server/api/repo_sync.py", line 272, in _sync progress_callback, synchronizer, max_speed, threads) File "/usr/lib/python2.6/site-packages/pulp/server/api/repo_sync.py", line 355, in fetch_content progress_callback, max_speed, threads) File "/usr/lib/python2.6/site-packages/pulp/server/api/synchronizers.py", line 163, in sync max_speed=max_speed, threads=threads) File "/usr/lib/python2.6/site-packages/pulp/server/api/synchronizers.py", line 1208, in local self.init_progress_details(src_repo_dir, skip_dict) File "/usr/lib/python2.6/site-packages/pulp/server/api/synchronizers.py", line 880, in init_progress_details rpm_list = self.list_rpms(src_repo_dir) File "/usr/lib/python2.6/site-packages/pulp/server/api/synchronizers.py", line 849, in list_rpms pkglist = pulp.server.util.listdir(src_repo_dir) File "/usr/lib/python2.6/site-packages/pulp/server/util.py", line 380, in listdir raise Exception("Cannot read from directory %s" % directory) Exception: Cannot read from directory /tmp/tito/katello/noarch --- Expected results: no error, repo should get synced from local repodata Additional info: m2crypto-0.21.1.pulp-7.el6.x86_64 python-oauth2-1.5.170-2.pulp.el6.noarch katello-glue-pulp-0.1.235-1.git.0.737ec3f.el6.noarch pulp-selinux-server-0.0.265-1.el6.noarch pulp-0.0.265-1.el6.noarch pulp-client-lib-0.0.265-1.el6.noarch mod_wsgi-3.3-3.pulp.el6.x86_64 pulp-common-0.0.265-1.el6.noarch pulp-admin-0.0.265-1.el6.noarch