Bug 972915
| Summary: | spacewalk-splice-checkin should run as "splice" user, not "root" | | |
|---|---|---|---|
| Product: | [Retired] Subscription Asset Manager | Reporter: | Chris Duryee <cduryee> |
| Component: | Splice | Assignee: | James Slagle <jslagle> |
| Status: | CLOSED ERRATA | QA Contact: | mkovacik |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 1.3 | CC: | bkearney, jmatthew, jslagle, vkuznets |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-10-01 10:55:35 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 833466 | | |
commit f0caa010762b5a13387da4eae05c8e8f20442cc7

I fixed the packaging to also set the owner and permissions on /var/lib/splice so that sst can run as a different user. Additionally, if it is running as a different user, I updated the ssh connection to always connect as root to the satellite (previously it was using the current user). However, spacewalk-splice-tool is still configured to run as root.

I'm still having permission issues running sst under 'splice' user:
[Errno 13] Permission denied: '/var/log/splice/report_server.log'

BTW in spacewalk-splice-tool-0.24-1.el6sam.x86_64 cron jobs are still running under 'root' user:
# cat /etc/cron.d/sp*
# Sync data from spacewalk to candlepin every 4 hours, 9 min past the hour
9 */4 * * * root /usr/bin/spacewalk-splice-checkin --spacewalk-sync
# Sync data from candlepin to splice every 10 minutes
*/10 * * * * root /usr/bin/spacewalk-splice-checkin --splice-sync
Maybe they're responsible for screwing the permissions.

commit 31106c110bc8636c05c97ed5e51a8c899ffb6883 switched sst to run as splice user. This should resolve the issue.

Verified in spacewalk-splice-tool-0.25-1.el6sam:
# sudo -u splice /usr/bin/spacewalk-splice-checkin
2013-06-24 10:11:13,973 INFO splice.common.connect connect:_request: Sending 'POST' to '/splice/api//v1/spliceserver/'
with headers '{'Content-type': 'application/json', 'Accept': 'application/json'}'
2013-06-24 10:11:14,073 INFO splice.common.connect connect:_request: Received '204' from 'POST /splice/api//v1/spliceserver/'
2013-06-24 10:11:14,075 INFO splice.common.connect connect:_request: Sending 'POST' to '/splice/api//v1/marketingproductusage/'
with headers '{'Content-type': 'application/json', 'Accept': 'application/json'}'
2013-06-24 10:11:14,174 INFO splice.common.connect connect:_request: Received '204' from 'POST /splice/api//v1/marketingproductusage/'
Upload was successful
# cat /etc/cron.d/sp*
# Sync data from spacewalk to candlepin every 4 hours, 9 min past the hour
9 */4 * * * splice /usr/bin/spacewalk-splice-checkin --spacewalk-sync
# Sync data from candlepin to splice every 10 minutes
*/10 * * * * splice /usr/bin/spacewalk-splice-checkin --splice-sync
Nothing suspicious in /var/log/splice/spacewalk_splice_tool.log
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHEA-2013-1390.html
Description of problem:
Currently, subscription-splice-checkin must run as root in order to access splice log files along with katello log files.

Version-Release number of selected component (if applicable):
0.19

How reproducible:
every time

Steps to Reproduce:
1. attempt to run spacewalk-splice-checkin as splice user

Actual results:
[root@dhcp129-162 ~]# su - splice -s /bin/bash
-bash-4.1$ spacewalk-splice-checkin --splice-sync
Traceback (most recent call last):
  File "/usr/bin/spacewalk-splice-checkin", line 21, in <module>
    from spacewalk_splice_tool import checkin, utils, constants
  File "/usr/lib/python2.6/site-packages/spacewalk_splice_tool/checkin.py", line 33, in <module>
    from spacewalk_splice_tool.katello_connect import KatelloConnection, NotFoundException
  File "/usr/lib/python2.6/site-packages/spacewalk_splice_tool/katello_connect.py", line 16, in <module>
    from katello.client.api.organization import OrganizationAPI
  File "/usr/lib/python2.6/site-packages/katello/client/api/organization.py", line 16, in <module>
    from katello.client.api.base import KatelloAPI
  File "/usr/lib/python2.6/site-packages/katello/client/api/base.py", line 16, in <module>
    from katello.client import server
  File "/usr/lib/python2.6/site-packages/katello/client/server.py", line 48, in <module>
    class AuthenticationStrategy(object):
  File "/usr/lib/python2.6/site-packages/katello/client/server.py", line 50, in AuthenticationStrategy
    _log = getLogger('katello')
  File "/usr/lib/python2.6/site-packages/katello/client/logutil.py", line 62, in getLogger
    os.mkdir(logdir)
OSError: [Errno 13] Permission denied: '/var/lib/splice/.katello'

Expected results:
successful run of sst

Additional info:
this may require changes to katello-cli to support using the API bindings as users besides katello and root, not sure.
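The check that the verification comment performs by eye with `cat /etc/cron.d/sp*` can be automated. The following is an added example, not code from this report or from spacewalk-splice-tool: it parses `/etc/cron.d`-style text and lists jobs for a given command whose user field is not the expected service account. The function names are hypothetical, and the sample inputs are constructed from the two cron listings quoted above.

```python
import re

# Constructed sample inputs: the two /etc/cron.d listings quoted in this report
CRON_0_24 = """\
# Sync data from spacewalk to candlepin every 4 hours, 9 min past the hour
9 */4 * * * root /usr/bin/spacewalk-splice-checkin --spacewalk-sync
# Sync data from candlepin to splice every 10 minutes
*/10 * * * * root /usr/bin/spacewalk-splice-checkin --splice-sync
"""
CRON_0_25 = CRON_0_24.replace(" root ", " splice ")

ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")


def cron_d_jobs(text):
    """Yield (user, command) for each job line in /etc/cron.d-style text."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue  # blank line, comment, or NAME=value setting
        # "@hourly user cmd" has one schedule field; otherwise there are five
        sched = 1 if line.startswith("@") else 5
        parts = line.split(None, sched + 1)
        if len(parts) < sched + 2:
            continue  # malformed: no user and command after the schedule
        yield parts[sched], parts[sched + 1]


def jobs_not_running_as(text, command, expected_user):
    """Return jobs invoking `command` whose user field is not expected_user."""
    return [(user, cmd) for user, cmd in cron_d_jobs(text)
            if cmd.split()[0] == command and user != expected_user]


if __name__ == "__main__":
    target = "/usr/bin/spacewalk-splice-checkin"
    for name, text in (("0.24", CRON_0_24), ("0.25", CRON_0_25)):
        bad = jobs_not_running_as(text, target, "splice")
        print(name, "OK" if not bad else bad)
```

On a real host, pass the contents of each file under `/etc/cron.d` to `jobs_not_running_as`; per-user crontabs have no user field and need a different parser.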