Bug 1100169 - oo-diagnostics tools throw warning message when user add alias cert to app
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Pod
Version: 2.1.0
Hardware/OS: Unspecified Unspecified
Priority: medium
Severity: low
Assigned To: Luke Meyer
QA Contact: libra bugs
Reported: 2014-05-22 03:18 EDT by Johnny Liu
Modified: 2014-06-23 03:37 EDT
Fixed In Version: rubygem-openshift-origin-common-1.22.5.6-1.el6op
Doc Type: Bug Fix
Doc Text:
After a custom SSL certificate for an alias was added to an application, the oo-diagnostics tool reported warning messages that the permissions on configuration files were not correct. This was due to the oo-diagnostics tool running a test that checked for more than was actually required. This bug fix updates the oo-diagnostics tool to only check files that Apache actually reads at runtime, and the warnings no longer occur for alias certificates.
Last Closed: 2014-06-23 03:37:48 EDT
Type: Bug
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:0781 normal SHIPPED_LIVE Red Hat OpenShift Enterprise 2.1.2 bug fix update 2014-06-23 07:36:38 EDT
Description Johnny Liu 2014-05-22 03:18:02 EDT
Description of problem:
The oo-diagnostics tool throws a warning message complaining that the permissions on config files are incorrect when a user adds an alias cert to an app.

Version-Release number of selected component (if applicable):
rubygem-openshift-origin-common-1.22.5.4-1.el6op.noarch

How reproducible:
Always

Steps to Reproduce:
1. Create an app and add an alias cert to it. Then the following Apache config files are added.
# ll /var/lib/openshift/.httpd.d/537b2a176892dfdd8c0001fa_jialiu_bar.jialiu.com/bar.jialiu.com.*
-rw-------. 1 root root 1273 May 20 03:11 /var/lib/openshift/.httpd.d/537b2a176892dfdd8c0001fa_jialiu_bar.jialiu.com/bar.jialiu.com.crt
-rw-------. 1 root root 1679 May 20 03:11 /var/lib/openshift/.httpd.d/537b2a176892dfdd8c0001fa_jialiu_bar.jialiu.com/bar.jialiu.com.key
2. Run oo-diagnostics

Actual results:
<--snip-->
INFO: running: test_apache_can_read_conf_files
WARN: test_apache_can_read_conf_files
        The following configuration files have names and locations indicating
        that the apache user should be able to read them, but are not readable
        by the apache user:
          
          /var/lib/openshift/.httpd.d/537b2a176892dfdd8c0001fa_jialiu_bar.jialiu.com/bar.jialiu.com.crt
          /var/lib/openshift/.httpd.d/537b2a176892dfdd8c0001fa_jialiu_bar.jialiu.com/bar.jialiu.com.key
          
        
        The host httpd server may malfunction without read access to these files.
<--snip-->

Expected results:
No warning message is seen.

Additional info:
Comment 2 Luke Meyer 2014-05-22 11:31:32 EDT
*facepalm* OK that was a really misguided test. But should be an easy fix.
Comment 4 openshift-github-bot 2014-05-23 12:10:48 EDT
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/366ef378d8ee735b877c92d6799cc703da0b6bd6
diagnostics: fix errant warning on httpd conf

Bug 1100169 - oo-diagnostics tools throw warning message when user add
alias cert to app
https://bugzilla.redhat.com/show_bug.cgi?id=1100169

also:
Bug 1002559 - oo-diagnostics should check the mode on important files
https://bugzilla.redhat.com/show_bug.cgi?id=1002559

test_apache_can_read_conf_files is intended to warn when the apache user
cannot read files it needs to. The files being checked are overly broad;
since httpd reads all of its configuration as root before switching to
apache user, none of that needs to be apache-readable. Instead, just
check files that apache will actually be reading at runtime. Everything
related to Rails apps falls into this category.
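The rule the commit message describes, as an added example and not the project's own oo-diagnostics code: httpd parses its configuration (including alias certs and keys under .httpd.d) as root before dropping to the apache user, so only files opened after the privilege drop need to be apache-readable. The example models that narrowed check on constructed stat-like entries. The apache uid/gid of 48 and the set of "read at runtime" path patterns are assumptions modelled on the verified output in this bug (.db maps under .httpd.d on the node, /etc/openshift/server_pub.pem on the broker), not the project's actual list.

```ruby
# Added example, not from openshift/origin-server.
# Models test_apache_can_read_conf_files after the fix: warn only for files that
# the apache user opens at runtime, not for config that httpd reads as root.

# Constructed stand-in for File::Stat so the example runs without touching a host.
FileEntry = Struct.new(:path, :uid, :gid, :mode)

# Assumption: uid/gid of the 'apache' account on a RHEL-family host.
APACHE_UID = 48
APACHE_GID = 48

# Assumption: files httpd (or the broker/console Rails apps under it) opens after
# the privilege drop. Config, .crt and .key files are deliberately absent: httpd
# reads those as root at startup, so their 0600 root:root mode is fine.
RUNTIME_READ_PATTERNS = [
  %r{\A/var/lib/openshift/\.httpd\.d/.*\.db\z},   # node: mod_rewrite DBM maps
  %r{\A/etc/openshift/server_pub\.pem\z},         # broker: public key used by Rails apps
].freeze

def runtime_read_by_apache?(path)
  RUNTIME_READ_PATTERNS.any? { |re| path.match?(re) }
end

# POSIX read check for one uid and its group set. Only the first matching class
# (owner, then group, then other) decides, and root's bypass is not modelled,
# because the question is what the unprivileged apache user can read.
def readable_by?(entry, uid, gids)
  return (entry.mode & 0o400) != 0 if entry.uid == uid
  return (entry.mode & 0o040) != 0 if gids.include?(entry.gid)
  (entry.mode & 0o004) != 0
end

# Paths the narrowed check should warn about.
def unreadable_runtime_files(entries, uid: APACHE_UID, gids: [APACHE_GID])
  entries.select { |e| runtime_read_by_apache?(e.path) && !readable_by?(e, uid, gids) }
         .map(&:path)
end

# Constructed sample mirroring the bug: alias cert/key at 0600 root:root (must not
# warn), a DBM map after `chmod o-r` (must warn), the broker key after
# `chown root:root` with group-only read (must warn), and a world-readable map.
HTTPD_D = '/var/lib/openshift/.httpd.d'
SAMPLE_ENTRIES = [
  FileEntry.new("#{HTTPD_D}/537b2a176892dfdd8c0001fa_jialiu_bar.jialiu.com/bar.jialiu.com.crt", 0, 0, 0o600),
  FileEntry.new("#{HTTPD_D}/537b2a176892dfdd8c0001fa_jialiu_bar.jialiu.com/bar.jialiu.com.key", 0, 0, 0o600),
  FileEntry.new("#{HTTPD_D}/xx.db", 0, 0, 0o640),
  FileEntry.new('/etc/openshift/server_pub.pem', 0, 0, 0o640),
  FileEntry.new("#{HTTPD_D}/example.db", 0, 0, 0o644),  # constructed, readable
].freeze

def report(entries = SAMPLE_ENTRIES)
  bad = unreadable_runtime_files(entries)
  if bad.empty?
    puts 'NO ERRORS'
  else
    puts 'WARN: test_apache_can_read_conf_files'
    bad.each { |p| puts "          #{p}" }
    puts "#{bad.size} WARNINGS"
  end
  bad
end

report if $PROGRAM_NAME == __FILE__
```

Running the block prints a warning for xx.db and server_pub.pem only, matching the verified behaviour in this bug, while the 0600 alias cert and key no longer trigger anything. The original over-broad test applied the readability check to everything under .httpd.d, which is why the fix is a narrower predicate rather than a change to the permission evaluation itself.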
Comment 7 Johnny Liu 2014-06-11 03:35:19 EDT
Verified this bug with rubygem-openshift-origin-common-1.22.5.6-1.el6op.noarch in 2.1.z/2014-06-10.3, and PASS.


On broker:
# oo-diagnostics -v test_apache_can_read_conf_files
INFO: loading list of installed packages
INFO: OpenShift broker installed.
INFO: Loading the broker rails environment.
INFO: running: test_apache_can_read_conf_files
NO ERRORS

# chown root:root server_pub.pem
# oo-diagnostics -v test_apache_can_read_conf_files
INFO: loading list of installed packages
INFO: OpenShift broker installed.
INFO: Loading the broker rails environment.
INFO: running: test_apache_can_read_conf_files
WARN: test_apache_can_read_conf_files
        The following configuration files have names and locations indicating
        that the apache user should be able to read them, but are not readable
        by the apache user:
          
          /etc/openshift/server_pub.pem
          
        The broker and console services may malfunction without read access to these files.
        

1 WARNINGS
NO ERRORS

On node:
# oo-diagnostics -v test_apache_can_read_conf_files
INFO: loading list of installed packages
INFO: OpenShift node installed.
INFO: running: test_apache_can_read_conf_files
NO ERRORS


# touch xx.db
# chmod o-r xx.db
# oo-diagnostics -v test_apache_can_read_conf_files
INFO: loading list of installed packages
INFO: OpenShift node installed.
INFO: running: test_apache_can_read_conf_files
WARN: test_apache_can_read_conf_files
        The following configuration files have names and locations indicating
        that the apache user should be able to read them, but are not readable
        by the apache user:
          
          /var/lib/openshift/.httpd.d/xx.db
          
        
        The host httpd server may malfunction without read access to these files.

1 WARNINGS
NO ERRORS
Comment 9 errata-xmlrpc 2014-06-23 03:37:48 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-0781.html
