Description of problem:
oo-diagnostics throws a warning message complaining that the permissions of config files are incorrect when a user adds an alias cert to an app.

Version-Release number of selected component (if applicable):
rubygem-openshift-origin-common-1.22.5.4-1.el6op.noarch

How reproducible:
Always

Steps to Reproduce:
1. Create an app, and add an alias cert to this app. Then the following apache config files are added.
   # ll /var/lib/openshift/.httpd.d/537b2a176892dfdd8c0001fa_jialiu_bar.jialiu.com/bar.jialiu.com.*
   -rw-------. 1 root root 1273 May 20 03:11 /var/lib/openshift/.httpd.d/537b2a176892dfdd8c0001fa_jialiu_bar.jialiu.com/bar.jialiu.com.crt
   -rw-------. 1 root root 1679 May 20 03:11 /var/lib/openshift/.httpd.d/537b2a176892dfdd8c0001fa_jialiu_bar.jialiu.com/bar.jialiu.com.key
2. Run oo-diagnostics
3.

Actual results:
<--snip-->
INFO: running: test_apache_can_read_conf_files
WARN: test_apache_can_read_conf_files
      The following configuration files have names and locations indicating that the apache user should be able to read them, but are not readable by the apache user:
      /var/lib/openshift/.httpd.d/537b2a176892dfdd8c0001fa_jialiu_bar.jialiu.com/bar.jialiu.com.crt
      /var/lib/openshift/.httpd.d/537b2a176892dfdd8c0001fa_jialiu_bar.jialiu.com/bar.jialiu.com.key
      The host httpd server may malfunction without read access to these files.
<--snip-->

Expected results:
No warning message is seen.

Additional info:
*facepalm* OK that was a really misguided test. But should be an easy fix.
Upstream: https://github.com/openshift/origin-server/pull/5444
Adding to OSE cherrypicks: https://github.com/openshift/enterprise-server/pull/283
Commit pushed to master at https://github.com/openshift/origin-server
https://github.com/openshift/origin-server/commit/366ef378d8ee735b877c92d6799cc703da0b6bd6

diagnostics: fix errant warning on httpd conf

Bug 1100169 - oo-diagnostics tools throw warning message when user add alias cert to app
https://bugzilla.redhat.com/show_bug.cgi?id=1100169

also:
Bug 1002559 - oo-diagnostics should check the mode on important files
https://bugzilla.redhat.com/show_bug.cgi?id=1002559

test_apache_can_read_conf_files is intended to warn when the apache user
cannot read files it needs to. The files being checked are overly broad;
since httpd reads all of its configuration as root before switching to
apache user, none of that needs to be apache-readable. Instead, just check
files that apache will actually be reading at runtime. Everything related
to Rails apps falls into this category.
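The distinction the commit message draws (startup configuration that httpd parses as root versus files the unprivileged apache worker opens later) is easy to get wrong in a permissions check, because File.readable? answers for whoever runs the diagnostic, usually root. The following Ruby script is an added illustration of that narrowed check and is not oo-diagnostics' own code: it decides readability from the owner, group and mode bits for a given uid/gid rather than by trying to open the file, skips .crt/.key/.conf as root-read-at-startup, and treats *.db maps as runtime-read files. The *.db classification, the example.com file names and the uid/gid 48 default are assumptions made for the demo.

```ruby
require 'tmpdir'
require 'fileutils'

# Hypothetical "apache" identity used when no real one is supplied; uid/gid 48 is
# the conventional apache account on RHEL-family systems but is an assumption here.
DEFAULT_APACHE_UID = 48
DEFAULT_APACHE_GIDS = [48].freeze

# Classify a file under .httpd.d: httpd reads *.conf, *.crt and *.key as root at
# startup, so those need no apache access. Files the apache worker opens at runtime
# (modelled here as the *.db maps, an assumption for this example) must be readable
# by the apache user.
def runtime_read_file?(path)
  File.extname(path) == '.db'
end

# Can a principal with this uid and these gids read the file, judged from the
# owner, group and mode bits? Checked explicitly instead of File.readable? so the
# answer reflects the apache user even when this script runs as root.
def readable_by?(path, uid:, gids:)
  st = File.stat(path)
  return true if st.uid == uid && (st.mode & 0o400) != 0
  return true if gids.include?(st.gid) && (st.mode & 0o040) != 0
  (st.mode & 0o004) != 0
end

# Walk a .httpd.d-style tree and return, sorted, the runtime-read files the apache
# user cannot read. Startup-only files (.crt/.key/.conf) are skipped on purpose,
# which is the narrowing the fix describes.
def unreadable_runtime_files(dir, uid: DEFAULT_APACHE_UID, gids: DEFAULT_APACHE_GIDS)
  Dir.glob(File.join(dir, '**', '*'))
     .select { |f| File.file?(f) && runtime_read_file?(f) }
     .reject { |f| readable_by?(f, uid: uid, gids: gids) }
     .sort
end

# Constructed fixture mirroring the report: a vhost dir with a 0600 cert/key pair
# (fine, read as root) plus one private and one world-readable .db map.
def build_sample_tree(root)
  vhost = File.join(root, 'example_vhost.example.com')
  FileUtils.mkdir_p(vhost)
  files = {
    crt: File.join(vhost, 'example.com.crt'),
    key: File.join(vhost, 'example.com.key'),
    private_db: File.join(root, 'private.db'),
    public_db: File.join(root, 'public.db')
  }
  files.each_value { |f| File.write(f, "constructed sample\n") }
  File.chmod(0o600, files[:crt], files[:key], files[:private_db])
  File.chmod(0o644, files[:public_db])
  files
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |d|
    build_sample_tree(d)
    bad = unreadable_runtime_files(d)
    puts(bad.empty? ? 'NO ERRORS' : "WARN: apache cannot read:\n  #{bad.join("\n  ")}")
  end
end
```

Run stand-alone it reports only private.db, even though the cert and key are also mode 0600: those are deliberately outside the check, which is exactly what the original broad version of test_apache_can_read_conf_files got wrong.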
Verified this bug with rubygem-openshift-origin-common-1.22.5.6-1.el6op.noarch in 2.1.z/2014-06-10.3, and PASS.

On broker:
# oo-diagnostics -v test_apache_can_read_conf_files
INFO: loading list of installed packages
INFO: OpenShift broker installed.
INFO: Loading the broker rails environment.
INFO: running: test_apache_can_read_conf_files
NO ERRORS

# chown root:root server_pub.pem
# oo-diagnostics -v test_apache_can_read_conf_files
INFO: loading list of installed packages
INFO: OpenShift broker installed.
INFO: Loading the broker rails environment.
INFO: running: test_apache_can_read_conf_files
WARN: test_apache_can_read_conf_files
      The following configuration files have names and locations indicating that the apache user should be able to read them, but are not readable by the apache user:
      /etc/openshift/server_pub.pem
      The broker and console services may malfunction without read access to these files.
1 WARNINGS
NO ERRORS

On node:
# oo-diagnostics -v test_apache_can_read_conf_files
INFO: loading list of installed packages
INFO: OpenShift node installed.
INFO: running: test_apache_can_read_conf_files
NO ERRORS

# touch xx.db
# chmod o-r xx.db
# oo-diagnostics -v test_apache_can_read_conf_files
INFO: loading list of installed packages
INFO: OpenShift node installed.
INFO: running: test_apache_can_read_conf_files
WARN: test_apache_can_read_conf_files
      The following configuration files have names and locations indicating that the apache user should be able to read them, but are not readable by the apache user:
      /var/lib/openshift/.httpd.d/xx.db
      The host httpd server may malfunction without read access to these files.
1 WARNINGS
NO ERRORS
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-0781.html