Description of problem:
A HTB customer attempted to install on their standard RHEL6.5 build, which had a more restrictive umask set for the root user (umask 0027). As a result, some keystore and cert files fail to be placed with appropriate permissions and tomcat has issues during startup. I have duplicated the customer's results by simply changing root's umask to 0027 prior to an install.

Version-Release number of selected component (if applicable):
Red Hat Satellite 6.0.3

How reproducible:

Steps to Reproduce:
1. Set umask of root to 0027
2. Perform section 2.1 of the install guide to install satellite from the repo.
3. Check the log for errors.

Actual results:
Errors during the install:

  Could not start Service[foreman-proxy]: Execution of '/usr/share/katello-installer/modules/service_wait/bin/service-wait foreman-proxy start' returned 1: Starting foreman-proxy: Unable to access the SSL keys. Are the values correct in settings.yml and do permissions allow reading?: Permission denied - /etc/foreman-proxy/ssl_cert.pem
  /Stage[main]/Foreman_proxy::Service/Service[foreman-proxy]/ensure: change from stopped to running failed: Could not start Service[foreman-proxy]: Execution of '/usr/share/katello-installer/modules/service_wait/bin/service-wait foreman-proxy start' returned 1: Starting foreman-proxy: Unable to access the SSL keys. Are the values correct in settings.yml and do permissions allow reading?: Permission denied - /etc/foreman-proxy/ssl_cert.pem
  Could not start Service[tomcat6]: Execution of '/usr/share/katello-installer/modules/service_wait/bin/service-wait tomcat6 start' returned 5: Starting tomcat6: [ OK ]
  /Stage[main]/Candlepin::Service/Service[tomcat6]/ensure: change from stopped to running failed: Could not start Service[tomcat6]: Execution of '/usr/share/katello-installer/modules/service_wait/bin/service-wait tomcat6 start' returned 5: Starting tomcat6: [ OK ]
  /Stage[main]/Candlepin::Service/Service[tomcat6]: Failed to call refresh: Could not restart Service[tomcat6]: Execution of '/usr/share/katello-installer/modules/service_wait/bin/service-wait tomcat6 restart' returned 5: Stopping tomcat6: [ OK ]
  /Stage[main]/Candlepin::Service/Service[tomcat6]: Could not restart Service[tomcat6]: Execution of '/usr/share/katello-installer/modules/service_wait/bin/service-wait tomcat6 restart' returned 5: Stopping tomcat6: [ OK ]
  /Stage[main]/Candlepin::Service/Exec[cpinit]: Failed to call refresh: /usr/bin/wget --timeout=30 --tries=5 --retry-connrefused -qO- http://localhost:8080/candlepin/admin/init >/var/log/candlepin/cpinit.log 2>&1 && touch /var/lib/candlepin/cpinit_done returned 8 instead of one of [0]
  /Stage[main]/Candlepin::Service/Exec[cpinit]: /usr/bin/wget --timeout=30 --tries=5 --retry-connrefused -qO- http://localhost:8080/candlepin/admin/init >/var/log/candlepin/cpinit.log 2>&1 && touch /var/lib/candlepin/cpinit_done returned 8 instead of one of [0]
  Something went wrong! Check the log for ERROR-level output
  The full log is at /var/log/katello-installer/katello-installer.log

The installer is trying to do a wget from tomcat, it looks like, and getting a return code of 8 (a generic "something went wrong on the server side" error).

The first noticeable indication that I saw was in the /var/log/tomcat6/catalina.out log, which is full of exceptions because it cannot read the keystore.

  Jul 15, 2014 3:36:36 PM org.apache.tomcat.util.net.jsse.JSSESocketFactory getStore
  SEVERE: Failed to load keystore type PKCS12 with path conf/keystore due to /usr/share/tomcat6/conf/keystore (Permission denied)
  java.io.FileNotFoundException: /usr/share/tomcat6/conf/keystore (Permission denied)

  # ls -la /usr/share/tomcat6/conf/keystore
  lrwxrwxrwx. 1 tomcat foreman 25 Jul 15 15:36 /usr/share/tomcat6/conf/keystore -> /etc/pki/katello/keystore

... and /etc/pki/katello/keystore is restricted to

  # ls -la /etc/pki/katello/keystore
  -rw-r-----. 1 root root 3010 Jul 15 15:36 /etc/pki/katello/keystore

... instead of the following on a successful install

  # ls -la /etc/pki/katello/keystore
  -rw-r--r--. 1 root root 2954 Jul 1 13:26 /etc/pki/katello/keystore

The other resulting permission issue that was apparent was:

(On my deliberately umask-sabotaged katello-installer)
  # ll /etc/pki/katello/certs/katello-ca-stripped.crt
  -rw-r-----. 1 root root 1883 Jul 15 15:20 /etc/pki/katello/certs/katello-ca-stripped.crt

(On a successful umask-0022 katello-installer)
  # ll /etc/pki/katello/certs/katello-ca-stripped.crt
  -rw-r--r--. 1 root root 1805 Jul 1 13:20 /etc/pki/katello/certs/katello-ca-stripped.crt

Expected results:
No Errors during the install
/etc/pki/katello/keystore readable by tomcat:foreman

Additional info:
I didn't see anything about a umask requirement in the installation guide. However, I'd suspect that we'd just want to manually set it to 0022 in the early parts of the katello-installer, rather than adding a bit to the documentation.

There may be other permissions that are not quite as expected, but customer and I didn't pursue any deeper. Just changed the umask to 0022 and did a re-install without issues.
Seems like I may have opened a duplicate. Bug 1117265 *may* be the exact same. Describing the symptoms of incorrect permissions.
Since this issue was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.
Minimum is a docs addition.
Ideally we can add a pre-install check that will dump the installer if the umask is incompat with our installer.
DOCS: Customers need to have a umask of 0022 before executing the installation program.
WORKAROUND: Ensure that the root user's umask is set to 0022 before executing katello-installer.
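An added example, not part of the bug thread and not katello-installer's own code: POSIX shell functions for the pre-install umask check suggested above, a probe that reproduces the 640-versus-644 file modes shown in the report, and an audit of the paths the report names. The function names and the rule that the umask must not clear the "other" read/execute bits are assumptions; the thread itself only asks for umask 0022.

```shell
#!/bin/sh
# Added example, not katello-installer code. The files in the report are
# owned root:root, so services such as tomcat reach them via "other" bits.

# Succeed only if the umask leaves other-read (files) and other-execute
# (directories) intact. Defaults to the current shell's umask.
preflight_umask() {
    mask=${1:-$(umask)}
    # Leading 0 forces octal: 0027 & 0005 = 0005 (fails), 0022 & 0005 = 0.
    if [ $(( 0$mask & 0005 )) -ne 0 ]; then
        echo "umask $mask strips other r/x; report's workaround: umask 0022" >&2
        return 1
    fi
}

# Create a scratch file under the given umask and print its octal mode.
# The body is a subshell, so the caller's umask is left untouched.
mode_created_under() (
    umask "$1"
    d=$(mktemp -d) || exit 1
    : > "$d/probe"
    stat -c '%a' "$d/probe"
    rm -rf "$d"
)

# Print each existing path (symlinks followed) that lacks other-read.
audit_unreadable() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        m=$(stat -L -c '%a' "$f")
        [ $(( 0$m & 0004 )) -ne 0 ] || echo "$f"
    done
}

# Paths taken from the report; prints nothing on a host without them.
audit_unreadable /etc/pki/katello/keystore \
    /etc/pki/katello/certs/katello-ca-stripped.crt \
    /etc/foreman-proxy/ssl_cert.pem
```

`stat -c` is the GNU coreutils form found on RHEL. Run `preflight_umask` with no argument as root before starting the installer to test the live umask.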
*** Bug 1163018 has been marked as a duplicate of this bug. ***
Created redmine issue http://projects.theforeman.org/issues/8378 from this bug
Moving to POST since upstream bug http://projects.theforeman.org/issues/8378 has been closed
-------------
Anonymous
Applied in changeset commit:katello-installer|96373329c7d528b1786514e546caa4cbfee6e3bb.
Change is upstream. To test this,
1. Set umask to something restrictive, like 027: umask 027
2. Run katello-installer
3. Ensure install completes successfully
temp move to MOD for ET
VERIFIED:

  # umask 0027
  # umask 0027
  # tail -f /var/log/katello-installer/katello-installer.log
  [DEBUG 2015-01-01 22:23:53 main] Finishing transaction 49036620
  [DEBUG 2015-01-01 22:23:53 main] Received report to process from intel-piketon-01.lab.bos.redhat.com
  [DEBUG 2015-01-01 22:23:53 main] Processing report from intel-piketon-01.lab.bos.redhat.com with processor Puppet::Reports::Store
  [ INFO 2015-01-01 22:23:56 main] Puppet has finished, bye!
  [ INFO 2015-01-01 22:23:56 main] Executing hooks in group post
  [DEBUG 2015-01-01 22:23:56 main] Hook /usr/share/katello-installer/hooks/post/10-post_install.rb returned nil
  [ INFO 2015-01-01 22:23:56 main] All hooks in group post finished
  [DEBUG 2015-01-01 22:23:56 main] Exit with status code: 2 (signal was 2)
  [DEBUG 2015-01-01 22:23:56 main] Cleaning /etc/katello-installer/d20150101-20238-zh2yjt
  [DEBUG 2015-01-01 22:23:56 main] Cleaning /tmp/default_values.yaml

  # ls -la /etc/pki/katello/keystore
  -rw-r--r--. 1 root root 2962 Dec 30 06:35 /etc/pki/katello/keystore
  # ls -la /etc/pki/katello/keystore
  -rw-r--r--. 1 root root 2962 Dec 30 06:35 /etc/pki/katello/keystore
Verified in upstream, moving it back to ON_QA
QE Verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2015:0054