Bug 1119910 - katello-installer errors if umask too restrictive
Summary: katello-installer errors if umask too restrictive
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: 6.0.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: Unspecified
Assignee: Stephen Benjamin
QA Contact: Corey Welton
URL: http://projects.theforeman.org/issues...
Whiteboard:
Duplicates: 1163018
Depends On:
Blocks: GSS_Sat6Beta_Tracker, GSS_Sat6_Tracker
Reported: 2014-07-15 20:06 UTC by Dylan Gross
Modified: 2019-09-25 20:48 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
katello-installer fails to execute when the host system has a restrictive umask. A restrictive umask alters the permissions of the keystore and certain certificate files, so the services that need them cannot read them. This fix sets the umask to the value the installation requires so that the installation completes successfully.
Clone Of:
Environment:
Last Closed: 2015-01-16 21:07:36 UTC
Target Upstream Version:
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:0054 0 normal SHIPPED_LIVE Red Hat Satellite 6 server bug fix update 2015-01-17 02:04:45 UTC

Description Dylan Gross 2014-07-15 20:06:31 UTC
Description of problem:

A HTB customer attempted to install on their standard RHEL6.5 build, which had a more restrictive umask set for the root user (umask 0027).  As a result, some keystore and cert files fail to be placed with appropriate permissions and tomcat has issues during startup.   I have duplicated the customer's results by simply changing root's umask to 0027 prior to an install.

Version-Release number of selected component (if applicable):

  Red Hat Satellite 6.0.3

How reproducible:

Steps to Reproduce:
1.  Set umask of root to 0027
2.  perform section 2.1 of the install guide to install satellite from the repo.
3.  Check the log for errors.

Actual results:

Errors during the install:

 Could not start Service[foreman-proxy]: Execution of '/usr/share/katello-installer/modules/service_wait/bin/service-wait foreman-proxy start' returned 1: Starting foreman-proxy: Unable to access the SSL keys. Are the values correct in settings.yml and do permissions allow reading?: Permission denied - /etc/foreman-proxy/ssl_cert.pem
 /Stage[main]/Foreman_proxy::Service/Service[foreman-proxy]/ensure: change from stopped to running failed: Could not start Service[foreman-proxy]: Execution of '/usr/share/katello-installer/modules/service_wait/bin/service-wait foreman-proxy start' returned 1: Starting foreman-proxy: Unable to access the SSL keys. Are the values correct in settings.yml and do permissions allow reading?: Permission denied - /etc/foreman-proxy/ssl_cert.pem
 Could not start Service[tomcat6]: Execution of '/usr/share/katello-installer/modules/service_wait/bin/service-wait tomcat6 start' returned 5: Starting tomcat6: [  OK  ]
 /Stage[main]/Candlepin::Service/Service[tomcat6]/ensure: change from stopped to running failed: Could not start Service[tomcat6]: Execution of '/usr/share/katello-installer/modules/service_wait/bin/service-wait tomcat6 start' returned 5: Starting tomcat6: [  OK  ]
 /Stage[main]/Candlepin::Service/Service[tomcat6]: Failed to call refresh: Could not restart Service[tomcat6]: Execution of '/usr/share/katello-installer/modules/service_wait/bin/service-wait tomcat6 restart' returned 5: Stopping tomcat6: [  OK  ]
 /Stage[main]/Candlepin::Service/Service[tomcat6]: Could not restart Service[tomcat6]: Execution of '/usr/share/katello-installer/modules/service_wait/bin/service-wait tomcat6 restart' returned 5: Stopping tomcat6: [  OK  ]
 /Stage[main]/Candlepin::Service/Exec[cpinit]: Failed to call refresh: /usr/bin/wget --timeout=30 --tries=5 --retry-connrefused -qO- http://localhost:8080/candlepin/admin/init >/var/log/candlepin/cpinit.log 2>&1 && touch /var/lib/candlepin/cpinit_done returned 8 instead of one of [0]
 /Stage[main]/Candlepin::Service/Exec[cpinit]: /usr/bin/wget --timeout=30 --tries=5 --retry-connrefused -qO- http://localhost:8080/candlepin/admin/init >/var/log/candlepin/cpinit.log 2>&1 && touch /var/lib/candlepin/cpinit_done returned 8 instead of one of [0]
  Something went wrong! Check the log for ERROR-level output
  The full log is at /var/log/katello-installer/katello-installer.log

The installer is trying to do a wget from tomcat, it looks like, and getting a return code of 8 (a generic "something went wrong on the server side" error).

The first noticeable indication that I saw was in the /var/log/tomcat6/catalina.out log, which is full of exceptions because it cannot read the keystore.

Jul 15, 2014 3:36:36 PM org.apache.tomcat.util.net.jsse.JSSESocketFactory getStore
SEVERE: Failed to load keystore type PKCS12 with path conf/keystore due to /usr/share/tomcat6/conf/keystore (Permission denied)
java.io.FileNotFoundException: /usr/share/tomcat6/conf/keystore (Permission denied)


# ls -la /usr/share/tomcat6/conf/keystore
lrwxrwxrwx. 1 tomcat foreman 25 Jul 15 15:36 /usr/share/tomcat6/conf/keystore -> /etc/pki/katello/keystore

... and /etc/pki/katello/keystore is restricted to

# ls -la /etc/pki/katello/keystore
-rw-r-----. 1 root root 3010 Jul 15 15:36 /etc/pki/katello/keystore

... instead of the following on a successful install

# ls -la /etc/pki/katello/keystore
-rw-r--r--. 1 root root 2954 Jul  1 13:26 /etc/pki/katello/keystore


The other resulting permission issue that was apparent was:

(On my deliberately umask-sabotaged katello-installer)
# ll /etc/pki/katello/certs/katello-ca-stripped.crt
-rw-r-----. 1 root root 1883 Jul 15 15:20 /etc/pki/katello/certs/katello-ca-stripped.crt

(On a successful umask-0022 katello-installer)
# ll /etc/pki/katello/certs/katello-ca-stripped.crt
-rw-r--r--. 1 root root 1805 Jul  1 13:20 /etc/pki/katello/certs/katello-ca-stripped.crt



Expected results:

No Errors during the install
/etc/pki/katello/keystore readable by tomcat:foreman

Additional info:

I didn't see anything about a umask requirement in the installation guide.  However, I'd suspect that we'd just want to manually set it to 0022 in the early parts of the katello-installer, rather than adding a bit to the documentation.  There may be other permissions that are not quite as expected, but customer and I didn't pursue any deeper.   Just changed the umask to 0022 and did a re-install without issues.

Comment 1 Dylan Gross 2014-07-15 20:11:26 UTC
Seems like I may have opened a duplicate.   Bug 1117265 *may* be the exact same.  Describing the symptoms of incorrect permissions.

Comment 2 RHEL Program Management 2014-07-15 20:24:19 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 4 Mike McCune 2014-08-07 13:28:48 UTC
Minimum is a docs addition

Ideally we can add a pre-install check that will dump the installer if the umask is incompat with our installer.

Comment 5 Mike McCune 2014-08-26 05:19:35 UTC
DOCS:

Customers need to have a umask of 0022 before executing the installation program.

WORKAROUND:

Ensure that the root user's umask is set to 0022 before executing katello-installer.
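
The pre-install check suggested in Comment 4 and the 0022 workaround above, written out as an added shell example. This is not katello-installer code and not the upstream change; it assumes the installer creates its files as 0644 and that tomcat and foreman-proxy read them as "other", so the check rejects any umask that clears a read bit (0027 and 0077 fail, 0022 and 0002 pass, which is slightly looser than the exact 0022 the docs ask for). The function and variable names are made up for this example; the two audited paths are the files this bug shows with the wrong mode.

```sh
#!/bin/sh
# Added example, not katello-installer code: a pre-install umask check of the
# kind suggested in Comment 4, plus the "force the umask for the installer's
# own file creation" approach the fix description refers to. Default audit
# paths are the two files this bug shows being created with the wrong mode.

# Mode a newly created file receives: requested mode with the umask bits
# cleared. Both arguments are octal strings, e.g. mode_after_umask 0644 0027.
mode_after_umask() {
    printf '%04o\n' $(( 0$1 & ~0$2 ))
}

# A umask is compatible with the installer if it clears no read bit: files
# the installer creates as 0644 (keystore, CA certs, proxy certs) must stay
# readable by tomcat and foreman-proxy, which are neither owner nor group.
# 0022 (the documented requirement) passes; 0027 and 0077 fail. (Assumption
# of this example, not a rule taken from the installer.)
umask_compatible() {
    [ $(( 0$1 & 0444 )) -eq 0 ]
}

# Pre-flight check against the shell's current umask. Returns 1 so a wrapper
# can abort before Puppet starts writing files.
preflight_umask() {
    current=$(umask)
    if umask_compatible "$current"; then
        return 0
    fi
    echo "umask $current would strip read permission from installer-created files;" >&2
    echo "run 'umask 0022' before starting katello-installer" >&2
    return 1
}

# The alternative to aborting: force the umask for the duration of one
# command, in a subshell so the caller's umask is left untouched.
run_with_umask() {
    _mask=$1; shift
    ( umask "$_mask" && "$@" )
}

# Permission string as ls shows it (first 10 columns; portable across GNU and
# BSD ls, and drops any trailing SELinux/ACL marker).
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Post-install audit: every listed file must exist and be world-readable
# ('r' in column 8). Defaults to the two files this bug reports as 0640.
audit_world_readable() {
    [ $# -gt 0 ] || set -- /etc/pki/katello/keystore \
                            /etc/pki/katello/certs/katello-ca-stripped.crt
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "missing: $f" >&2; rc=1; continue
        fi
        case $(perm_string "$f" | cut -c8) in
            r) ;;
            *) echo "not world-readable: $f ($(perm_string "$f"))" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone demonstration in a scratch directory: `sh umask_check.sh demo`.
if [ "${1-}" = "demo" ]; then
    tmp=$(mktemp -d)
    run_with_umask 0027 touch "$tmp/strict"   # -rw-r-----, as in the report
    run_with_umask 0022 touch "$tmp/fixed"    # -rw-r--r--, as on a good install
    perm_string "$tmp/strict"; perm_string "$tmp/fixed"
    audit_world_readable "$tmp/strict" "$tmp/fixed" || echo "audit failed as expected"
    rm -rf "$tmp"
fi
```

`preflight_umask` is the "dump the installer" variant from Comment 4; `run_with_umask` is the other option, making the installer independent of the caller's umask by scoping its own. `audit_world_readable` with no arguments checks the two files from the report on a finished install and is what a verifier would run after the Comment 12 steps.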

Comment 7 Dominic Cleal 2014-11-12 13:10:53 UTC
*** Bug 1163018 has been marked as a duplicate of this bug. ***

Comment 9 Stephen Benjamin 2014-11-12 18:43:19 UTC
Created redmine issue http://projects.theforeman.org/issues/8378 from this bug

Comment 11 Bryan Kearney 2014-11-17 23:02:39 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/8378 has been closed
-------------
Anonymous
Applied in changeset commit:katello-installer|96373329c7d528b1786514e546caa4cbfee6e3bb.

Comment 12 Stephen Benjamin 2014-11-18 16:21:11 UTC
Change is upstream. To test this,

1. Set umask to something restrictive, like 027:
        umask 027
2. Run katello-installer
3. Ensure install completes successfully

Comment 17 Mike McCune 2014-12-11 17:24:34 UTC
temp move to MOD for ET

Comment 19 Tazim Kolhar 2015-01-02 03:28:10 UTC
VERIFIED:

# umask 0027
# umask
0027


# tail -f /var/log/katello-installer/katello-installer.log
[DEBUG 2015-01-01 22:23:53 main]  Finishing transaction 49036620
[DEBUG 2015-01-01 22:23:53 main]  Received report to process from intel-piketon-01.lab.bos.redhat.com
[DEBUG 2015-01-01 22:23:53 main]  Processing report from intel-piketon-01.lab.bos.redhat.com with processor Puppet::Reports::Store
[ INFO 2015-01-01 22:23:56 main] Puppet has finished, bye!
[ INFO 2015-01-01 22:23:56 main] Executing hooks in group post
[DEBUG 2015-01-01 22:23:56 main] Hook /usr/share/katello-installer/hooks/post/10-post_install.rb returned nil
[ INFO 2015-01-01 22:23:56 main] All hooks in group post finished
[DEBUG 2015-01-01 22:23:56 main] Exit with status code: 2 (signal was 2)
[DEBUG 2015-01-01 22:23:56 main] Cleaning /etc/katello-installer/d20150101-20238-zh2yjt
[DEBUG 2015-01-01 22:23:56 main] Cleaning /tmp/default_values.yaml

#  ls -la /etc/pki/katello/keystore
-rw-r--r--. 1 root root 2962 Dec 30 06:35 /etc/pki/katello/keystore

Comment 20 Tazim Kolhar 2015-01-03 13:26:20 UTC
verified in upstream, moving it back to ON_QA

Comment 22 Corey Welton 2015-01-08 19:59:41 UTC
QE Verified.

Comment 24 errata-xmlrpc 2015-01-16 21:07:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2015:0054
