1183175 – changing to a different rhsm.productcertdir configuration throws OSError: [Errno 17] File exists

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1183175 - changing to a different rhsm.productcertdir configuration throws OSError: [Errno 17] File exists

Summary: changing to a different rhsm.productcertdir configuration throws OSError: [Er...

Keywords:
Status:	CLOSED WORKSFORME
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	subscription-manager
Sub Component:
Version:	7.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	candlepin-bugs
QA Contact:	John Sefler
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	rhsm-rhel71
TreeView+	depends on / blocked

Reported:	2015-01-16 22:58 UTC by John Sefler
Modified:	2015-01-21 21:17 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-01-21 20:28:38 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description John Sefler 2015-01-16 22:58:10 UTC

Description of problem:
After changing the rhsm.conf configuration for productcertdir to a different but valid path, various subscription-manager modules are encountering a traceback.

There is a regression here because many of the automated tests have relied on alterations to the productcertdir configuration for many many past releases.


Version-Release number of selected component (if applicable):
[root@jsefler-os7 ~]# rpm -q subscription-manager python-rhsm selinux-policy python dbus
subscription-manager-1.13.16-1.el7.x86_64
python-rhsm-1.13.10-1.el7.x86_64
selinux-policy-3.13.1-16.el7.noarch
python-2.7.5-16.el7.x86_64
dbus-1.6.12-11.el7.x86_64

How reproducible:


Steps to Reproduce:
[root@jsefler-os7 ~]# subscription-manager config | grep certdir
   consumercertdir = [/etc/pki/consumer]
   entitlementcertdir = [/etc/pki/entitlement]
   productcertdir = [/etc/pki/product]
[root@jsefler-os7 ~]# subscription-manager register --username=testuser1 --password=password --org=admin
The system has been registered with ID: 9460e3e1-3296-4aa9-a8d9-74361d667a9d 
[root@jsefler-os7 ~]# subscription-manager unregister
This system is currently not registered.

REGISTRATION WAS GOOD AS EXPECTED.
NOW, LET'S CHANGE THE DEFAULT rhsm.productcertdir AND ATTEMPT TO REGISTER AGAIN...

[root@jsefler-os7 ~]# mkdir /tmp/productcertdir
[root@jsefler-os7 ~]# cp /etc/pki/product/69.pem /tmp/productcertdir
[root@jsefler-os7 ~]# subscription-manager config --rhsm.productcertdir=/tmp/productcertdir
[root@jsefler-os7 ~]# subscription-manager config | grep certdir
   consumercertdir = [/etc/pki/consumer]
   entitlementcertdir = [/etc/pki/entitlement]
   productcertdir = /tmp/productcertdir       <======== NOTICE THE EXPECTED CONFIG CHANGE
[root@jsefler-os7 ~]# subscription-manager register --username=testuser1 --password=password --org=admin
The system has been registered with ID: 1fc8d794-dd79-40ff-a0d0-c79e38c86ace 
Traceback (most recent call last):
  File "/usr/share/rhsm/subscription_manager/dbus_interface.py", line 59, in emit_status
    self.validity_iface.emit_status()
  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 70, in __call__
    return self._proxy_method(*args, **keywords)
  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
dbus.exceptions.DBusException: org.freedesktop.DBus.Python.OSError: Traceback (most recent call last):
  File "/usr/lib64/python2.7/site-packages/dbus/service.py", line 707, in _message_cb
    retval = candidate_method(self, *args, **keywords)
  File "/usr/libexec/rhsmd", line 227, in emit_status
    refresh_compliance_status(self._dbus_properties)
  File "/usr/libexec/rhsmd", line 125, in refresh_compliance_status
    sorter = require(CERT_SORTER)
  File "/usr/share/rhsm/subscription_manager/injection.py", line 103, in require
    return FEATURES.require(feature, *args, **kwargs)
  File "/usr/share/rhsm/subscription_manager/injection.py", line 77, in require
    self.providers[feature] = provider()
  File "/usr/share/rhsm/subscription_manager/cert_sorter.py", line 314, in __init__
    self.installed_mgr = inj.require(inj.INSTALLED_PRODUCTS_MANAGER)
  File "/usr/share/rhsm/subscription_manager/injection.py", line 103, in require
    return FEATURES.require(feature, *args, **kwargs)
  File "/usr/share/rhsm/subscription_manager/injection.py", line 77, in require
    self.providers[feature] = provider()
  File "/usr/share/rhsm/subscription_manager/cache.py", line 414, in __init__
    self.product_dir = inj.require(inj.PROD_DIR)
  File "/usr/share/rhsm/subscription_manager/injection.py", line 103, in require
    return FEATURES.require(feature, *args, **kwargs)
  File "/usr/share/rhsm/subscription_manager/injection.py", line 77, in require
    self.providers[feature] = provider()
  File "/usr/share/rhsm/subscription_manager/certdirectory.py", line 224, in __init__
    self.installed_prod_dir = ProductCertificateDirectory(path=installed_prod_path)
  File "/usr/share/rhsm/subscription_manager/certdirectory.py", line 106, in __init__
    self.create()
  File "/usr/share/rhsm/subscription_manager/certdirectory.py", line 70, in create
    os.makedirs(self.path)
  File "/usr/lib64/python2.7/os.py", line 157, in makedirs
    mkdir(name, mode)
OSError: [Errno 17] File exists: '/tmp/productcertdir'

[root@jsefler-os7 ~]# 
[root@jsefler-os7 ~]# tail /var/log/rhsm/rhsm.log
2015-01-16 17:52:59,657 [DEBUG] subscription-manager:20642 @cert_sorter.py:195 - partially entitled products: []
2015-01-16 17:52:59,657 [DEBUG] subscription-manager:20642 @cert_sorter.py:196 - unentitled products: ['69']
2015-01-16 17:52:59,657 [DEBUG] subscription-manager:20642 @cert_sorter.py:197 - future products: []
2015-01-16 17:52:59,658 [DEBUG] subscription-manager:20642 @cert_sorter.py:198 - partial stacks: []
2015-01-16 17:52:59,658 [DEBUG] subscription-manager:20642 @cert_sorter.py:199 - entitlements valid until: None
2015-01-16 17:52:59,962 [INFO] rhsmd:20673 @rhsmd:302 - rhsmd started
2015-01-16 17:52:59,974 [INFO] rhsmd:20673 @rhsmd:211 - D-Bus interface com.redhat.SubscriptionManager.EntitlementStatus.update_status called with status = 1
2015-01-16 17:53:00,077 [DEBUG] rhsmd:20673 @identity.py:131 - Loading consumer info from identity certificates.
2015-01-16 17:53:00,086 [INFO] rhsmd:20673 @rhsmd:178 - D-Bus signal com.redhat.SubscriptionManager.EntitlementStatus.entitlement_status_changed emitted
2015-01-16 17:53:00,087 [INFO] rhsmd:20673 @rhsmd:226 - D-Bus interface com.redhat.SubscriptionManager.EntitlementStatus.emit_status called 


Actual results:


Expected results:


Additional info:

Comment 2 Adrian Likins 2015-01-19 23:14:37 UTC

as odd as it sounds, I think this may be a selinux os systemd service related. I think the os.stat on /tmp/productcertdir for rhsnd fails for some reason. Will diff further.

Comment 3 John Sefler 2015-01-20 01:51:00 UTC

I'd like to resolve this for rhel7.1.

Comment 4 Adrian Likins 2015-01-20 01:56:01 UTC

by default, on rhel7.1ish, a:

sudo mkdir /tmp/productcertdir

ends up:

ls -larZ /tmp/productcertdir
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 37060.pem
drwxrwxrwt. root root system_u:object_r:tmp_t:s0       ..
drwxr-xr-x. root root unconfined_u:object_r:user_tmp_t:s0 .

while /etc/pki/product is:

[subscription-manager (alikins/1183122_productid_keyerror %)]$ ls -larZ /etc/pki/product
-rw-r--r--. root root unconfined_u:object_r:cert_t:s0  37060.pem
drwxr-xr-x. root root system_u:object_r:cert_t:s0      ..
drwxr-xr-x. root root system_u:object_r:cert_t:s0      .

Copying the /etc/pki/product context:

sudo chcon --reference=/etc/pki/product /tmp/productcertdir/
sudo chcon --reference=/etc/pki/product/37060.pem /tmp/productcertdir/37060.pem

Seems to fix it.

Spewing the rhsmd stdout to the console is pretty ugly though.

Comment 5 John Sefler 2015-01-21 20:28:38 UTC

Offending implementation of RFE Bug 884285 was reverted for RHEL7.1 which in turn fixes this bug.

[root@jsefler-os7 ~]# rpm -q --changelog subscription-manager | head -5
* Tue Jan 20 2015 William Poteat <wpoteat> 1.13.17-1
- Revert "884285: Needs to maintain loop for dbus calls" (alikins)
- Revert "1159266: rhsm-icon -i fails with "TypeError: 'NoneType' object has no attribute '__getitem__'""
- Revert "Send list of compliance reasons on dbus"

[root@jsefler-os7 ~]# rpm -q subscription-manager
subscription-manager-1.13.17-1.el7.x86_64

[root@jsefler-os7 ~]# mkdir /tmp/productcertdir
[root@jsefler-os7 ~]# cp /etc/pki/product/69.pem /tmp/productcertdir
[root@jsefler-os7 ~]# subscription-manager config --rhsm.productcertdir=/tmp/productcertdir
[root@jsefler-os7 ~]# subscription-manager config | grep certdir
   consumercertdir = [/etc/pki/consumer]
   entitlementcertdir = [/etc/pki/entitlement]
   productcertdir = /tmp/productcertdir
[root@jsefler-os7 ~]# subscription-manager register --username=testuser1 --password=password --org=admin
The system has been registered with ID: 38d8bed9-2aa3-481f-b91c-757d5a3be7ca 
[root@jsefler-os7 ~]# 
[root@jsefler-os7 ~]# 
[root@jsefler-os7 ~]# tail -f /var/log/rhsm/rhsm.log
2015-01-21 15:20:12,465 [DEBUG] subscription-manager @cert_sorter.py:194 - expired entitled products: []
2015-01-21 15:20:12,466 [DEBUG] subscription-manager @cert_sorter.py:195 - partially entitled products: []
2015-01-21 15:20:12,466 [DEBUG] subscription-manager @cert_sorter.py:196 - unentitled products: ['69']
2015-01-21 15:20:12,466 [DEBUG] subscription-manager @cert_sorter.py:197 - future products: []
2015-01-21 15:20:12,466 [DEBUG] subscription-manager @cert_sorter.py:198 - partial stacks: []
2015-01-21 15:20:12,466 [DEBUG] subscription-manager @cert_sorter.py:199 - entitlements valid until: None
2015-01-21 15:20:12,640 [INFO] rhsmd @rhsmd:226 - rhsmd started
2015-01-21 15:20:12,647 [INFO] rhsmd @rhsmd:181 - D-Bus interface com.redhat.SubscriptionManager.EntitlementStatus.update_status called with status = 1
2015-01-21 15:20:12,696 [DEBUG] rhsmd @identity.py:131 - Loading consumer info from identity certificates.
2015-01-21 15:20:12,701 [INFO] rhsmd @rhsmd:149 - D-Bus signal com.redhat.SubscriptionManager.EntitlementStatus.entitlement_status_changed emitted


VERIFIED: subscription-manager-1.13.17-1.el7.x86_64 WORKSFORME

Note You need to log in before you can comment on or make changes to this bug.