Bug 1209281 - [pki] pki-pkcs12-extract.sh fails with /dev/fd is not mounted
Summary: [pki] pki-pkcs12-extract.sh fails with /dev/fd is not mounted
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 3.5.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ovirt-3.6.0-rc
: 3.6.0
Assignee: Yaniv Kaul
QA Contact: Jiri Belka
URL:
Whiteboard:
Depends On:
Blocks: 1213288
TreeView+ depends on / blocked
 
Reported: 2015-04-07 00:01 UTC by Perry Clegg
Modified: 2019-07-16 11:59 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, the pki-pkcs12-extract.sh script relied on the existence of the /dev/fd directory. In Linux, this is normally symbolically linked to the /proc/self/fd directory, allowing processes to access its STDIN, STDOUT, etc as named files. If the /dev/fd directory did not exist, the script failed. This includes, for example, trying to run engine-setup during installation from a kickstart file. With this update, the script was updated to use the /proc/self/fd directly. Now the script only requires that the /proc direcory is mounted, and does not fail if the /dev/fd directory does not exist.
Clone Of:
: 1213288 (view as bug list)
Environment:
Last Closed: 2016-03-09 21:02:01 UTC
oVirt Team: Integration
ylavi: Triaged+


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:0376 normal SHIPPED_LIVE Red Hat Enterprise Virtualization Manager 3.6.0 2016-03-10 01:20:52 UTC
oVirt gerrit 39870 master MERGED pki: do not use /dev/fd Never
oVirt gerrit 40036 None None None Never
oVirt gerrit 40042 ovirt-engine-3.5 MERGED pki: do not use /dev/fd Never
oVirt gerrit 40082 master MERGED pki: backup only if file is not '-' Never
oVirt gerrit 40089 ovirt-engine-3.5 MERGED pki: backup only if file is not '-' Never

Description Perry Clegg 2015-04-07 00:01:17 UTC
Description of problem:

When kickstarting a RHEV system the following error occurs in the ovirt logs:

Traceback in ovirt-engine-setup-20150302232315-a4ccw1.log
~~~
2015-03-02 23:23:59 DEBUG otopi.context context._executeMethod:138 Stage misc METHOD otopi.plugins.ovirt_engine_setup.ovirt_engine.pki.ssh.Plugin._misc
2015-03-02 23:23:59 DEBUG otopi.plugins.ovirt_engine_setup.ovirt_engine.pki.ssh plugin.executeRaw:785 execute: ('/usr/share/ovirt-engine/bin/pki-pkcs12-extract.sh', '--name=engine', '--passin=**FILTERED**', '--key=-'), executable='None', cwd='None', env=None
2015-03-02 23:23:59 DEBUG otopi.plugins.ovirt_engine_setup.ovirt_engine.pki.ssh plugin.executeRaw:803 execute-result: ('/usr/share/ovirt-engine/bin/pki-pkcs12-extract.sh', '--name=engine', '--passin=**FILTERED**', '--key=-'), rc=1
2015-03-02 23:23:59 DEBUG otopi.context context._executeMethod:152 method exception
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/otopi/context.py", line 142, in _executeMethod
    method['method']()
  File "/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/ovirt-engine/pki/ssh.py", line 115, in _misc
    logStreams=False,
  File "/usr/lib/python2.6/site-packages/otopi/plugin.py", line 871, in execute
    command=args[0],
RuntimeError: Command '/usr/share/ovirt-engine/bin/pki-pkcs12-extract.sh' failed to execute
2015-03-02 23:23:59 ERROR otopi.context context._executeMethod:161 Failed to execute stage 'Misc configuration': Command '/usr/share/ovirt-engine/bin/pki-pkcs12-extract.sh' failed to execute
2015-03-02 23:23:59 DEBUG otopi.transaction transaction.abort:131 aborting 'Yum Transaction'
~~~


Version-Release number of selected component (if applicable): RHEV 5.6


How reproducible: Very reproducible, Roman Hodain  reproduced the issue with extra logging adding:

   #/bin/sh -x
   exec &>/root/pki.out

to /usr/share/ovirt-engine/bin/pki-pkcs12-extract.sh and reproducing the issue. The openssl complains about /dev/fd/1 which is not available during the installation:

/root/pki.out:
   openssl pkcs12 -in /etc/pki/ovirt-engine/keys/engine.p12 -passin pass:mypass -passout pass: -nocerts -out /dev/fd/1 -nodes
   Error opening output file /dev/fd/1
   /dev/fd/1: No such file or directory

To fix the issue:

As it turns out the device is missing during the installation. A workaround can be achieve by adding the following in the post script of the kickstart:

    mkdir /dev/fd
    ln -s /proc/self/fd/0 /dev/fd/0
    ln -s /proc/self/fd/1 /dev/fd/1

Related code:
=========================================================================
/usr/share/ovirt-engine/bin/pki-pkcs12-extract.sh:

        if [ "${key}" = - ]; then
                key=/dev/fd/1
        else
                touch "${key}"
                chmod go-rwx "${key}" || die "Cannot set key permissions"
        fi

        openssl \
                pkcs12 \
                -in "${pkcs12}" \
                -passin "pass:${passin}" \
                -passout "pass:${passout}" \
                -nocerts \
                -out "${key}" \
                ${extra_args} \
                || die "Cannot create key"

        return 0
=========================================================================

All credit for reproducing and solving the issue goes to: Roman.Hodain++

Comment 1 Alon Bar-Lev 2015-04-15 11:34:09 UTC
this utility should not have been added, bug#1133421.

anyway, fixed.

Comment 4 Jiri Belka 2015-05-26 09:50:23 UTC
ok, ovirt-engine-backend-3.6.0-0.0.master.20150519172219.git9a2e2b3.el6.noarch

verification based on https://bugzilla.redhat.com/show_bug.cgi?id=1213288#c1

Comment 8 errata-xmlrpc 2016-03-09 21:02:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0376.html


Note You need to log in before you can comment on or make changes to this bug.