Description of problem:
Try to transition objects from Satellite 5 to Satellite 6 according to the https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.0/html/Transition_Guide/sect-Red_Hat_Satellite-Transition_Guide-Transferring_Exports_to_Satellite_6.html
The import of content-views 3.7.5. Transitioning Custom and Cloned Channels to Content Views fails with:
[Errno 13] Permission denied:

Version-Release number of selected component (if applicable):
sat6-Satellite-6.1.0-RHEL-7-20150409.0-Satellite-x86_64-dvd1.iso
foreman-selinux-1.7.2.13-1.el7sat.noarch

How reproducible:
always

Steps to Reproduce:
1. proceed transition Sat5 data to Sat6 according to the docs
   Just make sure you have at least one custom rpm on Sat5 you're going to transition to Sat6, that means your transition data contains at least one rpm in path: exports/CHANNELS/*/*/*.rpm
2. # hammer import content-view --verbose --csv-file=exports/CHANNELS/export.csv --synchronize

Actual results:
* click on WebUI - Products - Local-repositories - Tasks - details of the task show:
[Errno 13] Permission denied: u'///tmp/exports/CHANNELS/1/108/repodata/repomd.xml'
* WebUI Sync Status - Local-repositories show: 'Sync Incomplete' with output:
[Errno 13] Permission denied: [Errno 13] Permission denied: u'///tmp/exports/CHANNELS/1/108/repodata/repomd.xml'

Whole task information:
Id: 9e82233a-dc09-415d-bd1a-b88fe6690511
Label: Actions::Katello::Repository::Sync
Name: Synchronize
Owner: admin
Started at: 2015-04-13 14:01:46 UTC
Ended at: 2015-04-13 14:01:52 UTC
State: stopped
Result: warning
Params: repository 'Local repository for zsh-channel'; product 'Local-repositories'; organization 'RED HAT SATELLITE ENGINEERING'
100.0% Complete 100%
Output: [Errno 13] Permission denied: u'///tmp/exports/CHANNELS/1/108/repodata/repomd.xml'

/var/log/foreman/production.log shows:
2015-04-13 10:01:45 [W] Failed to send email notification satellite_sync_errata: No recipients found for Local repository for tml-channel sync
report
2015-04-13 10:01:45 [I] Rendered /opt/rh/ruby193/root/usr/share/gems/gems/katello-2.2.0.35/app/views/katello/api/v2/repositories/show.json.rabl within katello/api/v2/layouts/resource (110.7ms)
2015-04-13 10:01:45 [I] Completed 200 OK in 4532ms (Views: 108.4ms | ActiveRecord: 53.5ms)
2015-04-13 10:01:45 [I] Processing by Katello::Api::V2::RepositoriesController#show as application/json;version=2
2015-04-13 10:01:45 [I] Parameters: {"api_version"=>"v2", "id"=>"24", "repository"=>{}}
2015-04-13 10:01:45 [I] Authorized user admin(Admin User)
2015-04-13 10:01:46 [I] Rendered /opt/rh/ruby193/root/usr/share/gems/gems/katello-2.2.0.35/app/views/katello/api/v2/repositories/show.json.rabl within katello/api/v2/layouts/resource (592.9ms)
2015-04-13 10:01:46 [I] Completed 200 OK in 630ms (Views: 588.5ms | ActiveRecord: 11.6ms)
2015-04-13 10:01:46 [I] Processing by Katello::Api::V2::RepositoriesController#sync as application/json;version=2
2015-04-13 10:01:46 [I] Parameters: {"api_version"=>"v2", "id"=>"24", "repository"=>{}}
2015-04-13 10:01:46 [I] Authorized user admin(Admin User)
2015-04-13 10:01:46 [I] Rendered /opt/rh/ruby193/root/usr/share/gems/gems/katello-2.2.0.35/app/views/katello/api/v2/repositories/sync.json.rabl within katello/api/v2/layouts/resource (62.9ms)
2015-04-13 10:01:46 [I] Completed 202 Accepted in 362ms (Views: 62.6ms | ActiveRecord: 23.8ms)
2015-04-13 10:01:47 [I] Processing by Katello::Api::V2::RepositoriesController#show as application/json;version=2
2015-04-13 10:01:47 [I] Parameters: {"api_version"=>"v2", "id"=>"24", "repository"=>{}}
2015-04-13 10:01:47 [I] Authorized user admin(Admin User)
2015-04-13 10:01:47 [I] Processing by Katello::Api::V2::RepositoriesController#sync_complete as JSON
2015-04-13 10:01:47 [I] Parameters: {"call_report"=>"[FILTERED]", "event_type"=>"repo.sync.finish", "payload"=>{"importer_id"=>"yum_importer", "exception"=>nil, "repo_id"=>"RED_HAT_SATELLITE_ENGINEERING-Local-repositories-Local_repository_for_zsh-channel", "traceback"=>nil, "started"=>"2015-04-13T14:01:47Z", "_ns"=>"repo_sync_results", "completed"=>"2015-04-13T14:01:47Z", "importer_type_id"=>"yum_importer", "error_message"=>nil, "summary"=>{"content"=>{"state"=>"NOT_STARTED"}, "comps"=>{"state"=>"NOT_STARTED"}, "distribution"=>{"state"=>"NOT_STARTED"}, "errata"=>{"state"=>"NOT_STARTED"}, "metadata"=>{"state"=>"FAILED"}}, "added_count"=>0, "result"=>"failed", "updated_count"=>0, "details"=>{"content"=>{"size_total"=>0, "items_left"=>0, "items_total"=>0, "state"=>"NOT_STARTED", "size_left"=>0, "details"=>{"rpm_total"=>0, "rpm_done"=>0, "drpm_total"=>0, "drpm_done"=>0}, "error_details"=>[]}, "comps"=>{"state"=>"NOT_STARTED"}, "distribution"=>{"items_total"=>0, "state"=>"NOT_STARTED", "error_details"=>[], "items_left"=>0}, "errata"=>{"state"=>"NOT_STARTED"}, "metadata"=>{"state"=>"FAILED", "error"=>"[Errno 13] Permission denied: u'///tmp/exports/CHANNELS/1/108/repodata/repomd.xml'"}}, "id"=>"552bcc4bea349c92b9972ec4", "removed_count"=>0}, "token"=>"", "api_version"=>"v2", "repository"=>{}}
2015-04-13 10:01:47 [I] Sync_complete called for Local repository for zsh-channel, running after_sync.
2015-04-13 10:01:47 [I] Rendered /opt/rh/ruby193/root/usr/share/gems/gems/katello-2.2.0.35/app/views/katello/api/v2/repositories/show.json.rabl within katello/api/v2/layouts/resource (175.2ms)
2015-04-13 10:01:47 [I] Completed 200 OK in 218ms (Views: 171.2ms | ActiveRecord: 15.5ms)
2015-04-13 10:01:47 [I] Completed 200 OK in 82ms (Views: 0.7ms | ActiveRecord: 3.8ms)
2015-04-13 10:01:47 [W] Polling failed, attempt no. 1, retrying in 0.5
2015-04-13 10:01:47 [W] PLP0000: Importer indicated a failed response (Katello::Errors::PulpError)

journalctl SYSLOG_IDENTIFIER=pulp says:
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37561]: pulp_rpm.plugins.importers.yum.sync:INFO: Downloading metadata from file:///tmp/exports/CHANNELS/1/108/.
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37561]: nectar.downloaders.local:ERROR: (37561-78688) [Errno 13] Permission denied: u'///tmp/exports/CHANNELS/1/108/repodata/repomd.xml'
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37561]: nectar.downloaders.local:ERROR: (37561-78688) Traceback (most recent call last):
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37561]: nectar.downloaders.local:ERROR: (37561-78688) File "/usr/lib/python2.7/site-packages/nectar/downloaders/local.py", line 144, in _copy
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37561]: nectar.downloaders.local:ERROR: (37561-78688) src_handle = open(src_path, 'rb')
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37561]: nectar.downloaders.local:ERROR: (37561-78688) IOError: [Errno 13] Permission denied: u'///tmp/exports/CHANNELS/1/108/repodata/repomd.xml'
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37561]: pulp_rpm.plugins.importers.yum.sync:ERROR: (37561-78688) sync failed
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37561]: pulp_rpm.plugins.importers.yum.sync:ERROR: (37561-78688) Traceback (most recent call last):
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37561]: pulp_rpm.plugins.importers.yum.sync:ERROR: (37561-78688) File "/usr/lib/python2.7/site-packages/pulp_rpm/plugins/importers/yum/sync.py", line 104, in run
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37561]: pulp_rpm.plugins.importers.yum.sync:ERROR: (37561-78688) metadata_files = self.get_metadata()
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37561]: pulp_rpm.plugins.importers.yum.sync:ERROR: (37561-78688) File "/usr/lib/python2.7/site-packages/pulp_rpm/plugins/importers/yum/sync.py", line 198, in get_metadata
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37561]: pulp_rpm.plugins.importers.yum.sync:ERROR: (37561-78688) raise FailedException(str(e))
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37561]: pulp_rpm.plugins.importers.yum.sync:ERROR: (37561-78688) FailedException: [Errno 13] Permission denied: u'///tmp/exports/CHANNELS/1/108/repodata/repomd.xml'
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37561]: pulp.server.event.http:INFO: (37561-78688) {'call_report': {u'exception': None, u'task_type': u'pulp.server.managers.repo.sync.sync', u'task_id': u'3e1d2456-5662-4972-9b3a-aea40500ab85', u'tags': [u'pulp:repository:RED_HAT_SATELLITE_ENGINEERING-Local-repositories-Local_repository_for_zsh-channel', u'pulp:action:sync'], u'finish_time': None, u'_ns': u'task_status', u'start_time': u'2015-04-13T14:01:47Z', u'traceback': None, u'spawned_tasks': [], u'progress_report': {u'yum_importer': {u'content': {u'size_total': 0, u'items_left': 0, u'items_total': 0, u'state': u'NOT_STARTED', u'size_left': 0, u'details': {u'rpm_total': 0, u'rpm_done': 0, u'drpm_total': 0, u'drpm_done': 0}, u'error_details': []}, u'comps': {u'state': u'NOT_STARTED'}, u'distribution': {u'items_total': 0, u'state': u'NOT_STARTED', u'error_details': [], u'items_left': 0}, u'errata': {u'state': u'NOT_STARTED'}, u'metadata': {u'state': u'FAILED', u'error': u"[Errno 13] Permission denied: u'///tmp/exports/CHANNELS/1/108/repodata/repomd.xml'"}}}, u'state': u'running', u'worker_name': u'reserved_resource_worker-0.eng.bos.redhat.com', u'result': None, u'error': None, u'_id': ObjectId('552bcc4b785ce3294e1c15f2'), u'id': u'552bcc4bea349c92a338aa74'}, 'event_type': 'repo.sync.finish', 'payload': {'importer_id': u'yum_importer', 'exception': None, 'repo_id': u'RED_HAT_SATELLITE_ENGINEERING-Local-repositories-Local_repository_for_zsh-channel', 'traceback': None, 'started': '2015-04-13T14:01:47Z', '_ns': u'repo_sync_results', 'completed': '2015-04-13T14:01:47Z', 'importer_type_id': u'yum_importer', 'error_message': None, 'summary': {'content': {'state': 'NOT_STARTED'}, 'comps': {'state': 'NOT_STARTED'}, 'distribution': {'state': 'NOT_STARTED'}, 'errata': {'state': 'NOT_STARTED'}, 'metadata': {'state': 'FAILED'}}, 'added_count': 0, 'result': 'failed', 'updated_count': 0, 'details': {'content': {'size_total': 0, 'items_left': 0, 'items_total': 0, 'state': 'NOT_STARTED', 'size_left': 0, 'details': {'rpm_total': 0, 'rpm_done': 0, 'drpm_
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37561]: pulp.server.event.http:INFO: (37561-78688) total': 0, 'drpm_done': 0}, 'error_details': []}, 'comps': {'state': 'NOT_STARTED'}, 'distribution': {'items_total': 0, 'state': 'NOT_STARTED', 'error_details': [], 'items_left': 0}, 'errata': {'state': 'NOT_STARTED'}, 'metadata': {'state': 'FAILED', 'error': "[Errno 13] Permission denied: u'///tmp/exports/CHANNELS/1/108/repodata/repomd.xml'"}}, 'id': '552bcc4bea349c92b9972ec4', 'removed_count': 0}}
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37248]: celery.worker.job:ERROR: (37248-78688) Task pulp.server.managers.repo.sync.sync[3e1d2456-5662-4972-9b3a-aea40500ab85] raised unexpected: PulpExecutionException('Importer indicated a failed response',)
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37248]: celery.worker.job:ERROR: (37248-78688) Traceback (most recent call last):
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37248]: celery.worker.job:ERROR: (37248-78688) File "/usr/lib/python2.7/site-packages/celery/app/trace.py", line 240, in trace_task
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37248]: celery.worker.job:ERROR: (37248-78688) R = retval = fun(*args, **kwargs)
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37248]: celery.worker.job:ERROR: (37248-78688) File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 328, in __call__
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37248]: celery.worker.job:ERROR: (37248-78688) return super(Task, self).__call__(*args, **kwargs)
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37248]: celery.worker.job:ERROR: (37248-78688) File "/usr/lib/python2.7/site-packages/celery/app/trace.py", line 437, in __protected_call__
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37248]: celery.worker.job:ERROR: (37248-78688) return self.run(*args, **kwargs)
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37248]: celery.worker.job:ERROR: (37248-78688) File "/usr/lib/python2.7/site-packages/pulp/server/managers/repo/sync.py", line 114, in sync
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37248]: celery.worker.job:ERROR: (37248-78688) raise PulpExecutionException(_('Importer indicated a failed response'))
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37248]: celery.worker.job:ERROR: (37248-78688) PulpExecutionException: Importer indicated a failed response
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37248]: celery.worker.job:INFO: Task pulp.server.async.tasks._release_resource[b980358d-b185-47cd-9a65-59132ccf95af] succeeded in 0.0148130779999s: None
Apr 13 10:01:51 gs-per720-01.rhts.eng.bos.redhat.com pulp[37231]: celery.worker.strategy:INFO: Received task: pulp.server.async.tasks._queue_reserved_task[42f3f47f-25c3-4558-8c31-403ef91734a1]
Apr 13 10:01:51 gs-per720-01.rhts.eng.bos.redhat.com pulp[37248]: celery.worker.strategy:INFO: Received task: pulp.server.managers.consumer.applicability.regenerate_applicability_for_repos[b636cead-f2d3-4f44-bb4b-89abf6a6ca0d]
Apr 13 10:01:51 gs-per720-01.rhts.eng.bos.redhat.com pulp[37248]: celery.worker.strategy:INFO: Received task: pulp.server.async.tasks._release_resource[f92aca33-50f3-42ff-a9ad-1e88bf7a9934]
Apr 13 10:01:51 gs-per720-01.rhts.eng.bos.redhat.com pulp[37231]: celery.worker.job:INFO: Task pulp.server.async.tasks._queue_reserved_task[42f3f47f-25c3-4558-8c31-403ef91734a1] succeeded in 0.0408246360003s: None
Apr 13 10:01:51 gs-per720-01.rhts.eng.bos.redhat.com pulp[37248]: celery.worker.job:INFO: Task
pulp.server.managers.consumer.applicability.regenerate_applicability_for_repos[b636cead-f2d3-4f44-bb4b-89abf6a6ca0d] succeeded in 0.0482850650005s: None

Expected results:
Successful sync and re-creation of content views

Additional info:
# grep denied /var/log/audit/audit.log
#
# getenforce
Enforcing
# setenforce 0

Another synchronization triggered by the hammer import command succeeds:
# hammer import content-view --verbose --csv-file=exports/CHANNELS/export.csv --synchronize
webUI (Sync Status) shows "Syncing Complete." with output "New packages: 7 (35.5 MB)."

dont audit rules?

# ll -Z /tmp/exports/CHANNELS/1/108/repodata/repomd.xml
-rwxr-x---. apache apache unconfined_u:object_r:user_tmp_t:s0 /tmp/exports/CHANNELS/1/108/repodata/repomd.xml
I was asked to run the part with 'semodule -DB'

So, permissive mode logs into /var/log/audit/audit.log:
type=AVC msg=audit(1433767462.332:1210): avc: denied { open } for pid=11242 comm="celery" path="/tmp/exports/CHANNELS/1/109/repodata/repomd.xml" dev="dm-1" ino=204070166 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1433767462.332:1210): arch=c000003e syscall=2 success=yes exit=17 a0=3c1ac10 a1=0 a2=1b6 a3=2 items=0 ppid=11005 pid=11242 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="celery" exe="/usr/bin/python2.7" subj=system_u:system_r:celery_t:s0 key=(null)

Not sure, if this is relevant, but, when I delete the relevant local repository and product, I'm getting:
type=AVC msg=audit(1433768953.225:1234): avc: denied { read } for pid=21646 comm="id" name="mls" dev="selinuxfs" ino=12 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1433768953.225:1234): avc: denied { open } for pid=21646 comm="id" path="/sys/fs/selinux/mls" dev="selinuxfs" ino=12 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1433768953.225:1234): arch=c000003e syscall=2 success=yes exit=4 a0=7fff4af61400 a1=0 a2=7fff4af61413 a3=7fff4af61160 items=0 ppid=21643 pid=21646 auid=4294967295 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="id" exe="/usr/bin/id" subj=system_u:system_r:passenger_t:s0 key=(null)
TL;DR: whatever put the files in /tmp/exports/* needs to label them with the tmp_t security context. You can use chcon to do it one time, or use `semanage fcontext` and then `restorecon` to set the files on a permanent basis. Perform the relabel and try the Sat6 operation again.

From the audit.log output in comment 4, the file Pulp is being denied on (/tmp/exports/CHANNELS/1/109/repodata/repomd.xml) carries the SELinux context user_tmp_t. Pulp is allowed to read from files with the context tmp_t [0] but is not allowed to read from user_tmp_t.

user_tmp_t is the default type that is used for files created by a user_t process, in a directory with a tmp_t type. Whatever is creating this file is running in a process labeled with user_t.

The relevant upstream Pulp policy [0]: https://github.com/pulp/pulp/blob/2.6-release/server/selinux/server/pulp-celery.te#L40
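
An added example, not part of the original comment: a shell triage helper that reduces AVC records like the ones quoted in this report to source type, target type, class, permission and object, lists the objects under a directory whose denial is explained by the user_tmp_t label, and prints (without running) the `semanage fcontext` / `restorecon` relabel the comment refers to. The function names and the shortened sample records are constructed for illustration; object paths are assumed to contain no spaces.

```shell
#!/usr/bin/env bash
# Added example (not from the bug report): triage SELinux AVC denials by type.

# Constructed sample: two AVC records quoted in this report plus one
# shortened SYSCALL record, which the parser must ignore.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1433767462.332:1210): avc: denied { open } for pid=11242 comm="celery" path="/tmp/exports/CHANNELS/1/109/repodata/repomd.xml" dev="dm-1" ino=204070166 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1433768953.225:1234): avc: denied { read } for pid=21646 comm="id" name="mls" dev="selinuxfs" ino=12 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1433767462.332:1210): arch=c000003e syscall=2 success=yes exit=17 comm="celery" exe="/usr/bin/python2.7"
EOF
}

# One line per denial: source_type target_type class perms object
avc_summary() {
  awk '
    $1 == "type=AVC" && /avc: +denied/ {
      perms = $0
      sub(/^.*[{] */, "", perms); sub(/ *[}].*$/, "", perms); gsub(/ /, ",", perms)
      obj = "-"; src = "?"; tgt = "?"; cls = "?"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^(path|name)=/) { obj = $i; sub(/^[a-z]+=/, "", obj); gsub(/"/, "", obj) }
        else if ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }
        else if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
        else if ($i ~ /^tclass=/) { cls = substr($i, 8) }
      }
      print src, tgt, cls, perms, obj
    }'
}

# Objects under ROOT whose denial is explained by the user_tmp_t label.
mislabelled_under() {
  awk -v root="$1" '$2 == "user_tmp_t" && index($5, root "/") == 1 { print $5 }'
}

# Print, but do not run, the persistent relabel to tmp_t for ROOT.
relabel_plan() {
  printf "semanage fcontext -a -t tmp_t '%s(/.*)?'\n" "$1"
  printf 'restorecon -Rv %s\n' "$1"
}

sample_avc | avc_summary
sample_avc | avc_summary | mislabelled_under /tmp/exports
relabel_plan /tmp/exports
```

On a live system, feed `avc_summary` from `grep denied /var/log/audit/audit.log`; after relabelling, `ls -Z` on the files should show tmp_t instead of user_tmp_t.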
Brian, you somehow need to say it to the customers. The thing is - when I follow the official documentation, I end up with 'Permission denied.'

As this is a regression against Sat6.0, you:
* either need to allow syncing repositories labeled with user_tmp_t
* or to ensure the online documentation gets properly updated with the proper chcon command
Moving to a docs bug to detail that we need to indicate the user has to set the SELinux context properly so Pulp can sync the content.
Since this issue was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.
I think the docs should say something like:

==========================
If SELinux is enabled, ensure the tmp_t SELinux file context is applied to the /tmp/exports/ directory. If necessary, apply the label manually:

sudo chcon -R system_u:object_r:tmp_t:s0 /tmp/exports/
==========================

I verified that command will set the expected label but someone should retry the operation that failed to ensure that it does resolve the issue. That is a step in addition to the documentation add/verify.
I confirm that recursively setting the SELinux context of /tmp/exports/ according to Comment#11 allows pulp to sync from this directory.