Bug 1211305 - sync of imported repositories fails with permission denied
Status: CLOSED CURRENTRELEASE
Product: Red Hat Satellite
Classification: Red Hat
Component: Docs Transition Guide
Version: Nightly
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: Unspecified
Assignee: David O'Brien
QA Contact: Brian Bouterse
Reported: 2015-04-13 14:48 UTC by Tomas Lestach
Modified: 2019-09-25 20:35 UTC

Doc Type: Bug Fix
Last Closed: 2015-09-03 00:10:40 UTC

Description Tomas Lestach 2015-04-13 14:48:58 UTC
Description of problem:
Try to transition objects from Satellite 5 to Satellite 6 according to
https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.0/html/Transition_Guide/sect-Red_Hat_Satellite-Transition_Guide-Transferring_Exports_to_Satellite_6.html
The import of content views
3.7.5. Transitioning Custom and Cloned Channels to Content Views
fails with: [Errno 13] Permission denied:


Version-Release number of selected component (if applicable):
sat6-Satellite-6.1.0-RHEL-7-20150409.0-Satellite-x86_64-dvd1.iso
foreman-selinux-1.7.2.13-1.el7sat.noarch

How reproducible:
always

Steps to Reproduce:
1. Proceed with the transition of Sat5 data to Sat6 according to the docs.
Just make sure you have at least one custom rpm on Sat5 that you're going to transition to Sat6; that means your transition data contains at least one rpm in path:
exports/CHANNELS/*/*/*.rpm
2. # hammer import content-view --verbose --csv-file=exports/CHANNELS/export.csv --synchronize

Actual results:
* click on WebUI - Products - Local-repositories - Tasks
- details of the task show:
[Errno 13] Permission denied: u'///tmp/exports/CHANNELS/1/108/repodata/repomd.xml'
* WebUI Sync Status - Local-repositories show: 'Sync Incomplete' with output:
[Errno 13] Permission denied: [Errno 13] Permission denied: u'///tmp/exports/CHANNELS/1/108/repodata/repomd.xml'

Whole task information:
Id: 9e82233a-dc09-415d-bd1a-b88fe6690511
Label: Actions::Katello::Repository::Sync
Name: Synchronize
Owner: admin
Started at: 2015-04-13 14:01:46 UTC
Ended at: 2015-04-13 14:01:52 UTC
State: stopped
Result: warning
Params: repository 'Local repository for zsh-channel'; product 'Local-repositories'; organization 'RED HAT SATELLITE ENGINEERING'
100.0% Complete 100%
Output:
[Errno 13] Permission denied: u'///tmp/exports/CHANNELS/1/108/repodata/repomd.xml'

/var/log/foreman/production.log shows:
2015-04-13 10:01:45 [W] Failed to send email notification satellite_sync_errata: No recipients found for Local repository for tml-channel sync report
2015-04-13 10:01:45 [I]   Rendered /opt/rh/ruby193/root/usr/share/gems/gems/katello-2.2.0.35/app/views/katello/api/v2/repositories/show.json.rabl within katello/api/v2/layouts/resource (110.7ms)
2015-04-13 10:01:45 [I] Completed 200 OK in 4532ms (Views: 108.4ms | ActiveRecord: 53.5ms)
2015-04-13 10:01:45 [I] Processing by Katello::Api::V2::RepositoriesController#show as application/json;version=2
2015-04-13 10:01:45 [I]   Parameters: {"api_version"=>"v2", "id"=>"24", "repository"=>{}}
2015-04-13 10:01:45 [I] Authorized user admin(Admin User)
2015-04-13 10:01:46 [I]   Rendered /opt/rh/ruby193/root/usr/share/gems/gems/katello-2.2.0.35/app/views/katello/api/v2/repositories/show.json.rabl within katello/api/v2/layouts/resource (592.9ms)
2015-04-13 10:01:46 [I] Completed 200 OK in 630ms (Views: 588.5ms | ActiveRecord: 11.6ms)
2015-04-13 10:01:46 [I] Processing by Katello::Api::V2::RepositoriesController#sync as application/json;version=2
2015-04-13 10:01:46 [I]   Parameters: {"api_version"=>"v2", "id"=>"24", "repository"=>{}}
2015-04-13 10:01:46 [I] Authorized user admin(Admin User)
2015-04-13 10:01:46 [I]   Rendered /opt/rh/ruby193/root/usr/share/gems/gems/katello-2.2.0.35/app/views/katello/api/v2/repositories/sync.json.rabl within katello/api/v2/layouts/resource (62.9ms)
2015-04-13 10:01:46 [I] Completed 202 Accepted in 362ms (Views: 62.6ms | ActiveRecord: 23.8ms)
2015-04-13 10:01:47 [I] Processing by Katello::Api::V2::RepositoriesController#show as application/json;version=2
2015-04-13 10:01:47 [I]   Parameters: {"api_version"=>"v2", "id"=>"24", "repository"=>{}}
2015-04-13 10:01:47 [I] Authorized user admin(Admin User)
2015-04-13 10:01:47 [I] Processing by Katello::Api::V2::RepositoriesController#sync_complete as JSON
2015-04-13 10:01:47 [I]   Parameters: {"call_report"=>"[FILTERED]", "event_type"=>"repo.sync.finish", "payload"=>{"importer_id"=>"yum_importer", "exception"=>nil, "repo_id"=>"RED_HAT_SATELLITE_ENGINEERING-Local-repositories-Local_repository_for_zsh-channel", "traceback"=>nil, "started"=>"2015-04-13T14:01:47Z", "_ns"=>"repo_sync_results", "completed"=>"2015-04-13T14:01:47Z", "importer_type_id"=>"yum_importer", "error_message"=>nil, "summary"=>{"content"=>{"state"=>"NOT_STARTED"}, "comps"=>{"state"=>"NOT_STARTED"}, "distribution"=>{"state"=>"NOT_STARTED"}, "errata"=>{"state"=>"NOT_STARTED"}, "metadata"=>{"state"=>"FAILED"}}, "added_count"=>0, "result"=>"failed", "updated_count"=>0, "details"=>{"content"=>{"size_total"=>0, "items_left"=>0, "items_total"=>0, "state"=>"NOT_STARTED", "size_left"=>0, "details"=>{"rpm_total"=>0, "rpm_done"=>0, "drpm_total"=>0, "drpm_done"=>0}, "error_details"=>[]}, "comps"=>{"state"=>"NOT_STARTED"}, "distribution"=>{"items_total"=>0, "state"=>"NOT_STARTED", "error_details"=>[], "items_left"=>0}, "errata"=>{"state"=>"NOT_STARTED"}, "metadata"=>{"state"=>"FAILED", "error"=>"[Errno 13] Permission denied: u'///tmp/exports/CHANNELS/1/108/repodata/repomd.xml'"}}, "id"=>"552bcc4bea349c92b9972ec4", "removed_count"=>0}, "token"=>"", "api_version"=>"v2", "repository"=>{}}
2015-04-13 10:01:47 [I] Sync_complete called for Local repository for zsh-channel, running after_sync.
2015-04-13 10:01:47 [I]   Rendered /opt/rh/ruby193/root/usr/share/gems/gems/katello-2.2.0.35/app/views/katello/api/v2/repositories/show.json.rabl within katello/api/v2/layouts/resource (175.2ms)
2015-04-13 10:01:47 [I] Completed 200 OK in 218ms (Views: 171.2ms | ActiveRecord: 15.5ms)
2015-04-13 10:01:47 [I] Completed 200 OK in 82ms (Views: 0.7ms | ActiveRecord: 3.8ms)
2015-04-13 10:01:47 [W] Polling failed, attempt no. 1, retrying in 0.5
2015-04-13 10:01:47 [W] PLP0000: Importer indicated a failed response (Katello::Errors::PulpError)

journalctl SYSLOG_IDENTIFIER=pulp says:
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37561]: pulp_rpm.plugins.importers.yum.sync:INFO: Downloading metadata from file:///tmp/exports/CHANNELS/1/108/.
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37561]: nectar.downloaders.local:ERROR: (37561-78688) [Errno 13] Permission denied: u'///tmp/exports/CHANNELS/1/108/repodata/repomd.xml'
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37561]: nectar.downloaders.local:ERROR: (37561-78688) Traceback (most recent call last):
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37561]: nectar.downloaders.local:ERROR: (37561-78688)   File "/usr/lib/python2.7/site-packages/nectar/downloaders/local.py", line 144, in _copy
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37561]: nectar.downloaders.local:ERROR: (37561-78688)     src_handle = open(src_path, 'rb')
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37561]: nectar.downloaders.local:ERROR: (37561-78688) IOError: [Errno 13] Permission denied: u'///tmp/exports/CHANNELS/1/108/repodata/repomd.xml'
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37561]: pulp_rpm.plugins.importers.yum.sync:ERROR: (37561-78688) sync failed
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37561]: pulp_rpm.plugins.importers.yum.sync:ERROR: (37561-78688) Traceback (most recent call last):
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37561]: pulp_rpm.plugins.importers.yum.sync:ERROR: (37561-78688)   File "/usr/lib/python2.7/site-packages/pulp_rpm/plugins/importers/yum/sync.py", line 104, in run
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37561]: pulp_rpm.plugins.importers.yum.sync:ERROR: (37561-78688)     metadata_files = self.get_metadata()
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37561]: pulp_rpm.plugins.importers.yum.sync:ERROR: (37561-78688)   File "/usr/lib/python2.7/site-packages/pulp_rpm/plugins/importers/yum/sync.py", line 198, in get_metadata
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37561]: pulp_rpm.plugins.importers.yum.sync:ERROR: (37561-78688)     raise FailedException(str(e))
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37561]: pulp_rpm.plugins.importers.yum.sync:ERROR: (37561-78688) FailedException: [Errno 13] Permission denied: u'///tmp/exports/CHANNELS/1/108/repodata/repomd.xml'
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37561]: pulp.server.event.http:INFO: (37561-78688) {'call_report': {u'exception': None, u'task_type': u'pulp.server.managers.repo.sync.sync', u'task_id': u'3e1d2456-5662-4972-9b3a-aea40500ab85', u'tags': [u'pulp:repository:RED_HAT_SATELLITE_ENGINEERING-Local-repositories-Local_repository_for_zsh-channel', u'pulp:action:sync'], u'finish_time': None, u'_ns': u'task_status', u'start_time': u'2015-04-13T14:01:47Z', u'traceback': None, u'spawned_tasks': [], u'progress_report': {u'yum_importer': {u'content': {u'size_total': 0, u'items_left': 0, u'items_total': 0, u'state': u'NOT_STARTED', u'size_left': 0, u'details': {u'rpm_total': 0, u'rpm_done': 0, u'drpm_total': 0, u'drpm_done': 0}, u'error_details': []}, u'comps': {u'state': u'NOT_STARTED'}, u'distribution': {u'items_total': 0, u'state': u'NOT_STARTED', u'error_details': [], u'items_left': 0}, u'errata': {u'state': u'NOT_STARTED'}, u'metadata': {u'state': u'FAILED', u'error': u"[Errno 13] Permission denied: u'///tmp/exports/CHANNELS/1/108/repodata/repomd.xml'"}}}, u'state': u'running', u'worker_name': u'reserved_resource_worker-0.eng.bos.redhat.com', u'result': None, u'error': None, u'_id': ObjectId('552bcc4b785ce3294e1c15f2'), u'id': u'552bcc4bea349c92a338aa74'}, 'event_type': 'repo.sync.finish', 'payload': {'importer_id': u'yum_importer', 'exception': None, 'repo_id': u'RED_HAT_SATELLITE_ENGINEERING-Local-repositories-Local_repository_for_zsh-channel', 'traceback': None, 'started': '2015-04-13T14:01:47Z', '_ns': u'repo_sync_results', 'completed': '2015-04-13T14:01:47Z', 'importer_type_id': u'yum_importer', 'error_message': None, 'summary': {'content': {'state': 'NOT_STARTED'}, 'comps': {'state': 'NOT_STARTED'}, 'distribution': {'state': 'NOT_STARTED'}, 'errata': {'state': 'NOT_STARTED'}, 'metadata': {'state': 'FAILED'}}, 'added_count': 0, 'result': 'failed', 'updated_count': 0, 'details': {'content': {'size_total': 0, 'items_left': 0, 'items_total': 0, 
'state': 'NOT_STARTED', 'size_left': 0, 'details': {'rpm_total': 0, 'rpm_done': 0, 'drpm_
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37561]: pulp.server.event.http:INFO: (37561-78688) total': 0, 'drpm_done': 0}, 'error_details': []}, 'comps': {'state': 'NOT_STARTED'}, 'distribution': {'items_total': 0, 'state': 'NOT_STARTED', 'error_details': [], 'items_left': 0}, 'errata': {'state': 'NOT_STARTED'}, 'metadata': {'state': 'FAILED', 'error': "[Errno 13] Permission denied: u'///tmp/exports/CHANNELS/1/108/repodata/repomd.xml'"}}, 'id': '552bcc4bea349c92b9972ec4', 'removed_count': 0}}
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37248]: celery.worker.job:ERROR: (37248-78688) Task pulp.server.managers.repo.sync.sync[3e1d2456-5662-4972-9b3a-aea40500ab85] raised unexpected: PulpExecutionException('Importer indicated a failed response',)
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37248]: celery.worker.job:ERROR: (37248-78688) Traceback (most recent call last):
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37248]: celery.worker.job:ERROR: (37248-78688)   File "/usr/lib/python2.7/site-packages/celery/app/trace.py", line 240, in trace_task
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37248]: celery.worker.job:ERROR: (37248-78688)     R = retval = fun(*args, **kwargs)
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37248]: celery.worker.job:ERROR: (37248-78688)   File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 328, in __call__
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37248]: celery.worker.job:ERROR: (37248-78688)     return super(Task, self).__call__(*args, **kwargs)
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37248]: celery.worker.job:ERROR: (37248-78688)   File "/usr/lib/python2.7/site-packages/celery/app/trace.py", line 437, in __protected_call__
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37248]: celery.worker.job:ERROR: (37248-78688)     return self.run(*args, **kwargs)
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37248]: celery.worker.job:ERROR: (37248-78688)   File "/usr/lib/python2.7/site-packages/pulp/server/managers/repo/sync.py", line 114, in sync
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37248]: celery.worker.job:ERROR: (37248-78688)     raise PulpExecutionException(_('Importer indicated a failed response'))
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37248]: celery.worker.job:ERROR: (37248-78688) PulpExecutionException: Importer indicated a failed response
Apr 13 10:01:47 gs-per720-01.rhts.eng.bos.redhat.com pulp[37248]: celery.worker.job:INFO: Task pulp.server.async.tasks._release_resource[b980358d-b185-47cd-9a65-59132ccf95af] succeeded in 0.0148130779999s: None
Apr 13 10:01:51 gs-per720-01.rhts.eng.bos.redhat.com pulp[37231]: celery.worker.strategy:INFO: Received task: pulp.server.async.tasks._queue_reserved_task[42f3f47f-25c3-4558-8c31-403ef91734a1]
Apr 13 10:01:51 gs-per720-01.rhts.eng.bos.redhat.com pulp[37248]: celery.worker.strategy:INFO: Received task: pulp.server.managers.consumer.applicability.regenerate_applicability_for_repos[b636cead-f2d3-4f44-bb4b-89abf6a6ca0d]
Apr 13 10:01:51 gs-per720-01.rhts.eng.bos.redhat.com pulp[37248]: celery.worker.strategy:INFO: Received task: pulp.server.async.tasks._release_resource[f92aca33-50f3-42ff-a9ad-1e88bf7a9934]
Apr 13 10:01:51 gs-per720-01.rhts.eng.bos.redhat.com pulp[37231]: celery.worker.job:INFO: Task pulp.server.async.tasks._queue_reserved_task[42f3f47f-25c3-4558-8c31-403ef91734a1] succeeded in 0.0408246360003s: None
Apr 13 10:01:51 gs-per720-01.rhts.eng.bos.redhat.com pulp[37248]: celery.worker.job:INFO: Task pulp.server.managers.consumer.applicability.regenerate_applicability_for_repos[b636cead-f2d3-4f44-bb4b-89abf6a6ca0d] succeeded in 0.0482850650005s: None



Expected results:
Successful sync and re-creation of content views

Additional info:
# grep denied /var/log/audit/audit.log 
# 
# getenforce 
Enforcing
# setenforce 0

Another synchronization triggered by the hammer import command succeeds:

# hammer import content-view --verbose --csv-file=exports/CHANNELS/export.csv --synchronize

WebUI (Sync Status) shows "Syncing Complete." with output: "New packages: 7 (35.5 MB)."

dontaudit rules?

# ll -Z /tmp/exports/CHANNELS/1/108/repodata/repomd.xml
-rwxr-x---. apache apache unconfined_u:object_r:user_tmp_t:s0 /tmp/exports/CHANNELS/1/108/repodata/repomd.xml

Comment 4 Tomas Lestach 2015-06-08 13:12:20 UTC
I was asked to run the part with 'semodule -DB'
So, permissive mode logs into /var/log/audit/audit.log:

type=AVC msg=audit(1433767462.332:1210): avc:  denied  { open } for  pid=11242 comm="celery" path="/tmp/exports/CHANNELS/1/109/repodata/repomd.xml" dev="dm-1" ino=204070166 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1433767462.332:1210): arch=c000003e syscall=2 success=yes exit=17 a0=3c1ac10 a1=0 a2=1b6 a3=2 items=0 ppid=11005 pid=11242 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="celery" exe="/usr/bin/python2.7" subj=system_u:system_r:celery_t:s0 key=(null)

Not sure if this is relevant, but when I delete the relevant local repository and product, I'm getting:

type=AVC msg=audit(1433768953.225:1234): avc:  denied  { read } for  pid=21646 comm="id" name="mls" dev="selinuxfs" ino=12 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1433768953.225:1234): avc:  denied  { open } for  pid=21646 comm="id" path="/sys/fs/selinux/mls" dev="selinuxfs" ino=12 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1433768953.225:1234): arch=c000003e syscall=2 success=yes exit=4 a0=7fff4af61400 a1=0 a2=7fff4af61413 a3=7fff4af61160 items=0 ppid=21643 pid=21646 auid=4294967295 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="id" exe="/usr/bin/id" subj=system_u:system_r:passenger_t:s0 key=(null)

Comment 6 Brian Bouterse 2015-06-09 15:37:18 UTC
TL;DR: whatever put the files in /tmp/exports/* needs to label them with the tmp_t security context.  You can use chcon to do it one time, or use `semanage fcontext` and then `restorecon` to set the files on a permanent basis. Perform the relabel and try the Sat6 operation again.

From the audit.log output in comment 4, the file Pulp is being denied on (/tmp/exports/CHANNELS/1/109/repodata/repomd.xml) carries the SELinux context user_tmp_t. Pulp is allowed to read from files with the context tmp_t [0] but is not allowed to read from user_tmp_t. user_tmp_t is the default type that is used for files created by a user_t process, in a directory with a tmp_t type. Whatever is creating this file is running in a process labeled with user_t.

The relevant upstream Pulp policy
[0]: https://github.com/pulp/pulp/blob/2.6-release/server/selinux/server/pulp-celery.te#L40
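
The reading of audit.log described in comment 6, as an added example (not part of the bug report and not Pulp code): a small Python parser that extracts the source domain, target type and path from AVC records and lists the objects a given domain was denied on because they do not carry the expected type. The function names are assumptions of this example; the two sample records are copied from comment 4.

```python
import re
from collections import namedtuple

Denial = namedtuple("Denial", "perms comm obj source_type target_type tclass")

# Matches "avc:  denied  { open } for  pid=... key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
# key=value pairs; a value may be double-quoted (paths can contain spaces)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type:level context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one audit.log line into a Denial; None if it is not an AVC denial."""
    if not line.startswith("type=AVC"):
        return None
    match = AVC_RE.search(line)
    if match is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group(2))}
    return Denial(
        perms=tuple(match.group(1).split()),
        comm=fields.get("comm"),
        obj=fields.get("path") or fields.get("name"),
        source_type=selinux_type(fields.get("scontext", "")),
        target_type=selinux_type(fields.get("tcontext", "")),
        tclass=fields.get("tclass"),
    )

def mislabeled_for(lines, domain, allowed_type):
    """(object, type) pairs `domain` was denied on whose type != allowed_type."""
    found = []
    for line in lines:
        d = parse_avc(line.strip())
        if d and d.source_type == domain and d.target_type != allowed_type:
            if (d.obj, d.target_type) not in found:
                found.append((d.obj, d.target_type))
    return found

# Two AVC records copied from comment 4 of this bug (not constructed).
SAMPLE = [
    'type=AVC msg=audit(1433767462.332:1210): avc:  denied  { open } for  '
    'pid=11242 comm="celery" path="/tmp/exports/CHANNELS/1/109/repodata/repomd.xml" '
    'dev="dm-1" ino=204070166 scontext=system_u:system_r:celery_t:s0 '
    'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1433768953.225:1234): avc:  denied  { open } for  '
    'pid=21646 comm="id" path="/sys/fs/selinux/mls" dev="selinuxfs" ino=12 '
    'scontext=system_u:system_r:passenger_t:s0 '
    'tcontext=system_u:object_r:security_t:s0 tclass=file',
]

if __name__ == "__main__":
    for obj, label in mislabeled_for(SAMPLE, "celery_t", "tmp_t"):
        print("%s is labeled %s, not tmp_t" % (obj, label))
```

Filtering on the celery_t domain keeps only the repomd.xml record; the passenger_t record is parsed but not reported for that domain.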

Comment 7 Tomas Lestach 2015-06-10 09:29:24 UTC
Brian, you somehow need to say it to the customers.
The thing is - when I follow the official documentation, I end up with 'Permission denied.'
As this is a regression against Sat6.0, you:
* either need to allow syncing repositories labeled with user_tmp_t
* or to ensure the online documentation gets properly updated with the proper chcon command

Comment 8 Mike McCune 2015-06-10 14:19:44 UTC
Moving to a docs bug to detail that we need to indicate the user has to set the SELinux context properly so Pulp can sync the content.

Comment 9 RHEL Program Management 2015-06-10 14:33:04 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 11 Brian Bouterse 2015-06-10 17:34:21 UTC
I think the docs should say something like:


==========================

If SELinux is enabled, ensure the tmp_t SELinux file context is applied to the /tmp/exports/ directory. If necessary, apply the label manually:

sudo chcon -R system_u:object_r:tmp_t:s0 /tmp/exports/

==========================


I verified that command will set the expected label but someone should retry the operation that failed to ensure that it does resolve the issue. That is a step in addition to the documentation add/verify.

Comment 12 Tomas Lestach 2015-06-11 14:20:38 UTC
I confirm that recursively setting the SELinux context of /tmp/exports/ according to Comment#11 allows Pulp to sync from this directory.

