Bug 1261530 - /etc/opendnssec is not writeable by ods-ksmutil running under ods user
/etc/opendnssec is not writeable by ods-ksmutil running under ods user
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: opendnssec (Show other bugs)
7.2
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Paul Wouters
Namita Soman
: TestBlocker
Depends On:
Blocks: 1115294
  Show dependency treegraph
 
Reported: 2015-09-09 10:23 EDT by Kaleem
Modified: 2015-11-19 05:20 EST (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-19 05:20:18 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
console output with verification steps (5.66 KB, text/plain)
2015-09-14 07:59 EDT, Kaleem
no flags Details

  None (edit)
Description Kaleem 2015-09-09 10:23:28 EDT
Description of problem:
Following crash seen when adding a dnszone with --dnssec=true option.


Sep  9 16:58:13 dhcp207-20 ipa-dnskeysyncd: ipa.ipapython.dnssec.odsmgr.ODSMgr: INFO     Zones removed from LDAP: []
Sep  9 16:58:13 dhcp207-20 ipa-dnskeysyncd: ipa.ipapython.dnssec.odsmgr.ODSMgr: INFO     Zones added to LDAP: [('d4103682-56e5-11e5-9989-c99194724b35', <DNS name dnssec.test.>)]
Sep  9 16:58:13 dhcp207-20 named-pkcs11[15547]: zone dnssec.test/IN (signed): loaded serial 1441798093
Sep  9 16:58:13 dhcp207-20 named-pkcs11[15547]: zone dnssec.test/IN (signed): receive_secure_serial: unchanged
Sep  9 16:58:13 dhcp207-20 named-pkcs11[15547]: zone dnssec.test/IN (signed): reconfiguring zone keys
Sep  9 16:58:13 dhcp207-20 named-pkcs11[15547]: zone dnssec.test/IN (signed): next key event: 09-Sep-2015 17:58:13.365
Sep  9 16:58:13 dhcp207-20 python2: detected unhandled Python exception in '/usr/libexec/ipa/ipa-dnskeysyncd'
Sep  9 16:58:14 dhcp207-20 named-pkcs11[15547]: zone dnssec.test/IN (signed): serial 1441798094 (unsigned 1441798094)
Sep  9 16:58:14 dhcp207-20 named-pkcs11[15547]: zone dnssec.test/IN (signed): could not get zone keys for secure dynamic update
Sep  9 16:58:14 dhcp207-20 named-pkcs11[15547]: zone dnssec.test/IN (signed): receive_secure_serial: not found
Sep  9 16:58:17 dhcp207-20 dbus[568]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Sep  9 16:58:17 dhcp207-20 dbus-daemon: dbus[568]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Sep  9 16:58:17 dhcp207-20 dbus[568]: [system] Successfully activated service 'org.freedesktop.problems'
Sep  9 16:58:17 dhcp207-20 dbus-daemon: dbus[568]: [system] Successfully activated service 'org.freedesktop.problems'
Sep  9 16:58:17 dhcp207-20 abrt-server: Email address of sender was not specified. Would you like to do so now? If not, 'user@localhost' is to be used [y/N] 
Sep  9 16:58:17 dhcp207-20 abrt-server: Email address of receiver was not specified. Would you like to do so now? If not, 'root@localhost' is to be used [y/N] 
Sep  9 16:58:17 dhcp207-20 abrt-server: Sending an email...
Sep  9 16:58:17 dhcp207-20 abrt-server: Executing: /bin/mailx -s [abrt] full crash report -r user@localhost root@localhost
Sep  9 16:58:17 dhcp207-20 abrt-server: Email was sent to: root@localhost
Sep  9 16:58:17 dhcp207-20 ipa-dnskeysyncd: Traceback (most recent call last):
Sep  9 16:58:17 dhcp207-20 ipa-dnskeysyncd: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 112, in <module>
Sep  9 16:58:17 dhcp207-20 ipa-dnskeysyncd: while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
Sep  9 16:58:17 dhcp207-20 ipa-dnskeysyncd: File "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 376, in syncrepl_poll
Sep  9 16:58:17 dhcp207-20 ipa-dnskeysyncd: self.syncrepl_entry(dn, attrs, c.entryUUID)
Sep  9 16:58:17 dhcp207-20 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/syncrepl.py", line 77, in syncrepl_entry
Sep  9 16:58:17 dhcp207-20 ipa-dnskeysyncd: self.application_add(uuid, dn, attributes)
Sep  9 16:58:17 dhcp207-20 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", line 70, in application_add
Sep  9 16:58:17 dhcp207-20 ipa-dnskeysyncd: self.zone_add(uuid, dn, newattrs)
Sep  9 16:58:17 dhcp207-20 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", line 146, in zone_add
Sep  9 16:58:17 dhcp207-20 ipa-dnskeysyncd: self.ods_sync()
Sep  9 16:58:17 dhcp207-20 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", line 161, in ods_sync
Sep  9 16:58:17 dhcp207-20 ipa-dnskeysyncd: self.odsmgr.sync()
Sep  9 16:58:17 dhcp207-20 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/odsmgr.py", line 181, in sync
Sep  9 16:58:17 dhcp207-20 ipa-dnskeysyncd: self.add_ods_zone(uuid, name)
Sep  9 16:58:17 dhcp207-20 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/odsmgr.py", line 141, in add_ods_zone
Sep  9 16:58:17 dhcp207-20 ipa-dnskeysyncd: output = self.ksmutil(cmd)
Sep  9 16:58:17 dhcp207-20 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/odsmgr.py", line 131, in ksmutil
Sep  9 16:58:17 dhcp207-20 ipa-dnskeysyncd: return ipautil.run(cmd)[0]
Sep  9 16:58:17 dhcp207-20 ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 373, in run
Sep  9 16:58:17 dhcp207-20 ipa-dnskeysyncd: raise CalledProcessError(p.returncode, arg_string, stdout)
Sep  9 16:58:17 dhcp207-20 ipa-dnskeysyncd: subprocess.CalledProcessError: Command ''ods-ksmutil' 'zone' 'add' '--zone' 'dnssec.test.' '--input' '/var/lib/ipa/dns/zone/entryUUID/d4103682-56e5-11e5-9989-c99194724b35'' returned non-zero exit status 1
Sep  9 16:58:17 dhcp207-20 systemd: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE
Sep  9 16:58:17 dhcp207-20 systemd: Unit ipa-dnskeysyncd.service entered failed state.
Sep  9 16:58:17 dhcp207-20 systemd: ipa-dnskeysyncd.service failed.


Version-Release number of selected component (if applicable):
[root@dhcp207-20 ~]# rpm -q ipa-server
ipa-server-4.2.0-9.el7.x86_64
[root@dhcp207-20 ~]#

How reproducible:
Always

Steps to Reproduce:
1. Install IPA Server
2. Install DNSSEC master
3. Add a dnszone with --dnssec=true

Actual results:
Crash of ipa-dnskeysyncd seen

Expected results:
No crash of ipa-dnskeysyncd seen
Comment 1 Martin Bašti 2015-09-09 10:25:18 EDT
there is missing write permission for group on /etc/opendnssec directory.
Comment 3 Petr Spacek 2015-09-09 11:02:53 EDT
The daemon fails when executing external command under user ods:

Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa         : DEBUG    Starting external process
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa         : DEBUG    args='ods-ksmutil' 'zonelist' 'export'
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa         : DEBUG    Process finished, return code=0
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa         : DEBUG    stdout=<?xml version="1.0"?>
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: <ZoneList/>
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa         : DEBUG    stderr=
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG    ODS zones: {}
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa.ipapython.dnssec.odsmgr.ODSMgr: INFO     Zones removed from LDAP: []
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa.ipapython.dnssec.odsmgr.ODSMgr: INFO     Zones added to LDAP: [('83510b83-56ee-11e
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa         : DEBUG    Starting external process
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa         : DEBUG    args='ods-ksmutil' 'zone' 'add' '--zone' 'dnssec.test.' '--inpu
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa         : DEBUG    Process finished, return code=1
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ipa         : DEBUG    stdout=WARNING: The input file /var/lib/ipa/dns/zone/entryUUID/
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: zonelist filename set to /etc/opendnssec/zonelist.xml.
Sep 09 18:00:32 dhcp207-20.testrelm.test ipa-dnskeysyncd[6569]: ERROR: The backup file /etc/opendnssec/zonelist.xml.backup can not be written.


The difference between Fedora and RHEL spec is this:
-%attr(0770,root,ods) %dir %{_sysconfdir}/opendnssec
+%attr(0750,root,ods) %dir %{_sysconfdir}/opendnssec

I.e. the filesystem permissions prevent the daemon running under ods user from writting to the directory.

This has to be fixed in opendnssec package.
Comment 4 Petr Spacek 2015-09-10 07:34:29 EDT
This bug has to be fixed otherwise the DNSSEC signing feature in FreeIPA will not work at all. Paul, can you get dev_ack for it?
Comment 6 Paul Wouters 2015-09-10 11:44:57 EDT
confirmed
Comment 8 Kaleem 2015-09-14 07:59:18 EDT
Created attachment 1073204 [details]
console output with verification steps

Verified.

opendnssec version:
===================
[root@dhcp207-115 ~]# rpm -q ipa-server opendnssec
ipa-server-4.2.0-9.el7.x86_64
opendnssec-1.4.7-3.el7.x86_64
[root@dhcp207-115 ~]# 

Please find the attached console output for verification steps.
Comment 10 errata-xmlrpc 2015-11-19 05:20:18 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2303.html

Note You need to log in before you can comment on or make changes to this bug.