Description of problem:
After generating a client configuration RPM with a Red Hat repo (the HA for RHEL 7 repo in my test case) and installing it on a client, the following problem occurs:

# yum repolist
Loaded plugins: search-disabled-repos
Could not retrieve mirrorlist https://cds.example.com/pulp/mirror//content/dist/rhel/rhui/server/7/7Server/x86_64/highavailability/os error was
14: HTTPS Error 404 - Not Found
repo id                                                  repo name                                                    status
rhui-rhel-ha-for-rhel-7-server-rhui-rpms/7Server/x86_64  Red Hat Enterprise Linux High Availability (for RHEL 7 S     0
repolist: 0

The cds.example.com host is the HAProxy instance, which is set up to perform load balancing between cds01.example.com and cds02.example.com.

The following error message can be observed in /var/log/httpd/cds.example.com_access_ssl.log on both CDS instances after two attempts to run the yum command:

IP - - [DATE:TIME] "GET /pulp/mirror//content/dist/rhel/rhui/server/7/7Server/x86_64/highavailability/os HTTP/1.1" 404 277 "-" "urlgrabber/3.10 yum/3.4.3"

I might add that /etc/httpd/conf.d/25-cds.example.com.conf contains:

WSGIScriptAlias /pulp/mirror "/usr/share/pulp/wsgi/mirrorlist.wsgi"

But there's no such file as /usr/share/pulp/wsgi/mirrorlist.wsgi.

Also, in /var/log/httpd/cds.example.com_error_ssl.log, I see:

[DATE TIME] [:error] [pid PID] [client IP:PORT] Target WSGI script not found or unable to stat: /usr/share/pulp/wsgi/mirrorlist.wsgi

There's /srv/pulp/mirrorlist.wsgi, FWIW, but if I put that into the Apache conf file instead of the wrong (?) path, I get:

[DATE TIME] [core:error] [pid PID] (13)Permission denied: [client IP:PORT] AH00035: access to /pulp/mirror/content/dist/rhel/rhui/server/7/7Server/x86_64/highavailability/os denied (filesystem path '/srv/pulp/mirrorlist.wsgi') because search permissions are missing on a component of the path

FWIW #2, the path is comprised of directories owned by apache:apache with the following permissions:

# ll -d `find /var/lib/pulp/published/yum/https/repos/ | grep -v listing` | awk '{print $1 $9}'
drwxr-x---./var/lib/pulp/published/yum/https/repos/
drwxr-x---./var/lib/pulp/published/yum/https/repos/content
drwxr-x---./var/lib/pulp/published/yum/https/repos/content/dist
drwxr-x---./var/lib/pulp/published/yum/https/repos/content/dist/rhel
drwxr-x---./var/lib/pulp/published/yum/https/repos/content/dist/rhel/rhui
drwxr-x---./var/lib/pulp/published/yum/https/repos/content/dist/rhel/rhui/server
drwxr-x---./var/lib/pulp/published/yum/https/repos/content/dist/rhel/rhui/server/7
drwxr-x---./var/lib/pulp/published/yum/https/repos/content/dist/rhel/rhui/server/7/7Server
drwxr-x---./var/lib/pulp/published/yum/https/repos/content/dist/rhel/rhui/server/7/7Server/x86_64
drwxr-x---./var/lib/pulp/published/yum/https/repos/content/dist/rhel/rhui/server/7/7Server/x86_64/highavailability
lrwxrwxrwx./var/lib/pulp/published/yum/https/repos/content/dist/rhel/rhui/server/7/7Server/x86_64/highavailability/os

Version-Release number of selected component (if applicable):
RHUI-3.0-RHEL-7-20160830.n.0-RHUI-x86_64-dvd1.iso

How reproducible:
Always

Steps to Reproduce:
1. Prepare a set of machines: one RHUA, two CDS, and one HAProxy instance.
2. Run rhui-manager to upload an RH cert, add a repo, set up the loadbalancer and the two CDS machines, sync the repo.
3. Create a client configuration RPM and install it on yet another machine.
4. Run `yum repolist' on that machine, or any other yum command which communicates with configured repo servers.

Actual results:
Yum fails with the 404 error above.

Expected results:
Yum works.
After some more digging, I see it's SELinux that causes the permission issues. With SELinux in permissive mode, Yum does work as expected:

# yum repolist
Loaded plugins: search-disabled-repos
rhui-rhel-ha-for-rhel-7-server-rhui-rpms                                          | 2.0 kB  00:00:00
(1/3): rhui-rhel-ha-for-rhel-7-server-rhui-rpms/7Server/x86_64/updateinfo         |  42 kB  00:00:00
(2/3): rhui-rhel-ha-for-rhel-7-server-rhui-rpms/7Server/x86_64/group              |  11 kB  00:00:00
(3/3): rhui-rhel-ha-for-rhel-7-server-rhui-rpms/7Server/x86_64/primary            |  51 kB  00:00:00
rhui-rhel-ha-for-rhel-7-server-rhui-rpms                                                     224/224
repo id                                                  repo name                                                    status
rhui-rhel-ha-for-rhel-7-server-rhui-rpms/7Server/x86_64  Red Hat Enterprise Linux High Availability (for RHEL 7 S     224

The 'grep httpd /var/log/audit/audit.log | audit2allow -M cds' command has produced the cds.te file with the following content:

module cds 1.0;

require {
	type httpd_t;
	type var_t;
	class file { read getattr open };
}

#============= httpd_t ==============
allow httpd_t var_t:file { read getattr open };

I can see some detailed information when I search for httpd in the auditd log:

type=SYSCALL msg=audit(09/08/2016 07:50:38.031:3556) : arch=x86_64 syscall=lstat success=no exit=-13(Permission denied) a0=0x7eff6f5b7688 a1=0x7fff0b9865d0 a2=0x7fff0b9865d0 a3=0x0 items=0 ppid=20142 pid=20291 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(09/08/2016 07:50:38.031:3556) : avc: denied { getattr } for pid=20291 comm=httpd path=/srv/pulp/mirrorlist.wsgi dev="xvda2" ino=9291215 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

So, AIUI, what needs to be done for this bug is:
1 - Ensure that the correct path is put into /etc/httpd/conf.d/25-cds.example.com.conf for WSGIScriptAlias /pulp/mirror.
2 - Tweak SELinux rules accordingly.
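
The grouping that audit2allow performed on these denials, as an added example (not part of the original comment and not RHUI code): it parses interpreted AVC records, rebuilds the equivalent allow rule, and flags a broad default target type such as var_t, where the rule would cover every file carrying that label and not only the script. The second and third sample records and the GENERIC_TYPES set are constructed for illustration.

```python
import re
from collections import defaultdict

# First line is the AVC record quoted in the report; the other two are
# constructed to match the read/open permissions listed in cds.te.
SAMPLE_AUDIT = '''\
type=AVC msg=audit(09/08/2016 07:50:38.031:3556) : avc: denied { getattr } for pid=20291 comm=httpd path=/srv/pulp/mirrorlist.wsgi dev="xvda2" ino=9291215 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(09/08/2016 07:50:39.102:3557) : avc: denied { read } for pid=20291 comm=httpd name=mirrorlist.wsgi dev="xvda2" ino=9291215 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(09/08/2016 07:50:39.102:3557) : avc: denied { open } for pid=20291 comm=httpd path=/srv/pulp/mirrorlist.wsgi dev="xvda2" ino=9291215 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')
PATH_RE = re.compile(r'\bpath="?([^"\s]+)')

# Broad default types (assumption: an illustrative subset, not a full list).
GENERIC_TYPES = {'var_t', 'default_t', 'unlabeled_t'}

def se_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(':')[2]

def summarize(audit_text):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {'perms': set(), 'paths': set()})
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        key = (se_type(m['scon']), se_type(m['tcon']), m['tclass'])
        groups[key]['perms'].update(m['perms'].split())
        p = PATH_RE.search(line)
        if p:
            groups[key]['paths'].add(p.group(1))
    return dict(groups)

def report(audit_text):
    """Build the equivalent allow rule per group and flag generic targets."""
    out = []
    for (src, tgt, cls), g in sorted(summarize(audit_text).items()):
        rule = 'allow %s %s:%s { %s };' % (src, tgt, cls, ' '.join(sorted(g['perms'])))
        out.append({'rule': rule, 'paths': sorted(g['paths']),
                    'generic_target': tgt in GENERIC_TYPES})
    return out
```
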
Fix confirmed in RHUI-3.0-RHEL-6-20160921.n.0. Thanks Patrick!
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:0367