Bug 1432013 - katello-backup does not apply postgres group owner to the whole backup path
Summary: katello-backup does not apply postgres group owner to the whole backup path
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Backup & Restore
Version: 6.2.8
Hardware: All
OS: Linux
high
high
Target Milestone: Unspecified
Assignee: Christine Fouant
QA Contact:
URL:
Whiteboard:
Keywords: Triaged
Depends On:
Blocks: 1456379
Reported: 2017-03-14 10:24 UTC by Dmitry Zhukovski
Modified: 2019-04-01 20:27 UTC (History)
Clone Of:
: 1456379 (view as bug list)
Last Closed: 2018-02-21 16:54:37 UTC




External Trackers
Tracker ID Priority Status Summary Last Updated
Foreman Issue Tracker 19453 None None None 2017-05-03 17:22 UTC

Internal Trackers: 1444069

Description Dmitry Zhukovski 2017-03-14 10:24:58 UTC
Description of problem:
katello-backup does not apply postgres group owner to the whole backup path

Version-Release number of selected component (if applicable):
katello-common-3.0.0-17.el7sat.noarch

How reproducible:
every time

Steps to Reproduce:
1. make backup top level directory belonging to root group
# ls -la /backup
total 4
drwxrwx---.  2 root root    6 Mar 14 10:17 .
2. run online backup
# katello-backup --skip-pulp-content --online-backup /backup/db-backup-2017-03-13/
Starting backup: 2017-03-14 10:17:58 +0000
Creating backup folder /backup/db-backup-2017-03-13/katello-backup-2017-03-14T10:17:58+00:00
Redirecting to /bin/systemctl stop  foreman-tasks.service
Redirecting to /bin/systemctl stop  httpd.service
Redirecting to /bin/systemctl stop  pulp_workers.service
Redirecting to /bin/systemctl stop  foreman-proxy.service
Redirecting to /bin/systemctl stop  pulp_streamer.service
Redirecting to /bin/systemctl stop  pulp_resource_manager.service
Redirecting to /bin/systemctl stop  pulp_celerybeat.service
Redirecting to /bin/systemctl stop  smart_proxy_dynflow_core.service
Redirecting to /bin/systemctl stop  tomcat.service
Redirecting to /bin/systemctl stop  squid.service
Redirecting to /bin/systemctl stop  qdrouterd.service
Redirecting to /bin/systemctl stop  qpidd.service
Redirecting to /bin/systemctl stop  postgresql.service
Redirecting to /bin/systemctl stop  mongod.service
Backing up config files... 
tar: Removing leading `/' from member names
Done.
Backing up postgres db... 
-bash: /backup/db-backup-2017-03-13/katello-backup-2017-03-14T10:17:58+00:00/foreman.dump: Permission denied
-bash: /backup/db-backup-2017-03-13/katello-backup-2017-03-14T10:17:58+00:00/candlepin.dump: Permission denied
Done.
Backing up mongo db... 
couldn't connect to [localhost] couldn't connect to server localhost:27017 (127.0.0.1), connection attempt failed
Done.
**** BACKUP Complete, contents can be found in: /backup/db-backup-2017-03-13/katello-backup-2017-03-14T10:17:58+00:00 ****



Actual results:
The top-level and intermediate directories belong to root, so the postgres user can't dump the database
# ls -lRa /backup
/backup:
total 4
drwxrwx---.  3 root root   33 Mar 14 10:17 .
dr-xr-xr-x. 18 root root 4096 Mar 13 13:30 ..
drwxr-xr-x.  3 root root   53 Mar 14 10:17 db-backup-2017-03-13

/backup/db-backup-2017-03-13:
total 0
drwxr-xr-x. 3 root root     53 Mar 14 10:17 .
drwxrwx---. 3 root root     33 Mar 14 10:17 ..
drwxrwx---. 2 root postgres 51 Mar 14 10:17 katello-backup-2017-03-14T10:17:58+00:00


Expected results:
postgres group should be propagated from top to bottom if we wish to write postgres dumps:
  `runuser - postgres -c "pg_dump -Fc foreman > #{@dir}/foreman.dump"`
  `runuser - postgres -c "pg_dump -Fc candlepin > #{@dir}/candlepin.dump"`
..or - write dumps to temporary directory and then copy

Additional info:

Comment 2 Christine Fouant 2017-05-03 17:22:28 UTC
Created redmine issue http://projects.theforeman.org/issues/19453 from this bug

Comment 3 Christine Fouant 2017-05-04 14:15:37 UTC
> Expected results:
> postgres group should be propagated from top to bottom if we wish to write
> postgres dumps:
>   `runuser - postgres -c "pg_dump -Fc foreman > #{@dir}/foreman.dump"`
>   `runuser - postgres -c "pg_dump -Fc candlepin > #{@dir}/candlepin.dump"`
> ..or - write dumps to temporary directory and then copy
> 
> Additional info:

It would be pretty bad to go in and change permissions all the way up the filesystem. For instance, doing so might give postgresql access to the root's home directory, and that would not be good. Also, creating the necessary files elsewhere and moving them into the backup directory would only cause failure upon attempt to restore. I believe the responsibility of permissions in this case is the user's, so the solution I think best would be to fail with an error message if the path prevents postgres group permissions.

Comment 4 Dmitry Zhukovski 2017-05-04 14:22:27 UTC
I am not asking to change permissions from the root top, but rather from the backup top directory down through the structure. In 6.2.8 you introduced an intermediate directory level as db-backup-<date> but forgot to chgrp it to postgresql as you do on the low-level backup file.

That's why the backup script fails to write to the backup file, as it can't traverse via the db-backup-<date> directory.
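
The option raised in Comment 3 (fail with an error when the path blocks the postgres user) comes down to a per-directory permission check along the backup path. A sketch of that check, added here as an example and not katello-backup's own code: the function names, the Entry struct and uid/gid 26 for postgres are assumptions, and the sample table is constructed from the "Actual results" listing with a shortened leaf directory name.

```ruby
require 'pathname'

# Minimal stat record so the check runs on constructed data as well as File.stat.
Entry = Struct.new(:mode, :uid, :gid)

# Classic Unix mode-bit check. Owner, group and other are mutually exclusive:
# the first class that matches decides. ACLs and SELinux are not considered.
# `want` is given in "other" position: 0o1 = search (x), 0o3 = write + search.
def allowed?(st, uid, gids, want)
  return true if uid.zero? # root bypasses mode bits
  shift = if st.uid == uid then 6
          elsif gids.include?(st.gid) then 3
          else 0
          end
  ((st.mode >> shift) & want) == want
end

# Directories from / down to `dir` that stop the user: every ancestor needs x,
# the dump directory itself needs w+x so the dump file can be created in it.
def blocking_dirs(dir, uid, gids, stat = ->(p) { File.stat(p) })
  leaf = Pathname.new(dir).cleanpath
  chain = []
  leaf.ascend { |p| chain.unshift(p.to_s) }
  chain.reject { |p| allowed?(stat.call(p), uid, gids, p == leaf.to_s ? 0o3 : 0o1) }
end

# Constructed sample: modes and owners copied from the "Actual results" listing.
POSTGRES_UID = 26 # assumed uid/gid of the postgres account
POSTGRES_GID = 26
LEAF = '/backup/db-backup-2017-03-13/katello-backup-X'
SAMPLE = {
  '/' => Entry.new(0o555, 0, 0),
  '/backup' => Entry.new(0o770, 0, 0),
  '/backup/db-backup-2017-03-13' => Entry.new(0o755, 0, 0),
  LEAF => Entry.new(0o770, 0, POSTGRES_GID)
}.freeze

# Run the check on the sample tree, optionally overriding some entries.
def sample_report(overrides = {})
  tree = SAMPLE.merge(overrides)
  blocking_dirs(LEAF, POSTGRES_UID, [POSTGRES_GID], ->(p) { tree.fetch(p) })
end

blocked = sample_report
puts "postgres cannot use: #{blocked.join(', ')}" unless blocked.empty?
```

Called without the last argument, `blocking_dirs` reads the real filesystem through `File.stat`, so a backup script could run it before any service is stopped and exit with the list of blocking directories.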

Comment 5 pm-sat@redhat.com 2017-05-11 18:15:34 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/19453 has been resolved.

Comment 6 Peter Ondrejka 2017-09-05 13:29:49 UTC
Verified on satellite-6.3.0-17.0.beta.el7sat.noarch, postgres group rights are applied down the path where needed:

# ll /var/tmp/
drwxrwx---. 3 root postgres 43 Sep  5 08:45 backup

# ll /var/tmp/backup/katello-backup-20170905084527/
total 4980
-rw-r--r--. 1 postgres postgres  267615 Sep  5 08:46 candlepin.dump
-rw-r--r--. 1 root     root      674369 Sep  5 08:45 config_files.tar.gz
-rw-r--r--. 1 postgres postgres 4099807 Sep  5 08:46 foreman.dump
-rw-r--r--. 1 root     root       48812 Sep  5 08:45 metadata.yml
drwxr-xr-x. 5 root     root          52 Sep  5 08:46 mongo_dump
-rw-r--r--. 1 postgres postgres     650 Sep  5 08:46 pg_globals.dump

Comment 7 pm-sat@redhat.com 2018-02-21 16:54:37 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336

