1432013 – katello-backup does not apply postgres group owner to the whole backup path

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1432013 - katello-backup does not apply postgres group owner to the whole backup path

Summary: katello-backup does not apply postgres group owner to the whole backup path

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Backup & Restore
Sub Component:
Version:	6.2.8
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	Unspecified
Assignee:	Christine Fouant
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1456379
TreeView+	depends on / blocked

Reported:	2017-03-14 10:24 UTC by Dmitry Zhukovski
Modified:	2021-12-10 14:57 UTC (History)
CC List:	9 users (show)
Fixed In Version:	katello-3.4.0
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1456379 (view as bug list)
Environment:
Last Closed:	2018-02-21 16:54:37 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Foreman Issue Tracker	19453	0	High	Closed	katello-backup does not apply postgres group owner to the whole backup path	2021-02-09 16:15:10 UTC

Internal Links: 1444069

Description Dmitry Zhukovski 2017-03-14 10:24:58 UTC

Description of problem:
katello-backup does not apply postgres group owner to the whole backup path

Version-Release number of selected component (if applicable):
katello-common-3.0.0-17.el7sat.noarch

How reproducible:
everytime

Steps to Reproduce:
1. make backup top level directory belonging to root group
# ls -la /backup
total 4
drwxrwx---.  2 root root    6 Mar 14 10:17 .
2. run o# katello-backup --skip-pulp-content --online-backup /backup/db-backup-2017-03-13/
Starting backup: 2017-03-14 10:17:58 +0000
Creating backup folder /backup/db-backup-2017-03-13/katello-backup-2017-03-14T10:17:58+00:00
Redirecting to /bin/systemctl stop  foreman-tasks.service
Redirecting to /bin/systemctl stop  httpd.service
Redirecting to /bin/systemctl stop  pulp_workers.service
Redirecting to /bin/systemctl stop  foreman-proxy.service
Redirecting to /bin/systemctl stop  pulp_streamer.service
Redirecting to /bin/systemctl stop  pulp_resource_manager.service
Redirecting to /bin/systemctl stop  pulp_celerybeat.service
Redirecting to /bin/systemctl stop  smart_proxy_dynflow_core.service
Redirecting to /bin/systemctl stop  tomcat.service
Redirecting to /bin/systemctl stop  squid.service
Redirecting to /bin/systemctl stop  qdrouterd.service
Redirecting to /bin/systemctl stop  qpidd.service
Redirecting to /bin/systemctl stop  postgresql.service
Redirecting to /bin/systemctl stop  mongod.service
Backing up config files... 
tar: Removing leading `/' from member names
Done.
Backing up postgres db... 
-bash: /backup/db-backup-2017-03-13/katello-backup-2017-03-14T10:17:58+00:00/foreman.dump: Permission denied
-bash: /backup/db-backup-2017-03-13/katello-backup-2017-03-14T10:17:58+00:00/candlepin.dump: Permission denied
Done.
Backing up mongo db... 
couldn't connect to [localhost] couldn't connect to server localhost:27017 (127.0.0.1), connection attempt failed
Done.
**** BACKUP Complete, contents can be found in: /backup/db-backup-2017-03-13/katello-backup-2017-03-14T10:17:58+00:00 ****
nline backup



Actual results:
Top level and intermediate directory belongs to root so postgres user can't dump database
# ls -lRa /backup
/backup:
total 4
drwxrwx---.  3 root root   33 Mar 14 10:17 .
dr-xr-xr-x. 18 root root 4096 Mar 13 13:30 ..
drwxr-xr-x.  3 root root   53 Mar 14 10:17 db-backup-2017-03-13

/backup/db-backup-2017-03-13:
total 0
drwxr-xr-x. 3 root root     53 Mar 14 10:17 .
drwxrwx---. 3 root root     33 Mar 14 10:17 ..
drwxrwx---. 2 root postgres 51 Mar 14 10:17 katello-backup-2017-03-14T10:17:58+00:00


Expected results:
postgres group should be propagated from top to bottom if we wish to write postgres dumps:
  `runuser - postgres -c "pg_dump -Fc foreman > #{@dir}/foreman.dump"`
  `runuser - postgres -c "pg_dump -Fc candlepin > #{@dir}/candlepin.dump"
..or - write dumps to temporary directory and then copy

Additional info:

Comment 2 Christine Fouant 2017-05-03 17:22:28 UTC

Created redmine issue http://projects.theforeman.org/issues/19453 from this bug

Comment 3 Christine Fouant 2017-05-04 14:15:37 UTC

> Expected results:
> postgres group should be propagated from top to bottom if we wish to write
> postgres dumps:
>   `runuser - postgres -c "pg_dump -Fc foreman > #{@dir}/foreman.dump"`
>   `runuser - postgres -c "pg_dump -Fc candlepin > #{@dir}/candlepin.dump"
> ..or - write dumps to temporary directory and then copy
> 
> Additional info:

It would be pretty bad to go in and change permissions all the way up the filesystem. For instance, doing so might give postgresql access to the root's home directory, and that would not be good. Also, creating the necessary files elsewhere and moving them into the backup directory would only cause failure upon attempt to restore. I believe the responsibility of permissions in this case is the user's, so the solution I think best would be to fail with an error message if the path prevents postgres group permissions.

Comment 4 Dmitry Zhukovski 2017-05-04 14:22:27 UTC

i am not asking to change permissions from root top but rather from backup top directory down to the structure. in 6.2.8 you had introduced intermediate directory level as db-backup-<date> but did forget to chgrp to postrgesql as you do on low level backup file.

thats why backup script fails to write to backup file as it's cant traverse via db-backup-<date> directory

Comment 5 Satellite Program 2017-05-11 18:15:34 UTC

Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/19453 has been resolved.

Comment 6 Peter Ondrejka 2017-09-05 13:29:49 UTC

Verified on satellite-6.3.0-17.0.beta.el7sat.noarch, postgres group rights are applied down the path where needed:

# ll /var/tmp/
drwxrwx---. 3 root postgres 43 Sep  5 08:45 backup

# ll /var/tmp/backup/katello-backup-20170905084527/
total 4980
-rw-r--r--. 1 postgres postgres  267615 Sep  5 08:46 candlepin.dump
-rw-r--r--. 1 root     root      674369 Sep  5 08:45 config_files.tar.gz
-rw-r--r--. 1 postgres postgres 4099807 Sep  5 08:46 foreman.dump
-rw-r--r--. 1 root     root       48812 Sep  5 08:45 metadata.yml
drwxr-xr-x. 5 root     root          52 Sep  5 08:46 mongo_dump
-rw-r--r--. 1 postgres postgres     650 Sep  5 08:46 pg_globals.dump

Comment 7 Satellite Program 2018-02-21 16:54:37 UTC

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
> > 
> > For information on the advisory, and where to find the updated files, follow the link below.
> > 
> > If the solution does not work for you, open a new bug report.
> > 
> > https://access.redhat.com/errata/RHSA-2018:0336

Note You need to log in before you can comment on or make changes to this bug.