Red Hat Bugzilla – Bug 1432013
katello-backup does not apply postgres group owner to the whole backup path
Last modified: 2018-02-21 11:54:37 EST
Description of problem: katello-backup does not apply postgres group owner to the whole backup path Version-Release number of selected component (if applicable): katello-common-3.0.0-17.el7sat.noarch How reproducible: everytime Steps to Reproduce: 1. make backup top level directory belonging to root group # ls -la /backup total 4 drwxrwx---. 2 root root 6 Mar 14 10:17 . 2. run o# katello-backup --skip-pulp-content --online-backup /backup/db-backup-2017-03-13/ Starting backup: 2017-03-14 10:17:58 +0000 Creating backup folder /backup/db-backup-2017-03-13/katello-backup-2017-03-14T10:17:58+00:00 Redirecting to /bin/systemctl stop foreman-tasks.service Redirecting to /bin/systemctl stop httpd.service Redirecting to /bin/systemctl stop pulp_workers.service Redirecting to /bin/systemctl stop foreman-proxy.service Redirecting to /bin/systemctl stop pulp_streamer.service Redirecting to /bin/systemctl stop pulp_resource_manager.service Redirecting to /bin/systemctl stop pulp_celerybeat.service Redirecting to /bin/systemctl stop smart_proxy_dynflow_core.service Redirecting to /bin/systemctl stop tomcat.service Redirecting to /bin/systemctl stop squid.service Redirecting to /bin/systemctl stop qdrouterd.service Redirecting to /bin/systemctl stop qpidd.service Redirecting to /bin/systemctl stop postgresql.service Redirecting to /bin/systemctl stop mongod.service Backing up config files... tar: Removing leading `/' from member names Done. Backing up postgres db... -bash: /backup/db-backup-2017-03-13/katello-backup-2017-03-14T10:17:58+00:00/foreman.dump: Permission denied -bash: /backup/db-backup-2017-03-13/katello-backup-2017-03-14T10:17:58+00:00/candlepin.dump: Permission denied Done. Backing up mongo db... couldn't connect to [localhost] couldn't connect to server localhost:27017 (127.0.0.1), connection attempt failed Done. **** BACKUP Complete, contents can be found in: /backup/db-backup-2017-03-13/katello-backup-2017-03-14T10:17:58+00:00 **** nline backup Actual results: Top level and intermediate directory belongs to root so postgres user can't dump database # ls -lRa /backup /backup: total 4 drwxrwx---. 3 root root 33 Mar 14 10:17 . dr-xr-xr-x. 18 root root 4096 Mar 13 13:30 .. drwxr-xr-x. 3 root root 53 Mar 14 10:17 db-backup-2017-03-13 /backup/db-backup-2017-03-13: total 0 drwxr-xr-x. 3 root root 53 Mar 14 10:17 . drwxrwx---. 3 root root 33 Mar 14 10:17 .. drwxrwx---. 2 root postgres 51 Mar 14 10:17 katello-backup-2017-03-14T10:17:58+00:00 Expected results: postgres group should be propagated from top to bottom if we wish to write postgres dumps: `runuser - postgres -c "pg_dump -Fc foreman > #{@dir}/foreman.dump"` `runuser - postgres -c "pg_dump -Fc candlepin > #{@dir}/candlepin.dump" ..or - write dumps to temporary directory and then copy Additional info:
Created redmine issue http://projects.theforeman.org/issues/19453 from this bug
> Expected results: > postgres group should be propagated from top to bottom if we wish to write > postgres dumps: > `runuser - postgres -c "pg_dump -Fc foreman > #{@dir}/foreman.dump"` > `runuser - postgres -c "pg_dump -Fc candlepin > #{@dir}/candlepin.dump" > ..or - write dumps to temporary directory and then copy > > Additional info: It would be pretty bad to go in and change permissions all the way up the filesystem. For instance, doing so might give postgresql access to the root's home directory, and that would not be good. Also, creating the necessary files elsewhere and moving them into the backup directory would only cause failure upon attempt to restore. I believe the responsibility of permissions in this case is the user's, so the solution I think best would be to fail with an error message if the path prevents postgres group permissions.
i am not asking to change permissions from root top but rather from backup top directory down to the structure. in 6.2.8 you had introduced intermediate directory level as db-backup-<date> but did forget to chgrp to postrgesql as you do on low level backup file. thats why backup script fails to write to backup file as it's cant traverse via db-backup-<date> directory
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/19453 has been resolved.
Verified on satellite-6.3.0-17.0.beta.el7sat.noarch, postgres group rights are applied down the path where needed: # ll /var/tmp/ drwxrwx---. 3 root postgres 43 Sep 5 08:45 backup # ll /var/tmp/backup/katello-backup-20170905084527/ total 4980 -rw-r--r--. 1 postgres postgres 267615 Sep 5 08:46 candlepin.dump -rw-r--r--. 1 root root 674369 Sep 5 08:45 config_files.tar.gz -rw-r--r--. 1 postgres postgres 4099807 Sep 5 08:46 foreman.dump -rw-r--r--. 1 root root 48812 Sep 5 08:45 metadata.yml drwxr-xr-x. 5 root root 52 Sep 5 08:46 mongo_dump -rw-r--r--. 1 postgres postgres 650 Sep 5 08:46 pg_globals.dump
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. > > > > For information on the advisory, and where to find the updated files, follow the link below. > > > > If the solution does not work for you, open a new bug report. > > > > https://access.redhat.com/errata/RHSA-2018:0336