Bug 1477545 - Upgrade of dhcpd always breaks permissions
Status: CLOSED ERRATA
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Installer
6.3.0
Unspecified Unspecified
high Severity high
: Beta
Assigned To: Eric Helms
Lukas Pramuk
: PrioBumpGSS, PrioBumpPM, Triaged
Reported: 2017-08-02 07:27 EDT by Lukas Zapletal
Modified: 2018-05-18 07:34 EDT
Fixed In Version: foreman-installer-1.15.5
Last Closed: 2018-02-21 12:11:08 EST
Type: Bug
External Trackers
Tracker  ID  Last Updated
Red Hat Knowledge Base (Solution)  3137221  2017-08-07 11:56 EDT
Foreman Issue Tracker  20683  2017-08-21 14:32 EDT
Foreman Issue Tracker  21419  2017-10-23 03:01 EDT
Description Lukas Zapletal 2017-08-02 07:27:47 EDT
We need to set

setfacl -R -m u:foreman:rwx /etc/dhcp /var/lib/dhcpd

via our puppet installer instead of modifying standard UNIX owner and permissions. Over time, as the dhcp package is upgraded, RPM restores the original permissions and owner, which leads to DHCP issues (foreman-proxy is unable to modify files).

We should keep the old UNIX method and add setfacl as an additional step; it will not work on filesystems without FACL, in that case skip it.
Comment 10 Lukas Zapletal 2017-08-07 10:18:01 EDT
Nagoor, I can confirm my typo. The correct form is indeed:

setfacl -R -m u:foreman-proxy:rwx /etc/dhcp /var/lib/dhcpd
Comment 15 Eric Helms 2017-08-21 14:32:00 EDT
Created redmine issue http://projects.theforeman.org/issues/20683 from this bug
Comment 16 pm-sat@redhat.com 2017-09-06 10:05:40 EDT
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/20683 has been resolved.
Comment 17 Lukas Pramuk 2017-10-20 13:24:10 EDT
FailedQA.

@satellite-6.3.0-21.0.beta.el7sat.noarch
foreman-installer-1.15.6.1-1.el7sat.noarch

# getfacl -p /etc/dhcp /var/lib/dhcpd
# file: /etc/dhcp
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

# file: /var/lib/dhcpd
# owner: dhcpd
# group: dhcpd
user::rwx
group::r-x
other::r-x


>>> no special acl set on the dhcp directories
Comment 18 Eric Helms 2017-10-20 17:04:49 EDT
Lukas,

Do you have both --foreman-proxy-dhcp and --foreman-proxy-dhcp-managed set to true? Be warned, this will enable DHCP server and management so you need to do it in an isolated network. These are not true in a default installation for that reason. The management of DHCP ACLs is only relevant in the case that DHCP is being managed by the Capsule, so you will not see this present without the above. Flipping back to ON_QA for further analysis.
Comment 19 Lukas Pramuk 2017-10-22 05:35:13 EDT
Eric,

Yes, I have an internal Capsule with the DHCP, DNS, Discovery, Dynflow, Openscap, Pulp, Puppet, Puppet CA, SSH, and TFTP features

# satellite-installer -h | grep -E "dhcp( |-manage)"
    --foreman-proxy-dhcp          Enable DHCP feature (current: true)
    --foreman-proxy-dhcp-manage-acls  Whether to manage DHCP directory ACLs. This allows the Foreman Proxy user to access even if the directory mode is 0750. (current: true)
    --foreman-proxy-dhcp-managed  DHCP is managed by Foreman proxy (current: true)
Comment 20 Lukas Pramuk 2017-10-22 07:26:16 EDT
setfacl installer code is working but with reverse logic, see: 

1. Set ACL
# setfacl -R -m u:foreman-proxy:rx /var/lib/dhcpd /etc/dhcp

# satellite-installer -v 
...
[ WARN 2017-10-22 06:48:16 verbose]  /Stage[main]/Foreman_proxy::Proxydhcp/Exec[setfacl_etc_dhcp]/returns: executed successfully
[ WARN 2017-10-22 06:48:16 verbose]  /Stage[main]/Dhcp/Concat[/etc/dhcp/dhcpd.conf]/File[/etc/dhcp/dhcpd.conf]/mode: mode changed '0654' to '0644'
[ INFO 2017-10-22 06:48:16 verbose]  Concat[/etc/dhcp/dhcpd.conf]: Scheduling refresh of Service[dhcpd]
...

>>> when the acl is present the installer sets it !!!

2. Remove ACL
# setfacl -R -x u:foreman-proxy /var/lib/dhcpd /etc/dhcp

# satellite-installer -v 
...
<no exec of setfacl_etc_dhcp>
... 

>>> when the acl is not set the installer doesn't set it !!!
Comment 21 Lukas Pramuk 2017-10-22 07:33:52 EDT
While setfacl_var_lib_dhcp has a typo!!!

onlyif  => "getfacl -p /var/lib/dhcp | grep user:${::foreman_proxy::user}:r-x"

>>> /var/lib/dhcp doesn't exist, it should be /var/lib/dhcpd
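Comments 20 and 21 pin down the two defects in the installer's guard: the check fires when the ACL entry is already present instead of when it is missing (`onlyif` where `unless` is meant), and it inspects the wrong path. The following shell script is an added example, not code from foreman-installer or this bug, showing the guard the right way round and kept idempotent: parse `getfacl` output, apply `setfacl` only when the named-user entry is absent, and skip quietly on a filesystem that reports no ACL support (the fallback comment 0 asks for). The helper names, the two sample `getfacl` outputs and the `PROXY_USER`/`WANT_PERMS` constants are assumptions constructed for the example; the samples copy the shape of the output shown later in this bug.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not the installer's own code):
# idempotent "give the proxy user read access via ACL" step whose guard
# runs setfacl only when the entry is MISSING, never when it is present.

PROXY_USER="foreman-proxy"   # assumed proxy user, as corrected in comment 10
WANT_PERMS="r-x"             # read-only is enough per comments 24 and 26

# Constructed getfacl output for a directory that already carries the entry.
SAMPLE_WITH_ACL='# file: /etc/dhcp
# owner: root
# group: root
user::rwx
user:foreman-proxy:r-x
group::r-x
mask::r-x
other::r-x'

# Constructed getfacl output after an RPM upgrade reset the directory:
# only the base entries remain, there is no entry for the proxy user.
SAMPLE_WITHOUT_ACL='# file: /var/lib/dhcpd
# owner: dhcpd
# group: dhcpd
user::rwx
group::r-x
other::r-x'

# acl_has_entry GETFACL_OUTPUT USER PERMS
# Succeeds when a named-user line "user:USER:PERMS" is present.
# -x matches whole lines, -F takes the pattern literally ("-" in r-x is no range).
acl_has_entry() {
  printf '%s\n' "$1" | grep -qxF "user:$2:$3"
}

# acl_action GETFACL_OUTPUT USER PERMS -> prints "apply" or "skip"
# This is the condition the Puppet resource should express with `unless`,
# not `onlyif`: apply when the entry is missing, skip when it is already there.
acl_action() {
  if acl_has_entry "$1" "$2" "$3"; then
    echo skip
  else
    echo apply
  fi
}

# ensure_dhcp_acl DIR
# Live-system wrapper: read the directory's ACL, skip when the filesystem
# offers no ACL support (getfacl fails), apply recursively only when needed.
ensure_dhcp_acl() {
  dir=$1
  if ! current=$(getfacl -p "$dir" 2>/dev/null); then
    echo "ACLs unsupported or unreadable on $dir, skipping" >&2
    return 0
  fi
  if [ "$(acl_action "$current" "$PROXY_USER" "$WANT_PERMS")" = apply ]; then
    # setfacl wants "rx", getfacl prints "r-x": drop the dash for the -m argument
    setfacl -R -m "u:$PROXY_USER:$(printf '%s' "$WANT_PERMS" | sed 's/-//g')" "$dir"
  fi
}

# Usage on a real Capsule (not run here):
#   ensure_dhcp_acl /etc/dhcp
#   ensure_dhcp_acl /var/lib/dhcpd
```

Because `acl_action` is pure (it only inspects text), the guard can be checked against captured `getfacl` output without touching a filesystem, which is how a change like the `/var/lib/dhcp` vs `/var/lib/dhcpd` path slip would have been caught before release: the wrong path makes `getfacl` fail, the entry is never found, and the action is always "apply" on one directory while the other is never corrected.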
Comment 22 Lukas Pramuk 2017-11-01 12:01:37 EDT
VERIFIED.

@satellite-6.3.0-21.0.beta.el7sat.noarch
foreman-installer-1.15.6.4-1.el7sat.noarch


1. Have a capsule with DHCP feature, i.e. all these installer options are enabled

# satellite-installer -h | grep -E "dhcp( |-manage)"
    --foreman-proxy-dhcp          Enable DHCP feature (current: true)
    --foreman-proxy-dhcp-manage-acls  Whether to manage DHCP directory ACLs. This allows the Foreman Proxy user to access even if the directory mode is 0750. (current: true)
    --foreman-proxy-dhcp-managed  DHCP is managed by Foreman proxy (current: true)

2. Check for file ACLs of dhcp files (after installation)

# getfacl -p /etc/dhcp /var/lib/dhcpd
# file: /etc/dhcp
# owner: root
# group: root
user::rwx
user:foreman-proxy:r-x    <<< OK
group::r-x
mask::r-x
other::r-x

# file: /var/lib/dhcpd
# owner: dhcpd
# group: dhcpd
user::rwx
user:foreman-proxy:r-x    <<< OK
group::r-x
mask::r-x
other::r-x

>>> foreman will be able to access dhcp files
Comment 23 Lukas Pramuk 2017-11-01 12:05:28 EDT
Wait, comment#0 and comment#10 are talking about rwx for foreman-proxy and I see just r-x

So foreman won't be able to modify/write to dhcp files. Is write access needed?
Comment 24 Lukas Zapletal 2017-11-02 06:23:29 EDT
Yes, only read access for all DHCP files is needed, as Foreman calls the "omapi" tool to do the updates as an external process, and I believe this talks to the server via the network.
Comment 25 Bryan Kearney 2018-02-21 12:11:08 EST
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336
Comment 26 Lukas Zapletal 2018-05-18 07:34:15 EDT
For googlers, the correct command is again:

setfacl -R -m u:foreman-proxy:rx /etc/dhcp /var/lib/dhcpd

No write permission needed!