Bug 1716900 - The ACL /var/lib/qpidd/.qpidd/qpid_acls.acl gets removed with certain procedures
Status: CLOSED ERRATA
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Qpid
Version: 6.4
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: 6.6.0
Assignee: Mike Cressman
QA Contact: Radovan Drazny
Reported: 2019-06-04 11:16 UTC by Kenny Tordeurs
Modified: 2019-10-22 12:47 UTC (History)

Fixed In Version: foreman-installer-1.22.0
Last Closed: 2019-10-22 12:47:37 UTC
Links
System ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 4196061 None None None 2019-06-04 11:33:26 UTC
Red Hat Product Errata RHSA-2019:3172 None None None 2019-10-22 12:47:46 UTC

Description Kenny Tordeurs 2019-06-04 11:16:00 UTC
Description of problem:
The ACL /var/lib/qpidd/.qpidd/qpid_acls.acl gets removed with certain procedures


~~~
qpidd.conf:acl-file=qpid_acls.acl
~~~

Results in failure to start the qpidd service:
~~~
Redirecting to /bin/systemctl status qpidd.service
● qpidd.service - An AMQP message broker daemon.
   Loaded: loaded (/usr/lib/systemd/system/qpidd.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2019-06-04 12:07:27 CEST; 36s ago
     Docs: man:qpidd(1)
           http://qpid.apache.org/
  Process: 9002 ExecStart=/usr/sbin/qpidd --config /etc/qpid/qpidd.conf (code=exited, status=1/FAILURE)
 Main PID: 9002 (code=exited, status=1/FAILURE)

Jun 04 12:07:27 provisioning.sysmgmt.lan systemd[1]: Started An AMQP message broker daemon..
Jun 04 12:07:27 provisioning.sysmgmt.lan qpidd[9002]: 2019-06-04 12:07:27 [Security] error Unable to open ACL file "/var/lib/qpidd/.qpidd/qpid_acls.acl": eof=F; fail=T; bad=F
Jun 04 12:07:27 provisioning.sysmgmt.lan qpidd[9002]: 2019-06-04 12:07:27 [Security] error Unable to open ACL file "/var/lib/qpidd/.qpidd/qpid_acls.acl": eof=F; fail=T; bad=F
Jun 04 12:07:27 provisioning.sysmgmt.lan qpidd[9002]: 2019-06-04 12:07:27 [Broker] critical Broker (pid=9002) start-up failed: Could not read ACL file Unable to open ACL file "/var/lib/qpidd/.qpi...fail=T; bad=F
Jun 04 12:07:27 provisioning.sysmgmt.lan qpidd[9002]: 2019-06-04 12:07:27 [Broker] critical Broker (pid=9002) start-up failed: Could not read ACL file Unable to open ACL file "/var/lib/qpidd/.qpi...fail=T; bad=F
Jun 04 12:07:27 provisioning.sysmgmt.lan qpidd[9002]: 2019-06-04 12:07:27 [Broker] critical Unexpected error: Could not read ACL file Unable to open ACL file "/var/lib/qpidd/.qpidd/qpid_acls.acl"...fail=T; bad=F
Jun 04 12:07:27 provisioning.sysmgmt.lan qpidd[9002]: 2019-06-04 12:07:27 [Broker] critical Unexpected error: Could not read ACL file Unable to open ACL file "/var/lib/qpidd/.qpidd/qpid_acls.acl"...fail=T; bad=F
Jun 04 12:07:27 provisioning.sysmgmt.lan systemd[1]: qpidd.service: main process exited, code=exited, status=1/FAILURE
Jun 04 12:07:27 provisioning.sysmgmt.lan systemd[1]: Unit qpidd.service entered failed state.
Jun 04 12:07:27 provisioning.sysmgmt.lan systemd[1]: qpidd.service failed.
~~~

For example, running the steps from https://access.redhat.com/solutions/3157651 results in the ACL file being removed.

Version-Release number of selected component (if applicable):
# rpm -qa | grep qpid
~~~
provisioning.sysmgmt.lan-qpid-router-client-1.0-1.noarch
qpid-cpp-client-1.36.0-19.el7.x86_64
qpid-dispatch-router-0.8.0-19.el7.x86_64
tfm-rubygem-qpid_messaging-1.36.0-8.el7sat.x86_64
qpid-java-common-0.30-3.el7.noarch
qpid-cpp-client-devel-1.36.0-19.el7.x86_64
python-qpid-1.35.0-5.el7.noarch
python-gofer-qpid-2.12.3-1.el7.noarch
qpid-cpp-server-linearstore-1.36.0-19.el7.x86_64
provisioning.sysmgmt.lan-qpid-broker-1.0-2.noarch
provisioning.sysmgmt.lan-qpid-router-server-1.0-1.noarch
qpid-cpp-debuginfo-1.36.0-19.el7.x86_64
qpid-proton-c-0.16.0-13.el7sat.x86_64
python-qpid-proton-0.16.0-13.el7sat.x86_64
qpid-tools-1.36.0-19.el7.noarch
provisioning.sysmgmt.lan-qpid-client-cert-1.0-1.noarch
qpid-cpp-server-1.36.0-19.el7.x86_64
qpid-dispatch-tools-0.8.0-19.el7.x86_64
qpid-qmf-1.36.0-19.el7.x86_64
qpid-java-client-0.30-3.el7.noarch
qpid-proton-debuginfo-0.16.0-13.el7sat.x86_64
python-qpid-qmf-1.36.0-19.el7.x86_64
~~~

How reproducible:
100%

Steps to Reproduce:
1. Run the steps from KCS 3157651 with the same qpid version as mentioned above
2. The qpidd service will fail to start as the ACL file is gone
3.

Actual results:
qpid service fails to start

Expected results:
No failure

Additional info:
I would recommend moving the ACL file to /etc/qpid/ instead of keeping it in /var/lib/qpidd/.qpidd/


Workaround is to create the acl manually:

# cat /var/lib/qpidd/.qpidd/qpid_acls.acl
~~~
# allow the actions needed by katello_agent
acl allow katello_agent@QPID create queue
acl allow katello_agent@QPID consume queue
acl allow katello_agent@QPID access exchange
acl allow katello_agent@QPID access queue
acl allow katello_agent@QPID publish exchange routingkey=pulp.task
acl allow katello_agent@QPID publish exchange name=qmf.default.direct
acl allow katello_agent@QPID access method name=create

acl deny-log katello_agent@QPID access method name=*
acl deny-log katello_agent@QPID all all

# allow anything else
acl allow all all
~~~

With correct permissions:

# ls -lZ /var/lib/qpidd/.qpidd/qpid_acls.acl
~~~
-rw-------. qpidd qpidd system_u:object_r:qpidd_var_lib_t:s0 /var/lib/qpidd/.qpidd/qpid_acls.acl
~~~

Comment 3 Kenny Tordeurs 2019-06-04 11:18:54 UTC
Moving the ACL to /etc/qpid/ worked fine for me and would prevent the file from being deleted when any actions are taken for the journal file.

# grep acl qpidd.conf
~~~
acl-file=/etc/qpid/qpid_acls.acl
~~~
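
A pre-flight check for the failure in this report, as an added example that is not part of the bug report or of Satellite's own tooling: it resolves the acl-file setting the way the log above shows (a relative name lands in /var/lib/qpidd/.qpidd), then confirms the file exists with mode 0600. The function name check_qpidd_acl and its status strings are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper, not shipped with qpid or Satellite).
# Usage: check_qpidd_acl <qpidd.conf> [data-dir used for relative acl-file names]
# Prints one status line; returns 0 = usable, 1 = broker would fail or file is
# too permissive, 2 = configuration could not be evaluated.

check_qpidd_acl() {
    local conf=$1
    # Directory in which this report shows a relative acl-file being looked up.
    local base=${2:-/var/lib/qpidd/.qpidd}
    local acl mode

    [ -r "$conf" ] || { echo "CONF_UNREADABLE"; return 2; }

    # Uncommented acl-file= line, surrounding whitespace stripped.
    # Assumption: if several lines are present, the last one is reported.
    acl=$(sed -n 's/^[[:space:]]*acl-file[[:space:]]*=[[:space:]]*//p' "$conf" \
          | tail -n 1 | sed 's/[[:space:]]*$//')
    [ -n "$acl" ] || { echo "NO_ACL_FILE_SETTING"; return 2; }

    # A relative name resolves inside the data directory, which is the
    # location that gets wiped by the journal clean-up in this report.
    case $acl in
        /*) ;;
        *)  acl=$base/$acl ;;
    esac

    # Missing file: qpidd exits with "Unable to open ACL file" at start-up.
    [ -f "$acl" ] || { echo "MISSING $acl"; return 1; }

    # 0600 is the mode shown in the report's workaround (GNU stat syntax).
    mode=$(stat -c '%a' "$acl")
    [ "$mode" = "600" ] || { echo "BAD_MODE $mode $acl"; return 1; }

    # Present and correct, but still stored where data clean-up removes it.
    case $acl in
        "$base"/*) echo "OK_IN_DATA_DIR $acl"; return 0 ;;
    esac
    echo "OK $acl"
}
```

Run it as `check_qpidd_acl /etc/qpid/qpidd.conf` before restarting qpidd after any procedure that clears the broker's data directory; an `OK_IN_DATA_DIR` result means the file is fine now but still sits in the location this bug is about.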

Comment 9 Radovan Drazny 2019-08-30 10:15:06 UTC
Checked on Satellite 6.6 Snap 17 using steps provided by Jan in comment #4.

~~~
[root@sat66 ~]# grep acl /etc/qpid/qpidd.conf
acl-file=/etc/qpid/qpid.acl
[root@sat66 ~]# cat /etc/qpid/qpid.acl
# allow the actions needed by katello_agent
acl allow katello_agent@QPID create queue
acl allow katello_agent@QPID consume queue
acl allow katello_agent@QPID access exchange
acl allow katello_agent@QPID access queue
acl allow katello_agent@QPID publish exchange routingkey=pulp.task
acl allow katello_agent@QPID publish exchange name=qmf.default.direct
acl allow katello_agent@QPID access method name=create

acl deny-log katello_agent@QPID access method name=*
acl deny-log katello_agent@QPID all all

# allow anything else
acl allow all all
~~~

The location of the ACL file in the config is changed to /etc/qpid/qpid.acl; the file is present and contains the required info.

VERIFIED

Comment 11 errata-xmlrpc 2019-10-22 12:47:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3172

