Description of problem:
The ACL /var/lib/qpidd/.qpidd/qpid_acls.acl gets removed with certain procedures

~~~
qpidd.conf:acl-file=qpid_acls.acl
~~~

Results in failure to start the qpidd service:

~~~
Redirecting to /bin/systemctl status qpidd.service
● qpidd.service - An AMQP message broker daemon.
   Loaded: loaded (/usr/lib/systemd/system/qpidd.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2019-06-04 12:07:27 CEST; 36s ago
     Docs: man:qpidd(1)
           http://qpid.apache.org/
  Process: 9002 ExecStart=/usr/sbin/qpidd --config /etc/qpid/qpidd.conf (code=exited, status=1/FAILURE)
 Main PID: 9002 (code=exited, status=1/FAILURE)

Jun 04 12:07:27 provisioning.sysmgmt.lan systemd[1]: Started An AMQP message broker daemon..
Jun 04 12:07:27 provisioning.sysmgmt.lan qpidd[9002]: 2019-06-04 12:07:27 [Security] error Unable to open ACL file "/var/lib/qpidd/.qpidd/qpid_acls.acl": eof=F; fail=T; bad=F
Jun 04 12:07:27 provisioning.sysmgmt.lan qpidd[9002]: 2019-06-04 12:07:27 [Security] error Unable to open ACL file "/var/lib/qpidd/.qpidd/qpid_acls.acl": eof=F; fail=T; bad=F
Jun 04 12:07:27 provisioning.sysmgmt.lan qpidd[9002]: 2019-06-04 12:07:27 [Broker] critical Broker (pid=9002) start-up failed: Could not read ACL file Unable to open ACL file "/var/lib/qpidd/.qpi...fail=T; bad=F
Jun 04 12:07:27 provisioning.sysmgmt.lan qpidd[9002]: 2019-06-04 12:07:27 [Broker] critical Broker (pid=9002) start-up failed: Could not read ACL file Unable to open ACL file "/var/lib/qpidd/.qpi...fail=T; bad=F
Jun 04 12:07:27 provisioning.sysmgmt.lan qpidd[9002]: 2019-06-04 12:07:27 [Broker] critical Unexpected error: Could not read ACL file Unable to open ACL file "/var/lib/qpidd/.qpidd/qpid_acls.acl"...fail=T; bad=F
Jun 04 12:07:27 provisioning.sysmgmt.lan qpidd[9002]: 2019-06-04 12:07:27 [Broker] critical Unexpected error: Could not read ACL file Unable to open ACL file "/var/lib/qpidd/.qpidd/qpid_acls.acl"...fail=T; bad=F
Jun 04 12:07:27 provisioning.sysmgmt.lan systemd[1]: qpidd.service: main process exited, code=exited, status=1/FAILURE
Jun 04 12:07:27 provisioning.sysmgmt.lan systemd[1]: Unit qpidd.service entered failed state.
Jun 04 12:07:27 provisioning.sysmgmt.lan systemd[1]: qpidd.service failed.
~~~

Example of running https://access.redhat.com/solutions/3157651 will result in the ACL file being removed

Version-Release number of selected component (if applicable):

# rpm -qa | grep qpid
~~~
provisioning.sysmgmt.lan-qpid-router-client-1.0-1.noarch
qpid-cpp-client-1.36.0-19.el7.x86_64
qpid-dispatch-router-0.8.0-19.el7.x86_64
tfm-rubygem-qpid_messaging-1.36.0-8.el7sat.x86_64
qpid-java-common-0.30-3.el7.noarch
qpid-cpp-client-devel-1.36.0-19.el7.x86_64
python-qpid-1.35.0-5.el7.noarch
python-gofer-qpid-2.12.3-1.el7.noarch
qpid-cpp-server-linearstore-1.36.0-19.el7.x86_64
provisioning.sysmgmt.lan-qpid-broker-1.0-2.noarch
provisioning.sysmgmt.lan-qpid-router-server-1.0-1.noarch
qpid-cpp-debuginfo-1.36.0-19.el7.x86_64
qpid-proton-c-0.16.0-13.el7sat.x86_64
python-qpid-proton-0.16.0-13.el7sat.x86_64
qpid-tools-1.36.0-19.el7.noarch
provisioning.sysmgmt.lan-qpid-client-cert-1.0-1.noarch
qpid-cpp-server-1.36.0-19.el7.x86_64
qpid-dispatch-tools-0.8.0-19.el7.x86_64
qpid-qmf-1.36.0-19.el7.x86_64
qpid-java-client-0.30-3.el7.noarch
qpid-proton-debuginfo-0.16.0-13.el7sat.x86_64
python-qpid-qmf-1.36.0-19.el7.x86_64
~~~

How reproducible:
100%

Steps to Reproduce:
1. Run the steps from KCS 3157651 with same qpid version as mentioned above
2. qpidd service will fail to start as ACL file is gone
3.

Actual results:
qpid service fails to start

Expected results:
No failure

Additional info:
I would recommend to move the acl file to /etc/qpid/ instead of keeping it in /var/lib/qpidd/.qpidd/

Workaround is to create the acl manually:

# cat /var/lib/qpidd/.qpidd/qpid_acls.acl
~~~
# allow the actions needed by katello_agent
acl allow katello_agent@QPID create queue
acl allow katello_agent@QPID consume queue
acl allow katello_agent@QPID access exchange
acl allow katello_agent@QPID access queue
acl allow katello_agent@QPID publish exchange routingkey=pulp.task
acl allow katello_agent@QPID publish exchange name=qmf.default.direct
acl allow katello_agent@QPID access method name=create
acl deny-log katello_agent@QPID access method name=*
acl deny-log katello_agent@QPID all all
# allow anything else
acl allow all all
~~~

With correct permissions:

# ls -lZ /var/lib/qpidd/.qpidd/qpid_acls.acl
~~~
-rw-------. qpidd qpidd system_u:object_r:qpidd_var_lib_t:s0 /var/lib/qpidd/.qpidd/qpid_acls.acl
~~~

Moving the acl to /etc/qpid/ worked fine for me and would avoid the file from being deleted when any actions are taken for the journal file.

# grep acl qpidd.conf
~~~
acl-file=/etc/qpid/qpid_acls.acl
~~~

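A pre-start check for the failure in this report, as an added example that is not part of the original bug or of Satellite's own tooling: it resolves `acl-file` from qpidd.conf the way the error message implies (a relative name lands under the data directory), then confirms the file exists, contains rules, and has no group/other access. The function names and the default data directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.
# Default data dir is taken from the path in the report's error message.
DEFAULT_DATA_DIR=/var/lib/qpidd/.qpidd

# Print the absolute ACL path configured in a qpidd.conf.
# A relative acl-file value is resolved under the data directory, matching
# acl-file=qpid_acls.acl -> /var/lib/qpidd/.qpidd/qpid_acls.acl in the report.
resolve_acl_file() {
    conf=$1
    data_dir=${2:-$DEFAULT_DATA_DIR}
    # If the key is repeated, this sketch uses the last one (assumption).
    value=$(sed -n 's/^[[:space:]]*acl-file[[:space:]]*=[[:space:]]*//p' "$conf" 2>/dev/null |
            tail -n 1 | sed 's/[[:space:]]*$//')
    [ -n "$value" ] || return 1
    case $value in
        /*) printf '%s\n' "$value" ;;
        *)  printf '%s/%s\n' "$data_dir" "$value" ;;
    esac
}

# Return codes: 0 ok, 1 no acl-file key, 2 file missing, 3 no rules, 4 mode too open.
check_acl_file() {
    acl=$(resolve_acl_file "$1" "$2") || { echo "no acl-file key in $1"; return 1; }
    [ -f "$acl" ] || { echo "MISSING: $acl (qpidd will refuse to start)"; return 2; }
    grep -q '^[[:space:]]*acl[[:space:]]' "$acl" || { echo "NO RULES: $acl"; return 3; }
    # Group/other permission bits from ls -l; the report lists -rw------- as correct.
    go_bits=$(ls -ld "$acl" | cut -c5-10)
    [ "$go_bits" = "------" ] || { echo "TOO OPEN: $acl"; return 4; }
    echo "OK: $acl"
}

# Usage: sh check_qpid_acl.sh /etc/qpid/qpidd.conf [data-dir]
if [ "$#" -gt 0 ]; then
    check_acl_file "$@"
fi
```

Run before and after any procedure that clears the qpidd data directory; return code 2 is the condition that produces the "Unable to open ACL file" start-up failure shown in the report.
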
Checked on Satellite 6.6 Snap 17 using steps provided by Jan in comment #4.

[root@sat66 ~]# grep acl /etc/qpid/qpidd.conf
acl-file=/etc/qpid/qpid.acl
[root@sat66 ~]# cat /etc/qpid/qpid.acl
# allow the actions needed by katello_agent
acl allow katello_agent@QPID create queue
acl allow katello_agent@QPID consume queue
acl allow katello_agent@QPID access exchange
acl allow katello_agent@QPID access queue
acl allow katello_agent@QPID publish exchange routingkey=pulp.task
acl allow katello_agent@QPID publish exchange name=qmf.default.direct
acl allow katello_agent@QPID access method name=create
acl deny-log katello_agent@QPID access method name=*
acl deny-log katello_agent@QPID all all
# allow anything else
acl allow all all

The location of acl file in the config is changed to /etc/qpid/qpid.acl, the file is present and contains required info.

VERIFIED

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:3172