1906394 – websocket proxy service - [Errno 13] Permission denied

Bug 1906394 - websocket proxy service - [Errno 13] Permission denied

Summary: websocket proxy service - [Errno 13] Permission denied

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Virtualization Manager
Classification:	Red Hat
Component:	Documentation
Sub Component:
Version:	4.4.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	ovirt-4.4.6
Target Release:	---
Assignee:	Steve Goodman
QA Contact:	Guilherme Santos
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-12-10 12:27 UTC by Michael Vollmer
Modified:	2021-05-18 06:38 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-05-12 13:23:22 UTC
oVirt Team:	Integration
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	oVirt ovirt-site pull 2460	0	None	open	updating admin guide for replacing CA	2021-04-08 07:40:24 UTC

Description Michael Vollmer 2020-12-10 12:27:48 UTC

Description of problem:
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/administration_guide/index#Replacing_the_Manager_CA_Certificate has a missing step.
In "Replacing the Red Hat Virtualization Manager Apache CA Certificate" step 8 we copy they certificate but don't check ownership nor permission.

Version-Release number of selected component (if applicable):
ovirt-engine-websocket-proxy-4.4.2.6-0.2.el8ev.noarch

How reproducible:
always

Steps to Reproduce:
1. follow the docs

Actual results:
- see that novnc console does not work (something went wrong)
- # journalctl -u ovirt-websocket-proxy.service|grep -i Errno
Dec 09 15:58:02 rhvm1.example.com ovirt-websocket-proxy.py[2136316]: ovirt-websocket-proxy[2137092] INFO msg:887 handler exception: [Errno 13] Permission denied
Dec 09 15:58:02 rhvm1.example.com ovirt-websocket-proxy.py[2136316]: ovirt-websocket-proxy[2137093] INFO msg:887 handler exception: [Errno 13] Permission denied


Expected results:
novnc console works and no errors in journalctl

Additional info: possible solutions to include in step 8:
1. chown root:ovirt /etc/pki/ovirt-engine/certs/apache.cer
OR
2. chmod 644 /etc/pki/ovirt-engine/certs/apache.cer

Comment 1 Yedidyah Bar David 2021-01-10 13:05:13 UTC

(In reply to Michael Vollmer from comment #0)
> Additional info: possible solutions to include in step 8:
> 1. chown root:ovirt /etc/pki/ovirt-engine/certs/apache.cer
> OR
> 2. chmod 644 /etc/pki/ovirt-engine/certs/apache.cer

I agree. IMO we want _both_ (not "OR"). Should be after current step 8's command and before step 9 - can be inside step 8 or as a new step, I don't mind.

These commands might or might not be required, depending on your umask, etc., but I can't see a reason to not always include them.

Thanks!

Comment 2 Steve Goodman 2021-04-08 12:03:11 UTC

I made some edits and merged the branch, but then I realized that this change requires QE verfication, so I created a new merge request with the changes:

https://gitlab.cee.redhat.com/rhci-documentation/docs-Red_Hat_Enterprise_Virtualization/-/merge_requests/1944

Comment 3 Steve Goodman 2021-04-25 13:23:13 UTC

Gui,

Please verify that the procedure works as documented. See comment 2.

Comment 5 Steve Goodman 2021-05-18 06:38:44 UTC

The changes requested have been merged into master and published. Comment 4 indicates that QE does not have resourced to verify the changes are in: https://gitlab.cee.redhat.com/rhci-documentation/docs-Red_Hat_Enterprise_Virtualization/-/merge_requests/1943

Note You need to log in before you can comment on or make changes to this bug.