Clone from https://github.com/389ds/389-ds-base/issues/4592

Description of problem:

dscreate fails when using custom path with the db_dir parameter.
Creating the db_dir path and changing permissions, mode, SELinux labels, prior to the dscreate did not seem to help.
It seems the directories are created in /usr/lib/python3.6/site-packages/lib389/instance/setup.py
The ns-slapd process start sequence fails with a permission error on the custom db directory.

CRIT - bdb_start - Can't start because the database directory "/testdata/dirsrv/test/db" either doesn't exist, or is not accessible

permissions and ownership look correct, SELinux labels not correct have
unconfined_u:object_r:default_t:s0
versus an expected
unconfined_u:object_r:dirsrv_var_lib_t:s0
but permissive mode does not change the behavior.

the problem may be around line 757, when the parent directories owned by root:root are created with mode 770, while they need 775 so that the ns-slapd's uid/group can actually change into those directories:

/usr/lib/python3.6/site-packages/lib389/instance/setup.py
...
    def _install_ds(self, general, slapd, backends):
...
        # Create all the needed paths
        # we should only need to make bak_dir, cert_dir, config_dir, db_dir, ldif_dir, lock_dir, log_dir, run_dir?
        for path in ('backup_dir', 'cert_dir', 'db_dir', 'ldif_dir', 'lock_dir', 'log_dir', 'run_dir'):
            self.log.debug("ACTION: creating %s", slapd[path])
            try:
                os.umask(0o007)  # For parent dirs that get created -> sets 770 for perms
                os.makedirs(slapd[path], mode=0o770)
            except OSError:
                pass
            os.chown(slapd[path], slapd['user_uid'], slapd['group_gid'])

related:
os.makedirs(name, mode=0o777, exist_ok=False)
...
Changed in version 3.7: The mode argument no longer affects the file permission bits of newly-created intermediate-level directories.

workaround, do before the dscreate command:

mkdir -p /testdata/dirsrv/test/db
chmod 775 /testdata/
chmod 775 /testdata/dirsrv/
chown root:root /testdata/
chown root:root /testdata/dirsrv/
chmod -R 770 /testdata/dirsrv/test/
chown -R ldapuser1:ldapgroup1 /testdata/dirsrv/test/
chcon -R system_u:object_r:dirsrv_var_lib_t:s0 /testdata/dirsrv/

ls -alRZ /testdata/
/testdata/:
total 4
drwxr-xr-x. 3 root root unconfined_u:object_r:default_t:s0 20 Feb 2 19:55 .
dr-xr-xr-x. 20 root root system_u:object_r:root_t:s0 4096 Feb 2 19:55 ..
drwxr-xr-x. 3 root root system_u:object_r:dirsrv_var_lib_t:s0 18 Feb 2 19:55 dirsrv

/testdata/dirsrv:
total 0
drwxr-xr-x. 3 root root system_u:object_r:dirsrv_var_lib_t:s0 18 Feb 2 19:55 .
drwxr-xr-x. 3 root root unconfined_u:object_r:default_t:s0 20 Feb 2 19:55 ..
drwxrwx---. 3 ldapuser1 ldapgroup1 system_u:object_r:dirsrv_var_lib_t:s0 16 Feb 2 22:15 test

/testdata/dirsrv/test:
total 0
drwxrwx---. 3 ldapuser1 ldapgroup1 system_u:object_r:dirsrv_var_lib_t:s0 16 Feb 2 22:15 .
drwxr-xr-x. 3 root root system_u:object_r:dirsrv_var_lib_t:s0 18 Feb 2 19:55 ..
drwxrwx---. 2 ldapuser1 ldapgroup1 system_u:object_r:dirsrv_var_lib_t:s0 6 Feb 2 22:15 db

/testdata/dirsrv/test/db:
total 0
drwxrwx---. 2 ldapuser1 ldapgroup1 system_u:object_r:dirsrv_var_lib_t:s0 6 Feb 2 22:15 .
drwxrwx---. 3 ldapuser1 ldapgroup1 system_u:object_r:dirsrv_var_lib_t:s0 16 Feb 2 22:15 ..

Version-Release number of selected component (if applicable):

redhat-release-8.3-1.0.el8.x86_64
SELinux enforced or permissive
389-ds-base-1.4.3.13-1.module+el8dsrv+8334+69a46a2e.x86_64

How reproducible:

on demand

Steps to Reproduce:

1. create a config file

grep ldap /etc/passwd /etc/group
groupadd -r ldapgroup1
useradd -r -g ldapgroup1 ldapuser1
grep ldap /etc/passwd /etc/group

cat << EOF > ~/ds11.instance.test.inf
[general]
full_machine_name = m2.example.test
[slapd]
backup_dir = /dump/dirsrv/{instance_name}
cert_dir = /etc/dirsrv/slapd-{instance_name}
config_dir = /etc/dirsrv/slapd-{instance_name}
data_dir = /usr/share
db_dir = /testdata/dirsrv/{instance_name}/db
user = ldapuser1
group = ldapgroup1
instance_name = test
port = 1389
secure_port = 1636
root_dn = cn=Directory Manager
root_password = password
[backend-userroot]
EOF

2. create an instance

dscreate -v from-file ~/ds11.instance.test.inf

3. review errors log and test

grep CRIT /var/log/dirsrv/slapd-test/errors

Actual results:

DEBUG: PASSED: instance checking
DEBUG: INFO: temp root password set to .PttHq45IET43tXes746XQ.RKPEP7WuzBsBCVdxCDoqmNcgZWJtuql1.1TqB7pxsY
DEBUG: PASSED: root user checking
DEBUG: PASSED: network avaliability checking
DEBUG: READY: Beginning installation for test...
DEBUG: ACTION: Creating dse.ldif
DEBUG: ACTION: creating /dump/dirsrv/test
DEBUG: ACTION: creating /etc/dirsrv/slapd-test
DEBUG: ACTION: creating /testdata/dirsrv/test/db
DEBUG: ACTION: creating /var/lib/dirsrv/slapd-test/ldif
DEBUG: ACTION: creating /var/lock/dirsrv/slapd-test
DEBUG: ACTION: creating /var/log/dirsrv/slapd-test
DEBUG: ACTION: creating /var/run/dirsrv
DEBUG: CMD: systemctl enable dirsrv@test ; STDOUT: ; STDERR: Created symlink /etc/systemd/system/multi-user.target.wants/dirsrv → /usr/lib/systemd/system/dirsrv@.service.
DEBUG: ACTION: Creating certificate database is /etc/dirsrv/slapd-test
DEBUG: Allocate <class 'lib389.DirSrv'> with None
DEBUG: Allocate <class 'lib389.DirSrv'> with m2.example.test:1389
DEBUG: Allocate <class 'lib389.DirSrv'> with m2.example.test:1389
DEBUG: nss cmd: /usr/bin/certutil -N -d /etc/dirsrv/slapd-test -f /etc/dirsrv/slapd-test/pwdfile.txt
DEBUG: nss output:
DEBUG: nss cmd: /usr/bin/certutil -L -n Self-Signed-CA -d /etc/dirsrv/ssca/
DEBUG: CSR subject -> CN=m2.example.test,givenName=fb995d04-c4e4-47bf-a160-30b371b57eb0,O=testing,L=389ds,ST=Queensland,C=AU
DEBUG: CSR alt_names -> ['m2.example.test']
DEBUG: nss cmd: /usr/bin/certutil -R --keyUsage digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment --nsCertType sslClient,sslServer --extKeyUsage clientAuth,serverAuth -s CN=m2.example.test,givenName=fb995d04-c4e4-47bf-a160-30b371b57eb0,O=testing,L=389ds,ST=Queensland,C=AU -8 m2.example.test -g 4096 -d /etc/dirsrv/slapd-test -z /etc/dirsrv/slapd-test/noise.txt -f /etc/dirsrv/slapd-test/pwdfile.txt -a -o /etc/dirsrv/slapd-test/Server-Cert.csr
DEBUG: nss cmd: /usr/bin/certutil -C -d /etc/dirsrv/ssca/ -f /etc/dirsrv/ssca//pwdfile.txt -v 24 -a -i /etc/dirsrv/slapd-test/Server-Cert.csr -o /etc/dirsrv/slapd-test/Server-Cert.crt -c Self-Signed-CA
DEBUG: nss cmd: /usr/bin/c_rehash /etc/dirsrv/slapd-test
DEBUG: nss cmd: /usr/bin/certutil -A -n Self-Signed-CA -t CT,, -a -i /etc/dirsrv/slapd-test/ca.crt -d /etc/dirsrv/slapd-test -f /etc/dirsrv/slapd-test/pwdfile.txt
DEBUG: nss cmd: /usr/bin/certutil -A -n Server-Cert -t ,, -a -i /etc/dirsrv/slapd-test/Server-Cert.crt -d /etc/dirsrv/slapd-test -f /etc/dirsrv/slapd-test/pwdfile.txt
DEBUG: nss cmd: /usr/bin/certutil -V -d /etc/dirsrv/slapd-test -n Server-Cert -u YCV
DEBUG: systemd status -> True
DEBUG: systemd status -> True
Job for dirsrv failed because the control process exited with error code.
See "systemctl status dirsrv" and "journalctl -xe" for details.
DEBUG: Command '['systemctl', 'start', 'dirsrv@test']' returned non-zero exit status 1.
Traceback (most recent call last):
  File "/usr/sbin/dscreate", line 78, in <module>
    result = args.func(inst, log, args)
  File "/usr/lib/python3.6/site-packages/lib389/cli_ctl/instance.py", line 68, in instance_create
    if sd.create_from_inf(args.file):
  File "/usr/lib/python3.6/site-packages/lib389/instance/setup.py", line 533, in create_from_inf
    self.create_from_args(general, slapd, backends, self.extra)
  File "/usr/lib/python3.6/site-packages/lib389/instance/setup.py", line 669, in create_from_args
    self._install_ds(general, slapd, backends)
  File "/usr/lib/python3.6/site-packages/lib389/instance/setup.py", line 888, in _install_ds
    ds_instance.start(timeout=60)
  File "/usr/lib/python3.6/site-packages/lib389/__init__.py", line 1129, in start
    "dirsrv@%s" % self.serverid])
  File "/usr/lib64/python3.6/subprocess.py", line 311, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['systemctl', 'start', 'dirsrv@test']' returned non-zero exit status 1.
ERROR: Error: Command '['systemctl', 'start', 'dirsrv@test']' returned non-zero exit status 1.

the dse.ldif got the custom path:

grep testdata /etc/dirsrv/slapd-test/dse.ldif
nsslapd-directory: /testdata/dirsrv/test/db
nsslapd-db-logdirectory: /testdata/dirsrv/test/db

less /var/log/dirsrv/slapd-test/errors
389-Directory/1.4.2.12 B2021.029.2040
m2.example.test:1389 (/etc/dirsrv/slapd-test)
[02/Feb/2021:17:54:42.454458825 -0800] - INFO - main - 389-Directory/1.4.2.12 B2021.029.2040 starting up
[02/Feb/2021:17:54:42.457603853 -0800] - INFO - main - Setting the maximum file descriptor limit to: 262144
[02/Feb/2021:17:54:43.008425092 -0800] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 2048 rounds
[02/Feb/2021:17:54:43.015806960 -0800] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[02/Feb/2021:17:54:43.019459291 -0800] - INFO - bdb_config_upgrade_dse_info - create config entry from old config
[02/Feb/2021:17:54:43.027048488 -0800] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[02/Feb/2021:17:54:43.030485385 -0800] - NOTICE - ldbm_back_start - found 1870824k physical memory
[02/Feb/2021:17:54:43.033408626 -0800] - NOTICE - ldbm_back_start - found 1115964k available
[02/Feb/2021:17:54:43.036323091 -0800] - NOTICE - ldbm_back_start - cache autosizing: db cache: 46770k
[02/Feb/2021:17:54:43.039575161 -0800] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[02/Feb/2021:17:54:43.043020082 -0800] - NOTICE - ldbm_back_start - total cache size: 38314475 B;
[02/Feb/2021:17:54:43.046258626 -0800] - ERR - bdb_version_write - Could not open file "%s" for writing Netscape Portable Runtime %d (%s) - /testdata/dirsrv/test/db/DBVERSION[02/Feb/2021:17:54:43.049417611 -0800] - ERR - mkdir_p - /testdata/dirsrv: error -5966 (Access Denied.)
[02/Feb/2021:17:54:43.052351412 -0800] - CRIT - bdb_start - Can't start because the database directory "/testdata/dirsrv/test/db" either doesn't exist, or is not accessible
[02/Feb/2021:17:54:43.055624040 -0800] - ERR - ldbm_back_start - Failed to init database, err=-1 BDB0092 Unknown error: -1
[02/Feb/2021:17:54:43.058984644 -0800] - ERR - plugin_dependency_startall - Failed to start database plugin ldbm database
[02/Feb/2021:17:54:43.066593297 -0800] - CRIT - dblayer_setup - dblayer_init failed
[02/Feb/2021:17:54:43.070416830 -0800] - ERR - ldbm_back_start - Failed to setup dblayer
[02/Feb/2021:17:54:43.073265352 -0800] - ERR - plugin_dependency_startall - Failed to start database plugin ldbm database
[02/Feb/2021:17:54:43.076862239 -0800] - ERR - plugin_dependency_startall - Failed to resolve plugin dependencies
[02/Feb/2021:17:54:43.079920654 -0800] - ERR - plugin_dependency_startall - object plugin Roles Plugin is not started
[02/Feb/2021:17:54:43.082900803 -0800] - ERR - plugin_dependency_startall - accesscontrol plugin ACL Plugin is not started
[02/Feb/2021:17:54:43.085902582 -0800] - ERR - plugin_dependency_startall - preoperation plugin ACL preoperation is not started
[02/Feb/2021:17:54:43.089347403 -0800] - ERR - plugin_dependency_startall - object plugin Class of Service is not started
[02/Feb/2021:17:54:43.092701535 -0800] - ERR - plugin_dependency_startall - object plugin Views is not started
[02/Feb/2021:17:54:43.095761713 -0800] - ERR - plugin_dependency_startall - betxnpreoperation plugin 7-bit check is not started
[02/Feb/2021:17:54:43.098684284 -0800] - ERR - plugin_dependency_startall - preoperation plugin Account Usability Plugin is not started
[02/Feb/2021:17:54:43.102333339 -0800] - ERR - plugin_dependency_startall - betxnpreoperation plugin Auto Membership Plugin is not started
[02/Feb/2021:17:54:43.105615976 -0800] - ERR - plugin_dependency_startall - preoperation plugin deref is not started
[02/Feb/2021:17:54:43.109015111 -0800] - ERR - plugin_dependency_startall - preoperation plugin HTTP Client is not started
[02/Feb/2021:17:54:43.112206577 -0800] - ERR - plugin_dependency_startall - betxnpreoperation plugin Linked Attributes is not started
[02/Feb/2021:17:54:43.115890468 -0800] - ERR - plugin_dependency_startall - betxnpreoperation plugin Managed Entries is not started
[02/Feb/2021:17:54:43.119210915 -0800] - ERR - plugin_dependency_startall - object plugin Multimaster Replication Plugin is not started
[02/Feb/2021:17:54:43.122747970 -0800] - ERR - plugin_dependency_startall - extendedop plugin whoami is not started
[02/Feb/2021:17:54:43.125953111 -0800] - ERR - plugin_dependency_startall - database plugin ldbm database is not started
(END)

Expected results:

yes

Additional info:

got incorrect sub directory permissions after the dscreate, 770 instead of 775, in this example with /testdata/ and /testdata/dirsrv/

ls -laRZ /testdata/
/testdata/:
total 4
drwxrwx---. 3 root root unconfined_u:object_r:default_t:s0 20 Feb 2 19:55 .
dr-xr-xr-x. 20 root root system_u:object_r:root_t:s0 4096 Feb 2 19:55 ..
drwxrwx---. 3 root root unconfined_u:object_r:default_t:s0 18 Feb 2 19:55 dirsrv

/testdata/dirsrv:
total 0
drwxrwx---. 3 root root unconfined_u:object_r:default_t:s0 18 Feb 2 19:55 .
drwxrwx---. 3 root root unconfined_u:object_r:default_t:s0 20 Feb 2 19:55 ..
drwxrwx---. 3 ldapuser1 ldapgroup1 unconfined_u:object_r:default_t:s0 16 Feb 2 19:55 test

/testdata/dirsrv/test:
total 0
drwxrwx---. 3 ldapuser1 ldapgroup1 unconfined_u:object_r:default_t:s0 16 Feb 2 19:55 .
drwxrwx---. 3 root root unconfined_u:object_r:default_t:s0 18 Feb 2 19:55 ..
drwxrwx---. 2 ldapuser1 ldapgroup1 unconfined_u:object_r:default_t:s0 6 Feb 2 19:55 db

/testdata/dirsrv/test/db:
total 0
drwxrwx---. 2 ldapuser1 ldapgroup1 unconfined_u:object_r:default_t:s0 6 Feb 2 19:55 .
drwxrwx---. 3 ldapuser1 ldapgroup1 unconfined_u:object_r:default_t:s0 16 Feb 2 19:55 ..
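
The parent-directory permission problem described in the report, reproduced in a temporary directory as an added example (not lib389 code and not the fix that shipped). The function names and the service uid/gid are constructed for illustration; the 770 and 775 modes are the ones the report gives.

```python
import os
import shutil
import tempfile

def create_like_setup_py(path):
    # Pattern quoted in the report: umask 007 plus makedirs(mode=0o770).
    old = os.umask(0o007)
    try:
        os.makedirs(path, mode=0o770)
    finally:
        os.umask(old)

def create_traversable(path, leaf_mode=0o770, parent_mode=0o775):
    # Create each missing component explicitly; chmod ignores the umask.
    missing, cur = [], os.path.abspath(path)
    while not os.path.isdir(cur):
        missing.append(cur)
        cur = os.path.dirname(cur)
    for d in reversed(missing):
        os.mkdir(d)
        os.chmod(d, leaf_mode if d == missing[0] else parent_mode)

def blocked_ancestors(path, uid, gids, stop):
    # Ancestors of path (below stop) whose mode bits deny search to uid/gids.
    blocked, stop = [], os.path.abspath(stop)
    cur = os.path.dirname(os.path.abspath(path))
    while cur != stop and cur != os.path.dirname(cur):
        st = os.stat(cur)
        bit = 0o100 if uid == st.st_uid else 0o010 if st.st_gid in gids else 0o001
        if not st.st_mode & bit:
            blocked.append(cur)
        cur = os.path.dirname(cur)
    return sorted(blocked)

def demo():
    base = tempfile.mkdtemp()
    owner = os.stat(base)
    # Constructed service account: differs from the directory owner and group.
    svc_uid, svc_gids = owner.st_uid + 1, {owner.st_gid + 1}
    bad = os.path.join(base, "a", "dirsrv", "test", "db")
    good = os.path.join(base, "b", "dirsrv", "test", "db")
    create_like_setup_py(bad)
    create_traversable(good)
    result = (len(blocked_ancestors(bad, svc_uid, svc_gids, base)),
              len(blocked_ancestors(good, svc_uid, svc_gids, base)))
    shutil.rmtree(base)
    return result

if __name__ == "__main__":
    print(demo())
```

`blocked_ancestors` looks only at classic mode bits, so ACLs and SELinux labels still need a separate check on a real host.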
*** Bug 2121747 has been marked as a duplicate of this bug. ***
============================================ test session starts =============================================
platform linux -- Python 3.9.16, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python3
cachedir: .pytest_cache
389-ds-base: 2.2.6-1.module+el9dsrv+17949+63c5b04e
nss: 3.79.0-14.el9_0
nspr: 4.34.0-14.el9_0
openldap: 2.6.2-3.el9
cyrus-sasl: not installed
FIPS: disabled
rootdir: /mnt/tests/rhds/install/ds/dirsrvtests, configfile: pytest.ini
collected 1 item

dirsrvtests/tests/suites/setup_ds/dscreate_test.py::test_setup_ds_custom_db_dir PASSED [100%]

============================================= 1 passed in 38.72s ============================================

WebUI also works with this custom setup.
Marking as VERIFIED.
Hi Viktor,

Could you please review the RN text in the DocText field.

Thanks,
Evgenia
Hi Evgenia,

Minor capitalization issue: seLinux -> SELinux

The rest looks good to me.

Thanks.
Peer comments were applied, RN text is release pending
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (redhat-ds:12 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:3344