Bug 1924569 - dscreate error, cannot start ns-slapd with custom db_dir path, incorrect sub dir permissions
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Directory Server
Classification: Red Hat
Component: 389-ds-base
Version: 12.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: dirsrv-12.2
Assignee: Pierre Rogier
QA Contact: LDAP QA Team
Docs Contact: Evgenia Martynyuk
URL:
Whiteboard: sync-to-jira
Duplicates: 2121747
Depends On:
Blocks:
 
Reported: 2021-02-03 08:32 UTC by Viktor Ashirov
Modified: 2024-03-25 18:06 UTC (History)

Fixed In Version: redhat-ds-12-9020020221130212339.1674d57
Doc Type: Bug Fix
Doc Text:
.The `dscreate` utility now works correctly when it uses a custom path with the `db_dir` parameter
Previously, an instance that used custom directory paths failed to start because the custom directories had a wrong SELinux label. As a consequence, SELinux denied access to these directories and the instance was not created. With this release, the `dscreate` utility sets correct SELinux labels for the custom instance directories.
Clone Of:
Environment:
Last Closed: 2023-05-30 09:40:35 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github 389ds 389-ds-base issues 4592 0 None open dscreate error, cannot start ns-slapd with custom db_dir path, incorrect sub dir permissions 2021-02-16 06:54:50 UTC
Red Hat Issue Tracker IDMDS-2774 0 None None None 2023-02-09 10:19:36 UTC
Red Hat Product Errata RHBA-2023:3344 0 None None None 2023-05-30 09:40:50 UTC

Description Viktor Ashirov 2021-02-03 08:32:47 UTC
Clone from https://github.com/389ds/389-ds-base/issues/4592

Description of problem:

dscreate fails when using custom path with the db_dir parameter.
Creating the db_dir path and changing permissions, mode, SELinux labels, prior to the dscreate did not seem to help.
It seems the directories are created in /usr/lib/python3.6/site-packages/lib389/instance/setup.py
The ns-slapd process start sequence fails with a permission error on the custom db directory.
CRIT - bdb_start - Can't start because the database directory "/testdata/dirsrv/test/db" either doesn't exist, or is not accessible

Permissions and ownership look correct; the SELinux labels are not. They have:
unconfined_u:object_r:default_t:s0

versus the expected:
unconfined_u:object_r:dirsrv_var_lib_t:s0

But permissive mode does not change the behavior.


The problem may be around line 757: the parent directories, owned by root:root, are created with mode 770, while they need 775 so that ns-slapd's uid/gid can actually change into those directories:

/usr/lib/python3.6/site-packages/lib389/instance/setup.py
...
    def _install_ds(self, general, slapd, backends):
...
        # Create all the needed paths
        # we should only need to make bak_dir, cert_dir, config_dir, db_dir, ldif_dir, lock_dir, log_dir, run_dir?
        for path in ('backup_dir', 'cert_dir', 'db_dir', 'ldif_dir', 'lock_dir', 'log_dir', 'run_dir'):
            self.log.debug("ACTION: creating %s", slapd[path])
            try:
                os.umask(0o007)  # For parent dirs that get created -> sets 770 for perms
                os.makedirs(slapd[path], mode=0o770)
            except OSError:
                pass
            os.chown(slapd[path], slapd['user_uid'], slapd['group_gid'])


related:
os.makedirs(name, mode=0o777, exist_ok=False)
...
Changed in version 3.7: The mode argument no longer affects the file permission bits of newly-created intermediate-level directories.


Workaround, to be done before the dscreate command:

mkdir -p /testdata/dirsrv/test/db
chmod 775 /testdata/
chmod 775 /testdata/dirsrv/
chown root:root /testdata/
chown root:root /testdata/dirsrv/
chmod -R 770 /testdata/dirsrv/test/
chown -R ldapuser1:ldapgroup1 /testdata/dirsrv/test/
chcon -R system_u:object_r:dirsrv_var_lib_t:s0 /testdata/dirsrv/
ls -alRZ /testdata/
/testdata/:
total 4
drwxr-xr-x.  3 root root unconfined_u:object_r:default_t:s0      20 Feb  2 19:55 .
dr-xr-xr-x. 20 root root system_u:object_r:root_t:s0           4096 Feb  2 19:55 ..
drwxr-xr-x.  3 root root system_u:object_r:dirsrv_var_lib_t:s0   18 Feb  2 19:55 dirsrv

/testdata/dirsrv:
total 0
drwxr-xr-x. 3 root      root       system_u:object_r:dirsrv_var_lib_t:s0 18 Feb  2 19:55 .
drwxr-xr-x. 3 root      root       unconfined_u:object_r:default_t:s0    20 Feb  2 19:55 ..
drwxrwx---. 3 ldapuser1 ldapgroup1 system_u:object_r:dirsrv_var_lib_t:s0 16 Feb  2 22:15 test

/testdata/dirsrv/test:
total 0
drwxrwx---. 3 ldapuser1 ldapgroup1 system_u:object_r:dirsrv_var_lib_t:s0 16 Feb  2 22:15 .
drwxr-xr-x. 3 root      root       system_u:object_r:dirsrv_var_lib_t:s0 18 Feb  2 19:55 ..
drwxrwx---. 2 ldapuser1 ldapgroup1 system_u:object_r:dirsrv_var_lib_t:s0  6 Feb  2 22:15 db

/testdata/dirsrv/test/db:
total 0
drwxrwx---. 2 ldapuser1 ldapgroup1 system_u:object_r:dirsrv_var_lib_t:s0  6 Feb  2 22:15 .
drwxrwx---. 3 ldapuser1 ldapgroup1 system_u:object_r:dirsrv_var_lib_t:s0 16 Feb  2 22:15 ..



Version-Release number of selected component (if applicable):

redhat-release-8.3-1.0.el8.x86_64
SELinux enforced or permissive
389-ds-base-1.4.3.13-1.module+el8dsrv+8334+69a46a2e.x86_64


How reproducible:
on demand


Steps to Reproduce:

1. create a config file

grep ldap /etc/passwd /etc/group
groupadd -r ldapgroup1
useradd -r -g  ldapgroup1 ldapuser1
grep ldap /etc/passwd /etc/group

cat << EOF > ~/ds11.instance.test.inf
[general]
full_machine_name = m2.example.test
[slapd]
backup_dir = /dump/dirsrv/{instance_name}
cert_dir = /etc/dirsrv/slapd-{instance_name}
config_dir = /etc/dirsrv/slapd-{instance_name}
data_dir = /usr/share
db_dir = /testdata/dirsrv/{instance_name}/db
user = ldapuser1
group = ldapgroup1
instance_name = test
port = 1389
secure_port = 1636
root_dn = cn=Directory Manager
root_password = password
[backend-userroot]
EOF


2. create an instance

dscreate -v from-file ~/ds11.instance.test.inf


3. review errors log and test

grep CRIT /var/log/dirsrv/slapd-test/errors



Actual results:

DEBUG: PASSED: instance checking
DEBUG: INFO: temp root password set to .PttHq45IET43tXes746XQ.RKPEP7WuzBsBCVdxCDoqmNcgZWJtuql1.1TqB7pxsY
DEBUG: PASSED: root user checking
DEBUG: PASSED: network avaliability checking
DEBUG: READY: Beginning installation for test...
DEBUG: ACTION: Creating dse.ldif
DEBUG: ACTION: creating /dump/dirsrv/test
DEBUG: ACTION: creating /etc/dirsrv/slapd-test
DEBUG: ACTION: creating /testdata/dirsrv/test/db
DEBUG: ACTION: creating /var/lib/dirsrv/slapd-test/ldif
DEBUG: ACTION: creating /var/lock/dirsrv/slapd-test
DEBUG: ACTION: creating /var/log/dirsrv/slapd-test
DEBUG: ACTION: creating /var/run/dirsrv
DEBUG: CMD: systemctl enable dirsrv@test ; STDOUT:  ; STDERR: Created symlink /etc/systemd/system/multi-user.target.wants/dirsrv → /usr/lib/systemd/system/dirsrv@.service.

DEBUG: ACTION: Creating certificate database is /etc/dirsrv/slapd-test
DEBUG: Allocate <class 'lib389.DirSrv'> with None
DEBUG: Allocate <class 'lib389.DirSrv'> with m2.example.test:1389
DEBUG: Allocate <class 'lib389.DirSrv'> with m2.example.test:1389
DEBUG: nss cmd: /usr/bin/certutil -N -d /etc/dirsrv/slapd-test -f /etc/dirsrv/slapd-test/pwdfile.txt
DEBUG: nss output:
DEBUG: nss cmd: /usr/bin/certutil -L -n Self-Signed-CA -d /etc/dirsrv/ssca/
DEBUG: CSR subject -> CN=m2.example.test,givenName=fb995d04-c4e4-47bf-a160-30b371b57eb0,O=testing,L=389ds,ST=Queensland,C=AU
DEBUG: CSR alt_names -> ['m2.example.test']
DEBUG: nss cmd: /usr/bin/certutil -R --keyUsage digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment --nsCertType sslClient,sslServer --extKeyUsage clientAuth,serverAuth -s CN=m2.example.test,givenName=fb995d04-c4e4-47bf-a160-30b371b57eb0,O=testing,L=389ds,ST=Queensland,C=AU -8 m2.example.test -g 4096 -d /etc/dirsrv/slapd-test -z /etc/dirsrv/slapd-test/noise.txt -f /etc/dirsrv/slapd-test/pwdfile.txt -a -o /etc/dirsrv/slapd-test/Server-Cert.csr
DEBUG: nss cmd: /usr/bin/certutil -C -d /etc/dirsrv/ssca/ -f /etc/dirsrv/ssca//pwdfile.txt -v 24 -a -i /etc/dirsrv/slapd-test/Server-Cert.csr -o /etc/dirsrv/slapd-test/Server-Cert.crt -c Self-Signed-CA
DEBUG: nss cmd: /usr/bin/c_rehash /etc/dirsrv/slapd-test
DEBUG: nss cmd: /usr/bin/certutil -A -n Self-Signed-CA -t CT,, -a -i /etc/dirsrv/slapd-test/ca.crt -d /etc/dirsrv/slapd-test -f /etc/dirsrv/slapd-test/pwdfile.txt
DEBUG: nss cmd: /usr/bin/certutil -A -n Server-Cert -t ,, -a -i /etc/dirsrv/slapd-test/Server-Cert.crt -d /etc/dirsrv/slapd-test -f /etc/dirsrv/slapd-test/pwdfile.txt
DEBUG: nss cmd: /usr/bin/certutil -V -d /etc/dirsrv/slapd-test -n Server-Cert -u YCV
DEBUG: systemd status -> True
DEBUG: systemd status -> True
Job for dirsrv failed because the control process exited with error code.
See "systemctl status dirsrv" and "journalctl -xe" for details.
DEBUG: Command '['systemctl', 'start', 'dirsrv@test']' returned non-zero exit status 1.
Traceback (most recent call last):
  File "/usr/sbin/dscreate", line 78, in <module>
    result = args.func(inst, log, args)
  File "/usr/lib/python3.6/site-packages/lib389/cli_ctl/instance.py", line 68, in instance_create
    if sd.create_from_inf(args.file):
  File "/usr/lib/python3.6/site-packages/lib389/instance/setup.py", line 533, in create_from_inf
    self.create_from_args(general, slapd, backends, self.extra)
  File "/usr/lib/python3.6/site-packages/lib389/instance/setup.py", line 669, in create_from_args
    self._install_ds(general, slapd, backends)
  File "/usr/lib/python3.6/site-packages/lib389/instance/setup.py", line 888, in _install_ds
    ds_instance.start(timeout=60)
  File "/usr/lib/python3.6/site-packages/lib389/__init__.py", line 1129, in start
    "dirsrv@%s" % self.serverid])
  File "/usr/lib64/python3.6/subprocess.py", line 311, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['systemctl', 'start', 'dirsrv@test']' returned non-zero exit status 1.
ERROR: Error: Command '['systemctl', 'start', 'dirsrv@test']' returned non-zero exit status 1.


the dse.ldif got the custom path:
grep testdata /etc/dirsrv/slapd-test/dse.ldif
nsslapd-directory: /testdata/dirsrv/test/db
nsslapd-db-logdirectory: /testdata/dirsrv/test/db



less /var/log/dirsrv/slapd-test/errors
        389-Directory/1.4.2.12 B2021.029.2040
        m2.example.test:1389 (/etc/dirsrv/slapd-test)

[02/Feb/2021:17:54:42.454458825 -0800] - INFO - main - 389-Directory/1.4.2.12 B2021.029.2040 starting up
[02/Feb/2021:17:54:42.457603853 -0800] - INFO - main - Setting the maximum file descriptor limit to: 262144
[02/Feb/2021:17:54:43.008425092 -0800] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 2048 rounds
[02/Feb/2021:17:54:43.015806960 -0800] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[02/Feb/2021:17:54:43.019459291 -0800] - INFO - bdb_config_upgrade_dse_info - create config entry from old config
[02/Feb/2021:17:54:43.027048488 -0800] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[02/Feb/2021:17:54:43.030485385 -0800] - NOTICE - ldbm_back_start - found 1870824k physical memory
[02/Feb/2021:17:54:43.033408626 -0800] - NOTICE - ldbm_back_start - found 1115964k available
[02/Feb/2021:17:54:43.036323091 -0800] - NOTICE - ldbm_back_start - cache autosizing: db cache: 46770k
[02/Feb/2021:17:54:43.039575161 -0800] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[02/Feb/2021:17:54:43.043020082 -0800] - NOTICE - ldbm_back_start - total cache size: 38314475 B;
[02/Feb/2021:17:54:43.046258626 -0800] - ERR - bdb_version_write - Could not open file "%s" for writing Netscape Portable Runtime %d (%s)
 - /testdata/dirsrv/test/db/DBVERSION[02/Feb/2021:17:54:43.049417611 -0800] - ERR - mkdir_p - /testdata/dirsrv: error -5966 (Access Denied.)
[02/Feb/2021:17:54:43.052351412 -0800] - CRIT - bdb_start - Can't start because the database directory "/testdata/dirsrv/test/db" either doesn't exist, or is not accessible
[02/Feb/2021:17:54:43.055624040 -0800] - ERR - ldbm_back_start - Failed to init database, err=-1 BDB0092 Unknown error: -1
[02/Feb/2021:17:54:43.058984644 -0800] - ERR - plugin_dependency_startall - Failed to start database plugin ldbm database
[02/Feb/2021:17:54:43.066593297 -0800] - CRIT - dblayer_setup - dblayer_init failed
[02/Feb/2021:17:54:43.070416830 -0800] - ERR - ldbm_back_start - Failed to setup dblayer
[02/Feb/2021:17:54:43.073265352 -0800] - ERR - plugin_dependency_startall - Failed to start database plugin ldbm database
[02/Feb/2021:17:54:43.076862239 -0800] - ERR - plugin_dependency_startall - Failed to resolve plugin dependencies
[02/Feb/2021:17:54:43.079920654 -0800] - ERR - plugin_dependency_startall - object plugin Roles Plugin is not started
[02/Feb/2021:17:54:43.082900803 -0800] - ERR - plugin_dependency_startall - accesscontrol plugin ACL Plugin is not started
[02/Feb/2021:17:54:43.085902582 -0800] - ERR - plugin_dependency_startall - preoperation plugin ACL preoperation is not started
[02/Feb/2021:17:54:43.089347403 -0800] - ERR - plugin_dependency_startall - object plugin Class of Service is not started
[02/Feb/2021:17:54:43.092701535 -0800] - ERR - plugin_dependency_startall - object plugin Views is not started
[02/Feb/2021:17:54:43.095761713 -0800] - ERR - plugin_dependency_startall - betxnpreoperation plugin 7-bit check is not started
[02/Feb/2021:17:54:43.098684284 -0800] - ERR - plugin_dependency_startall - preoperation plugin Account Usability Plugin is not started
[02/Feb/2021:17:54:43.102333339 -0800] - ERR - plugin_dependency_startall - betxnpreoperation plugin Auto Membership Plugin is not started
[02/Feb/2021:17:54:43.105615976 -0800] - ERR - plugin_dependency_startall - preoperation plugin deref is not started
[02/Feb/2021:17:54:43.109015111 -0800] - ERR - plugin_dependency_startall - preoperation plugin HTTP Client is not started
[02/Feb/2021:17:54:43.112206577 -0800] - ERR - plugin_dependency_startall - betxnpreoperation plugin Linked Attributes is not started
[02/Feb/2021:17:54:43.115890468 -0800] - ERR - plugin_dependency_startall - betxnpreoperation plugin Managed Entries is not started
[02/Feb/2021:17:54:43.119210915 -0800] - ERR - plugin_dependency_startall - object plugin Multimaster Replication Plugin is not started
[02/Feb/2021:17:54:43.122747970 -0800] - ERR - plugin_dependency_startall - extendedop plugin whoami is not started
[02/Feb/2021:17:54:43.125953111 -0800] - ERR - plugin_dependency_startall - database plugin ldbm database is not started
(END)


Expected results:
yes


Additional info:

Got incorrect subdirectory permissions after dscreate: 770 instead of 775, in this example on /testdata/ and /testdata/dirsrv/.

ls -laRZ /testdata/
/testdata/:
total 4
drwxrwx---.  3 root root unconfined_u:object_r:default_t:s0   20 Feb  2 19:55 .
dr-xr-xr-x. 20 root root system_u:object_r:root_t:s0        4096 Feb  2 19:55 ..
drwxrwx---.  3 root root unconfined_u:object_r:default_t:s0   18 Feb  2 19:55 dirsrv

/testdata/dirsrv:
total 0
drwxrwx---. 3 root      root       unconfined_u:object_r:default_t:s0 18 Feb  2 19:55 .
drwxrwx---. 3 root      root       unconfined_u:object_r:default_t:s0 20 Feb  2 19:55 ..
drwxrwx---. 3 ldapuser1 ldapgroup1 unconfined_u:object_r:default_t:s0 16 Feb  2 19:55 test

/testdata/dirsrv/test:
total 0
drwxrwx---. 3 ldapuser1 ldapgroup1 unconfined_u:object_r:default_t:s0 16 Feb  2 19:55 .
drwxrwx---. 3 root      root       unconfined_u:object_r:default_t:s0 18 Feb  2 19:55 ..
drwxrwx---. 2 ldapuser1 ldapgroup1 unconfined_u:object_r:default_t:s0  6 Feb  2 19:55 db

/testdata/dirsrv/test/db:
total 0
drwxrwx---. 2 ldapuser1 ldapgroup1 unconfined_u:object_r:default_t:s0  6 Feb  2 19:55 .
drwxrwx---. 3 ldapuser1 ldapgroup1 unconfined_u:object_r:default_t:s0 16 Feb  2 19:55 ..
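As an added illustration (not code from the report or from lib389), the following Python reproduces the umask/makedirs sequence quoted above next to a hypothetical variant that keeps the parents at 755, and then checks which path components a non-owner uid/gid could not traverse, which is what ns-slapd runs into. The function names (`untraversable_parents`, `buggy_makedirs`, `create_db_dir`, `demo`) are invented here; the chown of the leaf to the service user and the SELinux relabeling are outside what it does.

```python
import os
import stat
import tempfile
from pathlib import Path

def _can_search(st, uid, gid):
    # Owner/group/other x bit only: no supplementary groups, ACLs or SELinux.
    bit = stat.S_IXUSR if st.st_uid == uid else stat.S_IXGRP if st.st_gid == gid else stat.S_IXOTH
    return bool(st.st_mode & bit)

def untraversable_parents(path, uid, gid, below=None):
    """Ancestors of path (nearest first) that uid/gid cannot search; ns-slapd needs x
    on each of them. The leaf is skipped (the installer chowns it to the service user)."""
    bad = []
    for parent in Path(path).parents:
        if below is not None and parent == Path(below):
            break                                # stop at the scratch root when given
        if not _can_search(os.stat(parent), uid, gid):
            bad.append(str(parent))
    return bad

def buggy_makedirs(db_dir):
    # The sequence quoted from lib389 setup.py: umask 007 + makedirs(mode=0o770)
    # leaves every newly created parent directory at 770 (owned by root under dscreate).
    old = os.umask(0o007)
    try:
        os.makedirs(db_dir, mode=0o770)
    finally:
        os.umask(old)

def create_db_dir(db_dir, parent_mode=0o755, leaf_mode=0o770):
    # Hypothetical fixed variant: parents searchable (755), only the leaf restricted
    # (770). chmod is explicit so the umask cannot strip bits; chown is the caller's job.
    db_dir = Path(db_dir)
    for parent in reversed(db_dir.parents):
        if not parent.exists():
            parent.mkdir()
            os.chmod(parent, parent_mode)
    db_dir.mkdir(exist_ok=True)
    os.chmod(db_dir, leaf_mode)

def demo(base=None):
    # Build both layouts under a scratch directory and report which parents a
    # non-owner uid/gid (stand-in for the ns-slapd account) could not traverse.
    base = Path(base or tempfile.mkdtemp(prefix="dscreate-demo-"))
    os.chmod(base, 0o755)                        # the scratch root itself must be searchable
    uid, gid = os.getuid() + 1, os.getgid() + 1  # deliberately not the directory owner
    bad_path = base / "bug/testdata/dirsrv/test/db"
    good_path = base / "fix/testdata/dirsrv/test/db"
    buggy_makedirs(bad_path)
    create_db_dir(good_path)
    return {"base": str(base),
            "buggy": untraversable_parents(bad_path, uid, gid, below=base),
            "fixed": untraversable_parents(good_path, uid, gid, below=base)}
```

The buggy layout reports every directory between the scratch root and the leaf, exactly the /testdata and /testdata/dirsrv situation shown in the listings above, while the 755-parent layout reports none.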

Comment 9 Pierre Rogier 2022-08-26 14:07:02 UTC
*** Bug 2121747 has been marked as a duplicate of this bug. ***

Comment 12 Viktor Ashirov 2023-02-21 09:55:13 UTC
============================================ test session starts =============================================
platform linux -- Python 3.9.16, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python3
cachedir: .pytest_cache
389-ds-base: 2.2.6-1.module+el9dsrv+17949+63c5b04e
nss: 3.79.0-14.el9_0
nspr: 4.34.0-14.el9_0
openldap: 2.6.2-3.el9
cyrus-sasl: not installed
FIPS: disabled
rootdir: /mnt/tests/rhds/install/ds/dirsrvtests, configfile: pytest.ini
collected 1 item

dirsrvtests/tests/suites/setup_ds/dscreate_test.py::test_setup_ds_custom_db_dir PASSED                 [100%]

============================================= 1 passed in 38.72s ============================================

WebUI also works with this custom setup. Marking as VERIFIED.

Comment 13 Evgenia Martynyuk 2023-05-10 15:47:53 UTC
Hi Viktor, 

Could you please review the RN text in the DocText field. 


Thanks,
Evgenia

Comment 14 Viktor Ashirov 2023-05-10 16:36:33 UTC
Hi Evgenia,

Minor capitalization issue: seLinux -> SELinux

The rest looks good to me.
Thanks.

Comment 16 Evgenia Martynyuk 2023-05-16 20:51:57 UTC
Peer comments were applied, RN text is release pending

Comment 18 errata-xmlrpc 2023-05-30 09:40:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (redhat-ds:12 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:3344

