Description of problem:

Online backup will fail if the backup directory is set under
* /var/tmp
* /tmp
* /root

Since RHEL 8.3, RHDS uses its own private /tmp and /var/tmp directories. Thus online backups under those directories will fail unless the systemd directive "PrivateTmp" is disabled. More details in https://access.redhat.com/solutions/5707881

For sub-directories under /root/ there is a permission issue for the "dirsrv" user. Even when SELinux is disabled, the "dirsrv" user cannot access the sub-directory:

# getenforce
Disabled
#
# ls -ldZ /root/backup_ds/
drwxrwx---. 2 dirsrv dirsrv unconfined_u:object_r:dirsrv_var_lib_t:s0 6 Apr 14 13:44 /root/backup_ds/
#
# runuser -u dirsrv stat /root/backup_ds/
stat: cannot statx '/root/backup_ds/': Permission denied
#
# stat /root/backup_ds/
  File: /root/backup_ds/
  Size: 6 Blocks: 0 IO Block: 4096 directory
Device: fd00h/64768d Inode: 33554571 Links: 2
Access: (0770/drwxrwx---) Uid: ( 389/ dirsrv) Gid: ( 389/ dirsrv)
Access: 2022-04-14 13:45:24.751973552 +0200
Modify: 2022-04-14 13:44:14.160216960 +0200
Change: 2022-04-14 13:45:56.686863436 +0200
 Birth: 2022-04-14 13:44:14.160216960 +0200
#

Version-Release number of selected component (if applicable):

# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.5 (Ootpa)
#
# rpm -qa | grep 389-ds-base-1
389-ds-base-1.4.3.27-2.module+el8dsrv+12690+c6df6d1b.x86_64
#

How reproducible:

Always.

Steps to Reproduce:

# mkdir /root/backup_ds
#
# semanage fcontext -a -t dirsrv_var_lib_t /root/backup_ds
# restorecon -Rv /root/backup_ds
Relabeled /root/backup_ds from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:dirsrv_var_lib_t:s0
#
# chown dirsrv:dirsrv /root/backup_ds/
# chmod 770 /root/backup_ds/
#
# ls -ldZ /root/backup_ds/
drwxrwx---. 2 dirsrv dirsrv unconfined_u:object_r:dirsrv_var_lib_t:s0 6 Apr 14 13:44 /root/backup_ds/
#
# dsconf -D "cn=Directory Manager" ldap://localhost:389 config replace nsslapd-bakdir=/root/backup_ds/
Enter password for cn=Directory Manager on ldap://localhost:389:
Successfully replaced "nsslapd-bakdir"
#
# dsconf -v -D "cn=Directory Manager" ldap://localhost:389 backup create
...
DEBUG: complete status: -1 -> Backup failed (error -1)
DEBUG: cn=backup_2022-04-14T13:50:08.752081,cn=backup,cn=tasks,cn=config getVal('nsTaskExitCode')
DEBUG: cn=backup_2022-04-14T13:50:08.752081,cn=backup,cn=tasks,cn=config getVal('nsTaskLog')
DEBUG: cn=backup_2022-04-14T13:50:08.752081,cn=backup,cn=tasks,cn=config getVal('nsTaskWarning')
DEBUG: cn=backup_2022-04-14T13:50:08.752081,cn=backup,cn=tasks,cn=config getVal('nsTaskStatus')
DEBUG: complete status: -1 -> Backup failed (error -1)
DEBUG: The backup create task has failed with the error code: (-1)
Traceback (most recent call last):
  File "/usr/sbin/dsconf", line 134, in <module>
    result = args.func(inst, None, log, args)
  File "/usr/lib/python3.6/site-packages/lib389/cli_conf/backup.py", line 20, in backup_create
    raise ValueError("The backup create task has failed with the error code: ({})".format(result))
ValueError: The backup create task has failed with the error code: (-1)
ERROR: Error: The backup create task has failed with the error code: (-1)
#

Actual results:

Failing backup.

Expected results:

Successful backup.

Additional info:

It might be a good idea to prevent users setting the value of "nsslapd-bakdir" to a directory under /var/tmp, /tmp and /root
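
The following pre-flight check is an added example, not part of the original report or of 389-ds-base/lib389: it flags an nsslapd-bakdir candidate that sits under a PrivateTmp root or that the service user cannot reach through its parent directories. The function names, the /srv/ds_backup path and the sample modes for /, /root, /tmp and /srv are assumptions; only /root/backup_ds (0770, uid/gid 389) is taken from the report.

```python
import os

# Roots that systemd PrivateTmp replaces with a private copy for the service.
PRIVATE_TMP_ROOTS = ("/tmp", "/var/tmp")

# Constructed sample: /root/backup_ds mirrors the report (0770, uid/gid 389);
# the modes of /, /root, /tmp and /srv are assumed defaults, not from the report.
SAMPLE = {
    "/": (0o555, 0, 0),
    "/root": (0o550, 0, 0),
    "/root/backup_ds": (0o770, 389, 389),
    "/tmp": (0o1777, 0, 0),
    "/tmp/backup_ds": (0o770, 389, 389),
    "/srv": (0o755, 0, 0),
    "/srv/ds_backup": (0o770, 389, 389),  # hypothetical alternative location
}

def _allowed(mode, owner, group, uid, gids, want):
    """Owner/group/other check for `want` bits (r=4, w=2, x=1); ignores ACLs."""
    shift = 6 if uid == owner else 3 if group in gids else 0
    return ((mode >> shift) & want) == want

def _os_stat(path):
    """Default lookup: (mode, uid, gid) of a real path on this host."""
    st = os.stat(path)
    return st.st_mode, st.st_uid, st.st_gid

def check_bakdir(path, uid, gids, stat_fn=_os_stat):
    """Return the reasons why user `uid` cannot write a backup into `path`."""
    path = os.path.normpath(path)
    problems = [f"{path} is under {root} (private per-service copy with PrivateTmp)"
                for root in PRIVATE_TMP_ROOTS if path == root or path.startswith(root + "/")]
    chain = ["/"]
    for part in filter(None, path.split("/")):
        chain.append(os.path.join(chain[-1], part))
    for p in chain:
        # Every ancestor needs the search (x) bit; the target needs write + search.
        want = 3 if p == path else 1
        mode, owner, group = stat_fn(p)
        if not _allowed(mode, owner, group, uid, gids, want):
            what = "write to" if p == path else "traverse"
            problems.append(f"uid {uid} cannot {what} {p}")
    return problems

if __name__ == "__main__":
    for candidate in ("/root/backup_ds/", "/tmp/backup_ds", "/srv/ds_backup"):
        print(candidate, check_bakdir(candidate, 389, {389}, SAMPLE.__getitem__))
```

The check does not resolve symlinks and does not model ACLs, capabilities or SELinux policy; called without the last argument it inspects the real filesystem.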
Perhaps this is better documented in the release notes than trying to add these checks internally (might not be portable/unnecessary with other distributions)...
Changing to doc bug, once documented we can then look at enhancing the CLI
Assigning this bug to @Mugdha Soni.
Maria Pershina has kindly agreed to review the KI test. Thanks Masha!