Bug 747661 - Content Certificate permission errors in an AWS guest
Summary: Content Certificate permission errors in an AWS guest
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Pulp
Classification: Retired
Component: rel-eng
Version: 1.0.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: John Matthews
QA Contact: Preethi Thomas
URL:
Whiteboard:
Depends On: 760683
Blocks:
Reported: 2011-10-20 16:37 UTC by Mike McCune
Modified: 2012-02-24 20:18 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Description Mike McCune 2011-10-20 16:37:04 UTC
When using Katello and Candlepin together on an AWS guest we create content which ends up creating a directory here:

 /etc/pki/content/ACME_Corporation

the problem is that on hosts that allow calls to setfacl we grant access to apache to write to this dir but on the AWS host this fails:

# setfacl -m u:apache:rwx content
setfacl: content: Operation not supported

so Candlepin is not able to setup directory properly and blocks Katello's ability to create custom products and repos.

Comment 1 Bryan Kearney 2011-10-20 16:55:53 UTC
Not candlepin proper. Katello is writing to this location so that grinder can use the certs to download content. Moving this to the appropriate project, and changing the title to reflect this.

Comment 2 Lukas Zapletal 2011-12-07 15:22:28 UTC
So what is the task for this one? To set this during configuration?

Comment 3 Lukas Zapletal 2011-12-07 16:07:57 UTC
Okay, this is a Pulp issue most likely; this is set during Pulp installation and, as the system is not mounted with ACL, it fails.

Comment 4 Lukas Zapletal 2011-12-07 16:13:03 UTC
Looks like an issue in the Pulp RPM. There must be some constraint.

Comment 5 John Matthews 2011-12-07 17:28:21 UTC
We are planning to make a change to the location of content certs Pulp uses; this will help clean up the SELinux policy. As part of that we will remove the ACL dependency and use chown/chmod to allow pulp to read/write to this directory.

Relates to bz 760683

Comment 6 John Matthews 2011-12-16 15:02:22 UTC
We removed the setfacl and changed it to apache owning those files.

Commit is here:
http://git.fedorahosted.org/git/?p=pulp.git;a=commitdiff;h=3f7636356e43815272714e085037cd22b75a0f7f


QE:
Use getfacl -a /etc/pki/pulp/content and verify that no special rules are in place

Note that /etc/pki/content has changed to /etc/pki/pulp/content

Comment 7 Jeff Ortel 2012-01-04 21:48:37 UTC
build: 0.256

Comment 8 Preethi Thomas 2012-01-09 16:06:22 UTC
Verified that the cert locations have been moved
[root@katello-test ~]# rpm -q pulp
pulp-0.0.256-1.el6.noarch
[root@katello-test ~]# 

[root@katello-test ~]# ls -l /etc/pki/pulp/content/
total 12
drwxr-xr-x. 2 apache apache 4096 Jan  6 14:56 bad_url
drwxr-xr-x. 2 apache apache 4096 Jan  6 14:57 pulp
-rw-r--r--. 1 apache apache    0 Jan  5 13:07 pulp-protected-repos
drwxr-xr-x. 2 apache apache 4096 Jan  5 13:09 rhel6_x86_64_preserve
[root@katello-test ~]# 


[root@katello-test ~]# getfacl -a /etc/pki/pulp/conten/
getfacl: /etc/pki/pulp/conten/: No such file or directory
[root@katello-test ~]# getfacl -a /etc/pki/pulp/content/
getfacl: Removing leading '/' from absolute path names
# file: etc/pki/pulp/content/
# owner: apache
# group: apache
user::rwx
group::r-x
other::r-x
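As an added example (not Pulp's code, nor anything posted in this bug), a small checker for the QE step in comment 6: it parses a `getfacl -a` listing, confirms the directory is owned by apache, and confirms that only the base user::/group::/other:: entries are present, so no setfacl-style rule such as the `u:apache:rwx` one the reporter tried remains. The two sample listings are constructed; CLEAN mirrors the output shown in comment 8.

```python
# Added example, not Pulp's code: check the `getfacl -a` listing the QE step
# asks for. Pass = owned by apache and no entries beyond the base triple.
BASE_ENTRIES = ("user::", "group::", "other::")

def parse_getfacl(text):
    """Return (owner, entries) parsed from `getfacl -a` output."""
    owner = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("getfacl:"):
            continue  # tool chatter such as "Removing leading '/' ..."
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("#"):
            continue  # "# file:" / "# group:" header lines
        else:
            entries.append(line)  # e.g. "user::rwx" or "user:apache:rwx"
    return owner, entries

def extended_entries(entries):
    """Entries beyond owner/group/other: named users or groups, mask::,
    default: ... Any of these means ACL rules are still in place."""
    return [e for e in entries if not e.startswith(BASE_ENTRIES)]

def check_content_dir(getfacl_text, expected_owner="apache"):
    """True only if owned by expected_owner and no extended ACL rules exist."""
    owner, entries = parse_getfacl(getfacl_text)
    return owner == expected_owner and not extended_entries(entries)

# Constructed samples. CLEAN mirrors the listing in comment 8; WITH_ACL is
# what the old `setfacl -m u:apache:rwx` setup (which also adds mask::) prints.
CLEAN = """\
getfacl: Removing leading '/' from absolute path names
# file: etc/pki/pulp/content/
# owner: apache
# group: apache
user::rwx
group::r-x
other::r-x
"""
WITH_ACL = """\
# owner: root
user::rwx
user:apache:rwx
group::r-x
mask::rwx
other::r-x
"""
```

To check a live host, feed the output of `getfacl -a /etc/pki/pulp/content` (the acl package must be installed) to `check_content_dir`.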

Comment 9 Preethi Thomas 2012-02-24 20:17:46 UTC
Pulp v1.0 is released
Closed Current Release.

Comment 10 Preethi Thomas 2012-02-24 20:18:36 UTC
Pulp v1.0 is released.
