Description of problem: Currently, subscription-splice-checkin must run as root in order to access splice log files along with katello log files. Version-Release number of selected component (if applicable): 0.19 How reproducible: every time Steps to Reproduce: 1. attempt to run spacewalk-splice-checkin as splice user Actual results: [root@dhcp129-162 ~]# su - splice -s /bin/bash -bash-4.1$ spacewalk-splice-checkin --splice-sync Traceback (most recent call last): File "/usr/bin/spacewalk-splice-checkin", line 21, in <module> from spacewalk_splice_tool import checkin, utils, constants File "/usr/lib/python2.6/site-packages/spacewalk_splice_tool/checkin.py", line 33, in <module> from spacewalk_splice_tool.katello_connect import KatelloConnection, NotFoundException File "/usr/lib/python2.6/site-packages/spacewalk_splice_tool/katello_connect.py", line 16, in <module> from katello.client.api.organization import OrganizationAPI File "/usr/lib/python2.6/site-packages/katello/client/api/organization.py", line 16, in <module> from katello.client.api.base import KatelloAPI File "/usr/lib/python2.6/site-packages/katello/client/api/base.py", line 16, in <module> from katello.client import server File "/usr/lib/python2.6/site-packages/katello/client/server.py", line 48, in <module> class AuthenticationStrategy(object): File "/usr/lib/python2.6/site-packages/katello/client/server.py", line 50, in AuthenticationStrategy _log = getLogger('katello') File "/usr/lib/python2.6/site-packages/katello/client/logutil.py", line 62, in getLogger os.mkdir(logdir) OSError: [Errno 13] Permission denied: '/var/lib/splice/.katello' Expected results: successful run of sst Additional info: this may requires changes to katello-cli to support using the API bindings as users besides katello and root, not sure.
commit f0caa010762b5a13387da4eae05c8e8f20442cc7 i fixed the packaging to also set the owner and permissions on /var/lib/splice so that sst can run as a different user. Additionally, if it is running as a different user, I updated the ssh connection to always connect as root to the satellite (previously it was using the current user). However, spacewalk-splice-tool is still configured to run as root.
I'm still having permission issues running sst under 'splice' user: [Errno 13] Permission denied: '/var/log/splice/report_server.log'
BTW in spacewalk-splice-tool-0.24-1.el6sam.x86_64 cron jobs are still running under 'root' user: # cat /etc/cron.d/sp* # Sync data from spacewalk to candlepin every 4 hours, 9 min past the hour 9 */4 * * * root /usr/bin/spacewalk-splice-checkin --spacewalk-sync # Sync data from candlepin to splice every 10 minutes */10 * * * * root /usr/bin/spacewalk-splice-checkin --splice-sync maybe they're responsible for screwing the permissions.
commit 31106c110bc8636c05c97ed5e51a8c899ffb6883 switched sst to run as splice user. this should resolve the issue.
Verified in spacewalk-splice-tool-0.25-1.el6sam: # sudo -u splice /usr/bin/spacewalk-splice-checkin 2013-06-24 10:11:13,973 INFO splice.common.connect connect:_request: Sending 'POST' to '/splice/api//v1/spliceserver/' with headers '{'Content-type': 'application/json', 'Accept': 'application/json'}' 2013-06-24 10:11:14,073 INFO splice.common.connect connect:_request: Received '204' from 'POST /splice/api//v1/spliceserver/' 2013-06-24 10:11:14,075 INFO splice.common.connect connect:_request: Sending 'POST' to '/splice/api//v1/marketingproductusage/' with headers '{'Content-type': 'application/json', 'Accept': 'application/json'}' 2013-06-24 10:11:14,174 INFO splice.common.connect connect:_request: Received '204' from 'POST /splice/api//v1/marketingproductusage/' Upload was successful # cat /etc/cron.d/sp* # Sync data from spacewalk to candlepin every 4 hours, 9 min past the hour 9 */4 * * * splice /usr/bin/spacewalk-splice-checkin --spacewalk-sync # Sync data from candlepin to splice every 10 minutes */10 * * * * splice /usr/bin/spacewalk-splice-checkin --splice-sync Nothing suspicious in /var/log/splice/spacewalk_splice_tool.log
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHEA-2013-1390.html