Project

General

Profile

Actions

Bug #8378

closed

katello-installer errors if umask too restrictive

Added by Stephen Benjamin over 9 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Category:
Installer
Target version:
Difficulty:
Triaged:
Yes
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1119910
Description of problem:

A HTB customer attempted to install on their standard RHEL6.5 build, which had a more restrictive umask set for the root user (umask 0027). As a result, some keystore and cert files fail to be placed with appropriate permissions and tomcat has issues during startup. I have duplicated the customers results by simply changing root's umask to 0027 prior to an install.

Version-Release number of selected component (if applicable):

Red Hat Satellite 6.0.3

How reproducible:

Steps to Reproduce:
1. Set umask of root to 0027
2. perform section 2.1 of the install guide to install satellite from the repo.
3. Check the log for errors.

Actual results:

Errors during the install:

Could not start Service[foreman-proxy]: Execution of '/usr/share/katello-installer/modules/service_wait/bin/service-wait foreman-proxy start' returned 1: Starting foreman-proxy: Unable to access the SSL keys. Are the values correct in settings.yml and do permissions allow reading?: Permission denied - /etc/foreman-proxy/ssl_cert.pem
/Stage[main]/Foreman_proxy::Service/Service[foreman-proxy]/ensure: change from stopped to running failed: Could not start Service[foreman-proxy]: Execution of '/usr/share/katello-installer/modules/service_wait/bin/service-wait foreman-proxy start' returned 1: Starting foreman-proxy: Unable to access the SSL keys. Are the values correct in settings.yml and do permissions allow reading?: Permission denied - /etc/foreman-proxy/ssl_cert.pem
Could not start Service[tomcat6]: Execution of '/usr/share/katello-installer/modules/service_wait/bin/service-wait tomcat6 start' returned 5: Starting tomcat6: [ OK ]
/Stage[main]/Candlepin::Service/Service[tomcat6]/ensure: change from stopped to running failed: Could not start Service[tomcat6]: Execution of '/usr/share/katello-installer/modules/service_wait/bin/service-wait tomcat6 start' returned 5: Starting tomcat6: [ OK ]
/Stage[main]/Candlepin::Service/Service[tomcat6]: Failed to call refresh: Could not restart Service[tomcat6]: Execution of '/usr/share/katello-installer/modules/service_wait/bin/service-wait tomcat6 restart' returned 5: Stopping tomcat6: [ OK ]
/Stage[main]/Candlepin::Service/Service[tomcat6]: Could not restart Service[tomcat6]: Execution of '/usr/share/katello-installer/modules/service_wait/bin/service-wait tomcat6 restart' returned 5: Stopping tomcat6: [ OK ]
/Stage[main]/Candlepin::Service/Exec[cpinit]: Failed to call refresh: /usr/bin/wget --timeout=30 --tries=5 --retry-connrefused qO http://localhost:8080/candlepin/admin/init >/var/log/candlepin/cpinit.log 2>&1 && touch /var/lib/candlepin/cpinit_done returned 8 instead of one of [0]
/Stage[main]/Candlepin::Service/Exec[cpinit]: /usr/bin/wget --timeout=30 --tries=5 --retry-connrefused qO http://localhost:8080/candlepin/admin/init >/var/log/candlepin/cpinit.log 2>&1 && touch /var/lib/candlepin/cpinit_done returned 8 instead of one of [0]
Something went wrong! Check the log for ERROR-level output
The full log is at /var/log/katello-installer/katello-installer.log

The installeer is trying to do a wget from tomcat, it looks like, and getting a return code of 8 (a generic "something went wrong on the server side" error")

The first noticeable indication that I saw was in the /var/log/tomcat6/catalina.out log, which is full of exceptions because it cannot read the keystore.

Jul 15, 2014 3:36:36 PM org.apache.tomcat.util.net.jsse.JSSESocketFactory getStore
SEVERE: Failed to load keystore type PKCS12 with path conf/keystore due to /usr/share/tomcat6/conf/keystore (Permission denied)
java.io.FileNotFoundException: /usr/share/tomcat6/conf/keystore (Permission denied)

  1. ls -la /usr/share/tomcat6/conf/keystore
    lrwxrwxrwx. 1 tomcat foreman 25 Jul 15 15:36 /usr/share/tomcat6/conf/keystore -> /etc/pki/katello/keystore

... and /etc/pki/katello/keystore is restricted to

  1. ls la /etc/pki/katello/keystore
    -rw-r----
    . 1 root root 3010 Jul 15 15:36 /etc/pki/katello/keystore

... instead of the following on a successful install

  1. ls la /etc/pki/katello/keystore
    -rw-r--r-
    . 1 root root 2954 Jul 1 13:26 /etc/pki/katello/keystore

The other resulting permission issue that was apparent was:

(On my deliberately umask-sabotaged katello-installer)
  1. ll /etc/pki/katello/certs/katello-ca-stripped.crt
    rw-r----. 1 root root 1883 Jul 15 15:20 /etc/pki/katello/certs/katello-ca-stripped.crt
(On a successful umask-0022 katello-installer)
  1. ll /etc/pki/katello/certs/katello-ca-stripped.crt
    rw-r--r-. 1 root root 1805 Jul 1 13:20 /etc/pki/katello/certs/katello-ca-stripped.crt

Expected results:

No Errors during the install
/etc/pki/katello/keystore readable by tomcat:foreman

Additional info:

I didn't see anything about a umask requirement in the installation guide. However, I'd suspect that we'd just want to manually set it to 0022 in the early parts of the katello-installer, rather than adding a bit to the documentation. There may be other permissions that are not quite as expected, but customer and I didn't pursue any deeper. Just changed the umask to 0022 and did a re-install without issues.

Actions #1

Updated by The Foreman Bot over 9 years ago

  • Status changed from New to Ready For Testing
  • Target version set to 61
  • Pull request https://github.com/Katello/katello-installer/pull/139 added
  • Pull request deleted ()
Actions #2

Updated by Anonymous over 9 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions #3

Updated by Eric Helms over 9 years ago

  • Triaged changed from No to Yes
Actions #4

Updated by Eric Helms over 9 years ago

  • translation missing: en.field_release set to 14
Actions

Also available in: Atom PDF