Issue #1053
closedExport to USB HDD on RHEL7 Fails
Description
This problem is observed on pulp 2.6.2 final (there is no 2.6.2 tag available in plan.io).
I plugged in a USB HDD and allowed Gnome 3 to auto-mount it for me. On RHEL7, the auto-mount path for hot-pluggable media is
/var/run/media/${USER}/${FS_LABEL}
Then I tried to export a repo to the external drive.
When I run the commands
pulp-admin $RepoType repo export run \
--repo-id=foreman \
--export-dir=/var/run/media/stanb/Linux_Mirrors/pulp_repos/foreman
the following output is obtained:
+----------------------------------------------------------------------+
Publishing Repository [foreman]
+----------------------------------------------------------------------+
The following publish configuration options will be used:
Export Dir: /var/run/media/stanb/Linux_Mirrors/pulp_repos/foreman
This command may be exited via ctrl+c without affecting the request.
Initializing repo metadata
[-]
... completed
Publishing Distribution files
[-]
... completed
Publishing RPMs
[==================================================] 100%
98 of 98 items
... completed
Publishing Delta RPMs
... skipped
Publishing Errata
[-]
... completed
Publishing Comps file
[-]
... completed
Publishing Metadata.
[-]
... completed
Closing repo metadata
[-]
... completed
Generating sqlite files
... skipped
Copying files
[-]
... failed
[Errno 13] Permission denied: '/var/run/media/stanb/Linux_Mirrors'
Task Failed
[Errno 13] Permission denied: '/var/run/media/stanb/Linux_Mirrors'
[stanb@bumblebee ~]$
I have instrumented the code at publish_step.py CopyDirectoryStep.process_main(self), and I have determined that the error is caused by the line
shutil.copytree(self.source_dir, self.target_dir, symlinks=self.preserve_symlinks)
The relevant entries and permissions at the error path are shown below:
[stanb@bumblebee ~]$ ls -al /var/run/media/stanb/Linux_Mirrors
total 68
drwxrwxrwx 7 root root 4096 Jun 11 18:30 .
drwxr-x---+ 3 root root 60 Jun 10 15:27 ..
drwx------ 2 root root 16384 Jun 3 2013 lost+found
drwxrwxrwx 2 stanb stanb 4096 Jun 11 18:31 pulp_repos
[stanb@bumblebee ~]$
mount shows the following mount options:
/dev/sdb1 on /run/media/stanb/Linux_Mirrors type ext4 (rw,nosuid,nodev,relatime,data=ordered,uhelper=udisks2)
I changed the mount options to remove the nosuid:
mount -o remount,suid /run/media/stanb/Linux_Mirrors/
Mount permissions are now
/dev/sdb1 on /run/media/stanb/Linux_Mirrors type ext4 (rw,nodev,relatime,data=ordered,uhelper=udisks2)
I still get the Errno 13 Permission denied.
I presume that the file copy is running within the context of the server. The server is running as user apache. These directories are writeable by 'other', so why is there a Permission Denied error? Perhaps this is an selinux problem?
Updated by bmbouter almost 9 years ago
Is selinux enabled on this system? You can tell with the output of:
getenforce
If it is, we can confirm that SELinux is causing the denial by tailing audit.log. Please paste the relevant denial output from audit.log here.
Updated by mhrivnak almost 9 years ago
- Status changed from NEW to ASSIGNED
- Assignee set to bmbouter
- Triaged changed from No to Yes
Updated by Ben.Stanley almost 9 years ago
[stanb@bumblebee ~]$ getenforce
Disabled
Updated by Ben.Stanley almost 9 years ago
I did some experimenting outside pulp, and managed to reproduce the problem outside python.
Attempt to create the export directory as the user:
[stanb@bumblebee ~]$ mkdir /var/run/media/stanb/Linux_Mirrors/test_dir_1
[stanb@bumblebee ~]$ rmdir /var/run/media/stanb/Linux_Mirrors/test_dir_1
Attempt to create the export directory as root:
[root@bumblebee ~]# mkdir /var/run/media/stanb/Linux_Mirrors/test_dir_1
[root@bumblebee ~]# ls /var/run/media/stanb/Linux_Mirrors
test_dir_1
[root@bumblebee ~]# rmdir /var/run/media/stanb/Linux_Mirrors/test_dir_1
Attempt to create the export directory as apache:
[root@bumblebee ~]# sudo -u apache mkdir /var/run/media/stanb/Linux_Mirrors/test_dir_1
mkdir: cannot create directory ‘/var/run/media/stanb/Linux_Mirrors/test_dir_1’: Permission denied
[root@bumblebee ~]# echo $?
1
Why does it fail? Check the permissions up the path:
[root@bumblebee ~]# ls -al /var/run/media/stanb/Linux_Mirrors/
drwxrwxrwx 7 root root 4096 Jun 15 11:27 .
drwxr-x---+ 3 root root 60 Jun 10 15:27 ..
[root@bumblebee ~]# ls -al /var/run/media/stanb
drwxr-x---+ 3 root root 60 Jun 10 15:27 .
drwxr-xr-x 3 root root 60 Jun 10 15:27 ..
Can we make it work by hook or by crook?
[root@bumblebee ~]# chmod o+rwx /var/run/media/stanb/
[root@bumblebee ~]# ls -al /var/run/media/stanb
drwxr-xrwx+ 3 root root 60 Jun 10 15:27 .
drwxr-xr-x 3 root root 60 Jun 10 15:27 ..
[root@bumblebee ~]# sudo -u apache mkdir /var/run/media/stanb/Linux_Mirrors/test_dir_1
[root@bumblebee ~]# chmod o-rwx /var/run/media/stanb
Yes, it can be worked around.
Testing it with pulp repo export:
pulp-admin rpm repo export run \
--repo-id=foreman \
--export-dir=/var/run/media/stanb/Linux_Mirrors/pulp_repos/foreman
+----------------------------------------------------------------------+
Publishing Repository [foreman]
+----------------------------------------------------------------------+
The following publish configuration options will be used:
Export Dir: /var/run/media/stanb/Linux_Mirrors/pulp_repos/foreman
This command may be exited via ctrl+c without affecting the request.
Initializing repo metadata
[-]
... completed
Publishing Distribution files
[-]
... completed
Publishing RPMs
[==================================================] 100%
98 of 98 items
... completed
Publishing Delta RPMs
... skipped
Publishing Errata
[-]
... completed
Publishing Comps file
[-]
... completed
Publishing Metadata.
[-]
... completed
Closing repo metadata
[-]
... completed
Generating sqlite files
... skipped
Copying files
[\]
... completed
Writing Listings File
[-]
... completed
Task Succeeded
[stanb@bumblebee ~]$
In summary:
- user can access the external disk export path
- root can access the external disk export path
- apache cannot access the external disk export path, unless o+rwx permissions are granted to /var/run/media/${USER} .
If this use case is to work as expected in RHEL7, the process writing the data to the export disk must belong to the user or root, not to apache. This is a significant architectural change.
Updated by Ben.Stanley almost 9 years ago
When I export the repo, I observe the following:
- Everything is owned by apache.
- Files have permissions
rw-r--r- - repodata directory has permissions drwxr-x---
It would seem to be more useful if the exported files were owned by the user who executed the export command. As it is, the user cannot access the repodata directory!
Updated by Ben.Stanley almost 9 years ago
I have started exporting my 613 repos to an external drive.
I can't believe how long it takes to publish a repo.
When pulp is exporting, the following steps are performed:
- Initializing repo metadata
- Publishing Distribution files
- Publishing RPMs <---- publishes to an internal location, seems to take a long time. Is it checking the checksums, or just placing a symlink?
- Publishing Delta RPMs
- Publishing Errata
- Publishing Comps file
- Publishing Metadata.
- Closing repo metadata
- Generating sqlite files
- Copying files <---- copies to export path
- Writing Listings File
- Task Succeeded
If the files are being copied bit-for-bit twice, could the second copy be eliminated to gain efficiency?
I might have to break out systemtap [0] and produce a flame graph [1] to figure out what it is really spending its time on.
[0] [[https://en.wikipedia.org/wiki/SystemTap]]
[1] [[http://www.brendangregg.com/FlameGraphs/cpuflamegraphs.html ]]
Updated by Ben.Stanley almost 9 years ago
I have now tried this a few different ways, and it looks like pulp-admin export is the worst of them.
In summary, there are several practical problems to exporting a collection of repos to another machine:
- Writing the files to an HDD media (apache trying to write to /var/run/media/${USER}/${FS_LABEL}, owned by ${USER}
- The large data size presented when viewed as a collection of repos (without sharing identical files)
- The problem of re-creating the repos on the destination machine.
Due to the slowness of using pulp-admin export, I attempted to rsync /var/lib/pulp/published/yum/http/repos directly to my HDD. I found I had to use --copy-links, which de-references the links while copying, otherwise it copied links to the files on the main system instead of copying the RPMs over to the external HDD. This ended up badly, as RHEL 5.10 alone consumed 400Gb. The 2Tb sync HDD will not contain even the RHEL5 series by itself, let alone everything else I have.
After some poking around, I considered rsyncing the following two directories:
/var/lib/pulp
/var/lib/mongodb
Consider this as transfer by backup/restore.
Some care is required to preserve permissions, ownership and links. Also, the target machine must have the same numeric UIDs/GIDs for mongodb, qpid and apache (and maybe others?).
However, it is possible to fit these directories completely on to a 2Tb external HDD to perform the sync.
This method has the advantage that it also transfers the repo information, although the sync feed is wrong. However, I don't plan to sync the disconnected pulp server. I think I will maintain it by rsync.
The downside of this technique is that I must stop pulp and mongod before performing the final sync, and while restoring on the other end.
I have also found that attempting to load a page on the secondary pulp server causes the qpidd server on the primary machine to go crazy (the two machines are temporarily connected to the same network for setup purposes). So something is referencing the primary machine. If I can find out what that is and change it to reference the secondary machine instead, then I hope it will all work.
Updated by bmbouter about 8 years ago
- Status changed from ASSIGNED to NEW
- Assignee deleted (
bmbouter)
I'm not actively working on this so I'm setting back to NEW.
Updated by bmbouter about 5 years ago
- Status changed from NEW to CLOSED - WONTFIX
Updated by bmbouter about 5 years ago
Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.