Issue #1253

rpm install on consumer fails with 403 forbidden

Added by pthomas@redhat.com about 6 years ago. Updated over 2 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: High
Sprint/Milestone: -
Severity: 3. High
Version: 2.7.0 Beta
Platform Release: 2.7.0
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2

Description

Trying to install rpm from a pulp repo seems to be failing with 403

[root@mgmt4 ~]# rpm -qa pulp-server
pulp-server-2.7.0-0.4.beta.el7.noarch
[root@mgmt4 ~]# 
[root@mgmt4 ~]# yum install cat
Loaded plugins: product-id, pulp-profile-update, subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package cat.noarch 0:1.0-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================
 Package             Arch                   Version                Repository           Size
=============================================================================================
Installing:
 cat                 noarch                 1.0-1                  zoo                 2.4 k

Transaction Summary
=============================================================================================
Install  1 Package

Total download size: 2.4 k
Installed size: 42  
Is this ok [y/d/N]: y
Downloading packages:
No Presto metadata available for zoo
cat-1.0-1.noarch.rpm           FAILED                                          
https://mgmt4.rhq.lab.eng.bos.redhat.com/pulp/repos/repos/pulp/pulp/demo_repos/zoo/cat-1.0-1.noarch.rpm: [Errno 14] HTTPS Error 403 - Forbidden
Trying other mirror.

Error downloading packages:
  cat-1.0-1.noarch: [Errno 256] No more mirrors to try.

Associated revisions

Revision de1895ed
Added by ipanova@redhat.com about 6 years ago

Wrong SELinux label prevents rpm installation.

closes #1253 https://pulp.plan.io/issues/1253

History

#1 Updated by bmbouter about 6 years ago

  • Description updated

#2 Updated by bmbouter about 6 years ago

This is due to an selinux issue. In 2.7.0 with story #106, working directories moved from /var/lib/pulp/ to /var/cache/pulp/. Throughout Pulp, files are commonly built in the working path and then copied into their locations at /var/lib/pulp/publishes/*. SELinux applies the pulp_var_cache_t label when the files are created in /var/cache/pulp/*, and those selinux security contexts are being incorrectly maintained when the files are copied into /var/lib/pulp/*. I expect the files to receive the httpd_sys_rw_content_t security context in /var/lib/pulp/*.

This needs to be fixed specifically for this test, but I expect we will have problems anywhere we create files in the working directory, move the files into place, and then try to have apache serve those files. We should look to fix this problem more broadly before 2.7.0 is released.

The fix should be to copy the file but without extended attributes. We also need to replace moves with copy commands. Pulp can no longer move files when those files are made in the working directory and then moved into place. Cleanup of the working directory contents should not be necessary since they auto-clean up on worker restart.

After discussion in #selinux, the following advice was given about specific modifications to our Python code from perfinion:

 09:14:23 perfinion | bmbouter: shutil module right? change copy2 to copy1, and copytree has an arg for the copy_func make that copy too, and just change move to shutil.copy
 09:14:30 perfinion | bmbouter: that should be all that's required
 09:15:19 perfinion | bmbouter: this is the problem in copy2: Changed in version 3.3: Added follow_symlinks argument, try to copy extended file system attributes too (currently Linux only).
 09:15:35 perfinion | bmbouter: copying all the xattrs is exactly the opposite of what you want, so use copy() instead
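An added example, not part of the original issue or of Pulp's code: a Python 3 sketch that audits a published tree for entries still carrying the working-directory type named above (pulp_var_cache_t), plus a copy helper that does not carry extended attributes across. The function names (read_label, selinux_type, find_mislabeled, publish) are hypothetical, and the label reader is injectable so the check can be exercised on a host without SELinux.

```python
import os
import shutil
import sys

SELINUX_XATTR = "security.selinux"

def read_label(path):
    """Return the SELinux context stored on path, or None if unavailable."""
    try:
        raw = os.getxattr(path, SELINUX_XATTR, follow_symlinks=False)
    except (OSError, AttributeError):  # no label, no xattr support, non-Linux
        return None
    return raw.rstrip(b"\0").decode()

def selinux_type(context):
    """Extract the type field from a user:role:type:level context string."""
    parts = context.split(":") if context else []
    return parts[2] if len(parts) >= 3 else None

def find_mislabeled(root, bad_type="pulp_var_cache_t", get_label=read_label):
    """List entries under root that still carry the working-directory type."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if selinux_type(get_label(path)) == bad_type:
                hits.append(path)
    return sorted(hits)

def publish(src, dst):
    """Copy data and mode bits only; shutil.copy does not copy xattrs, so the
    new file is labeled by policy for its destination directory."""
    os.makedirs(os.path.dirname(dst), exist_ok=True)
    return shutil.copy(src, dst)

if __name__ == "__main__":
    # Usage: script.py <published-tree>
    # Prints entries still labeled with the working-directory type.
    for hit in find_mislabeled(sys.argv[1]):
        print(hit, read_label(hit))
```

Entries it reports were created elsewhere and moved or copied with their attributes intact; they can be relabeled in place with restorecon -R on the published tree.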

#3 Updated by bmbouter about 6 years ago

  • Platform Release set to 2.7.0

#4 Updated by bmbouter about 6 years ago

  • Priority changed from Normal to High
  • Severity changed from 2. Medium to 3. High

#5 Updated by mhrivnak about 6 years ago

  • Triaged changed from No to Yes

#6 Updated by ipanova@redhat.com about 6 years ago

  • Assignee set to ipanova@redhat.com

#7 Updated by amacdona@redhat.com about 6 years ago

  • Status changed from NEW to ASSIGNED

#8 Updated by dkliban@redhat.com about 6 years ago

The actual copying of files occurs in each plugin. Here [0] is where it is in RPM. We should probably just change it to copy [1]. You don't have to worry about the removal of the files because it occurs later in the code.

This needs to be done for all the plugins.

[0] https://github.com/pulp/pulp_rpm/blob/2.7-testing/plugins/pulp_rpm/plugins/importers/yum/parse/treeinfo.py#L89

[1] https://docs.python.org/2/library/shutil.html#shutil.move

[2] https://docs.python.org/2/library/shutil.html#shutil.copy

#9 Updated by ipanova@redhat.com about 6 years ago

We decided in this PR to fix the specific case and open a separate issue that would take care of getting rid of move and copytree where there is need.

#10 Updated by ipanova@redhat.com about 6 years ago

  • Project changed from Pulp to RPM Support
  • Status changed from ASSIGNED to POST

#11 Updated by ipanova@redhat.com about 6 years ago

Brian, the issue with copytree is that in Python 2.x copytree does not have an arg for the copy_func, so you cannot change copy2 to copy1.

#12 Updated by ipanova@redhat.com about 6 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

#13 Updated by dkliban@redhat.com about 6 years ago

  • Status changed from MODIFIED to 5

#14 Updated by amacdona@redhat.com almost 6 years ago

  • Status changed from 5 to CLOSED - CURRENTRELEASE

#15 Updated by bmbouter over 2 years ago

  • Tags Pulp 2 added
