Issue #1253


rpm install on consumer fails with 403 forbidden

Added by about 7 years ago. Updated over 3 years ago.

3. High
2.7.0 Beta
Pulp 2


Trying to install rpm from a pulp repo seems to be failing with 403

[root@mgmt4 ~]# rpm -qa pulp-server
[root@mgmt4 ~]# 
[root@mgmt4 ~]# yum install cat
Loaded plugins: product-id, pulp-profile-update, subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package cat.noarch 0:1.0-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

 Package             Arch                   Version                Repository           Size
 cat                 noarch                 1.0-1                  zoo                 2.4 k

Transaction Summary
Install  1 Package

Total download size: 2.4 k
Installed size: 42  
Is this ok [y/d/N]: y
Downloading packages:
No Presto metadata available for zoo
cat-1.0-1.noarch.rpm           FAILED                                  [Errno 14] HTTPS Error 403 - Forbidden
Trying other mirror.

Error downloading packages:
  cat-1.0-1.noarch: [Errno 256] No more mirrors to try.
Actions #1

Updated by bmbouter about 7 years ago

  • Description updated (diff)
Actions #2

Updated by bmbouter about 7 years ago

This is due to an selinux issue. In 2.7.0 with story #106, working directories moved from /var/lib/pulp/ to /var/cache/pulp/. Throughout Pulp, files are commonly built in the working path and then copied into their locations at /var/lib/pulp/publishes/*. SELinux applies the pulp_var_cache_t label when the files are created in /var/cache/pulp/*, and those selinux security contexts are being incorrectly maintained when the files are copied into /var/lib/pulp/*. I expect the files to receive the httpd_sys_rw_content_t security context in /var/lib/pulp/*.

This needs to be fixed specifically for this test, but I expect we will have problems anywhere we create files in the working directory, move the files into place, and then try to have apache serve those files. We should look to fix this problem more broadly before 2.7.0 is released.

The fix should be to copy the file but without extended attributes. We also need to replace moves with copy commands. Pulp can no longer move files when those files are made in the working directory and then moved into place. Cleanup of the working directory contents should not be necessary since they auto-clean up on worker restart.

After discussion in #selinux, the following advice was given about specific modifications to our Python code from perfinion:

 09:14:23      perfinion | bmbouter: shutil module right? change copy2 to copy1, and copytree has an arg for the copy_func make that copy too, and just change move to
                         | shutil.copy
 09:14:30      perfinion | bmbouter: that should be all that's required
 09:15:19      perfinion | bmbouter: this is the problem in copy2: Changed in version 3.3: Added follow_symlinks argument, try to copy extended file system attributes too
                         | (currently Linux only).
 09:15:35      perfinion | bmbouter: copying all the xattrs is exactly the opposite of what you want, so use copy() instead
Actions #3

Updated by bmbouter about 7 years ago

  • Platform Release set to 2.7.0
Actions #4

Updated by bmbouter about 7 years ago

  • Priority changed from Normal to High
  • Severity changed from 2. Medium to 3. High
Actions #5

Updated by mhrivnak about 7 years ago

  • Triaged changed from No to Yes
Actions #6

Updated by about 7 years ago

  • Assignee set to
Actions #7

Updated by about 7 years ago

  • Status changed from NEW to ASSIGNED
Actions #8

Updated by about 7 years ago

The actual copying of files occurs in each plugin. Here [0] is where it is in RPM. We should probably just change it to copy [1]. You don't have to worry about the removal of the files because it occurs later in the code.

This needs to be done for all the plugins.




Added by about 7 years ago

Revision de1895ed

Wrong SElinux label prevents rpm installation.

closes #1253

Actions #9

Updated by about 7 years ago

We decided in this PR to fix the specific case and open a separate issue that would take care of getting rid of move and copytree where there is need.

Actions #10

Updated by about 7 years ago

  • Project changed from Pulp to RPM Support
  • Status changed from ASSIGNED to POST
Actions #11

Updated by about 7 years ago

Brian, issue with copytree is that in python 2.X copytree does not have arg for the copy_func, so you cannot change copy2 to copy1
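
Added example (not Pulp's code and not part of any comment in this issue): a Python 3 illustration of the copy advice discussed above, with a tree copy that does not depend on copytree's copy_function argument and a probe showing which shutil copy function carries extended attributes. The names `copytree_without_metadata`, `xattr_survives` and `PROBE_ATTR` are hypothetical, and the `user.label_probe` attribute is a constructed stand-in for `security.selinux`, which an unprivileged process cannot set.

```python
import os
import shutil
import tempfile

# Constructed stand-in for the security.selinux xattr that holds the label.
PROBE_ATTR = "user.label_probe"


def copytree_without_metadata(src, dst):
    """Recreate the tree at src under dst, copying files with shutil.copy.

    shutil.copy copies contents and permission bits only. It never calls
    shutil.copystat, which is what copy2 uses to carry over timestamps and,
    on Linux, extended attributes such as the SELinux label.
    """
    for root, _dirs, files in os.walk(src):
        rel = os.path.relpath(root, src)
        target = os.path.normpath(os.path.join(dst, rel))
        os.makedirs(target, exist_ok=True)
        for name in files:
            shutil.copy(os.path.join(root, name), os.path.join(target, name))
    return dst


def xattr_survives(copy_func):
    """Copy a probe file with copy_func and report whether its xattr followed.

    Returns True or False, or None when the platform or filesystem does not
    support user xattrs and the probe cannot be set.
    """
    workdir = tempfile.mkdtemp()
    try:
        src = os.path.join(workdir, "src")
        dst = os.path.join(workdir, "dst")
        with open(src, "w") as handle:
            handle.write("payload")
        try:
            os.setxattr(src, PROBE_ATTR, b"working_dir_label")
        except (AttributeError, OSError):
            return None
        copy_func(src, dst)
        return PROBE_ATTR in os.listxattr(dst)
    finally:
        shutil.rmtree(workdir)
```

`shutil.move` needs the same care: within one filesystem it is a rename, so the file keeps the label it was created with, and across filesystems it falls back to `copy2` by default.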

Actions #12

Updated by almost 7 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100
Actions #13

Updated by almost 7 years ago

  • Status changed from MODIFIED to 5
Actions #14

Updated by almost 7 years ago

  • Status changed from 5 to CLOSED - CURRENTRELEASE
Actions #15

Updated by bmbouter over 3 years ago

  • Tags Pulp 2 added
