Issue #1253

closed

rpm install on consumer fails with 403 forbidden

Added by pthomas@redhat.com over 8 years ago. Updated almost 5 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: High
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 3. High
Version: 2.7.0 Beta
Platform Release: 2.7.0
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Sprint:
Quarter:

Description

Trying to install rpm from a pulp repo seems to be failing with 403

[root@mgmt4 ~]# rpm -qa pulp-server
pulp-server-2.7.0-0.4.beta.el7.noarch
[root@mgmt4 ~]# 
[root@mgmt4 ~]# yum install cat
Loaded plugins: product-id, pulp-profile-update, subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package cat.noarch 0:1.0-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================
 Package             Arch                   Version                Repository           Size
=============================================================================================
Installing:
 cat                 noarch                 1.0-1                  zoo                 2.4 k

Transaction Summary
=============================================================================================
Install  1 Package

Total download size: 2.4 k
Installed size: 42  
Is this ok [y/d/N]: y
Downloading packages:
No Presto metadata available for zoo
cat-1.0-1.noarch.rpm           FAILED                                          
https://mgmt4.rhq.lab.eng.bos.redhat.com/pulp/repos/repos/pulp/pulp/demo_repos/zoo/cat-1.0-1.noarch.rpm: [Errno 14] HTTPS Error 403 - Forbidden
Trying other mirror.

Error downloading packages:
  cat-1.0-1.noarch: [Errno 256] No more mirrors to try.
Actions #1

Updated by bmbouter over 8 years ago

  • Description updated (diff)
Actions #2

Updated by bmbouter over 8 years ago

This is due to an SELinux issue. In 2.7.0 with story #106, working directories moved from /var/lib/pulp/ to /var/cache/pulp/. Throughout Pulp, files are commonly built in the working path and then copied into their locations at /var/lib/pulp/publishes/*. SELinux applies the pulp_var_cache_t label when the files are created in /var/cache/pulp/*, and those SELinux security contexts are being incorrectly maintained when the files are copied into /var/lib/pulp/*. I expect the files to receive the httpd_sys_rw_content_t security context in /var/lib/pulp/*.

This needs to be fixed specifically for this test, but I expect we will have problems anywhere we create files in the working directory, move the files into place, and then try to have apache serve those files. We should look to fix this problem more broadly before 2.7.0 is released.

The fix should be to copy the file but without extended attributes. We also need to replace moves with copy commands. Pulp can no longer move files when those files are made in the working directory and then moved into place. Cleanup of the working directory contents should not be necessary since they auto-clean up on worker restart.

After discussion in #selinux, the following advice was given about specific modifications to our Python code from perfinion:

 09:14:23      perfinion | bmbouter: shutil module right? change copy2 to copy1, and copytree has an arg for the copy_func make that copy too, and just change move to shutil.copy
 09:14:30      perfinion | bmbouter: that should be all that's required
 09:15:19      perfinion | bmbouter: this is the problem in copy2: Changed in version 3.3: Added follow_symlinks argument, try to copy extended file system attributes too (currently Linux only).
 09:15:35      perfinion | bmbouter: copying all the xattrs is exactly the opposite of what you want, so use copy() instead
Actions #3

Updated by bmbouter over 8 years ago

  • Platform Release set to 2.7.0
Actions #4

Updated by bmbouter over 8 years ago

  • Priority changed from Normal to High
  • Severity changed from 2. Medium to 3. High
Actions #5

Updated by mhrivnak over 8 years ago

  • Triaged changed from No to Yes
Actions #6

Updated by ipanova@redhat.com over 8 years ago

  • Assignee set to ipanova@redhat.com
Actions #7

Updated by amacdona@redhat.com over 8 years ago

  • Status changed from NEW to ASSIGNED
Actions #8

Updated by dkliban@redhat.com over 8 years ago

The actual copying of files occurs in each plugin. Here [0] is where it is in RPM. We should probably just change it to copy [1]. You don't have to worry about the removal of the files because it occurs later in the code.

This needs to be done for all the plugins.

[0] https://github.com/pulp/pulp_rpm/blob/2.7-testing/plugins/pulp_rpm/plugins/importers/yum/parse/treeinfo.py#L89

[1] https://docs.python.org/2/library/shutil.html#shutil.move

[2] https://docs.python.org/2/library/shutil.html#shutil.copy

Added by ipanova@redhat.com over 8 years ago

Revision de1895ed | View on GitHub

Wrong SELinux label prevents rpm installation.

closes #1253 https://pulp.plan.io/issues/1253

Actions #9

Updated by ipanova@redhat.com over 8 years ago

We decided in this PR to fix the specific case and open a separate issue that would take care of getting rid of move and copytree where there is need.

Actions #10

Updated by ipanova@redhat.com over 8 years ago

  • Project changed from Pulp to RPM Support
  • Status changed from ASSIGNED to POST
Actions #11

Updated by ipanova@redhat.com over 8 years ago

Brian, the issue with copytree is that in Python 2.x copytree does not have an arg for the copy_func, so you cannot change copy2 to copy1
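
Added example (Python 3, Linux; not part of the thread and not Pulp's code): a tree copy that needs no copy_func argument, for the copytree limitation raised in this comment and the "copy without extended attributes" fix proposed in comment #2. It copies each file with shutil.copy and creates directories fresh, which matters because Python 3's shutil.copytree still runs copystat on directories even when given copy_function=shutil.copy. The function names are hypothetical, and a user.* xattr stands in for security.selinux.

```python
import os
import shutil
import tempfile


def copy_tree_without_xattrs(src, dst):
    """Copy the tree at src into dst, transferring content and mode bits only.

    Files go through shutil.copy (copymode, not copystat, so no xattr copy)
    and directories are created fresh rather than stat-copied, so nothing
    carries security.selinux over from the working directory; new inodes get
    whatever label the destination's policy assigns.
    Symlinked directories are skipped by os.walk; file symlinks are followed.
    """
    copied = []
    for root, _dirs, files in os.walk(src):
        rel = os.path.relpath(root, src)
        target = os.path.normpath(os.path.join(dst, rel))
        if not os.path.isdir(target):
            os.makedirs(target)
        for name in sorted(files):
            out = os.path.join(target, name)
            shutil.copy(os.path.join(root, name), out)
            copied.append(out)
    return copied


def user_xattrs(path):
    """Return the user.* xattr names on path (os.listxattr is Linux only).

    Assumption: user.* is used as a stand-in for security.selinux, because
    setting a real SELinux label needs an SELinux host and privileges.
    """
    return sorted(n for n in os.listxattr(path) if n.startswith("user."))


if __name__ == "__main__":
    # Constructed stand-ins for /var/cache/pulp/ and /var/lib/pulp/publishes/.
    work = tempfile.mkdtemp(prefix="working-")
    publish = os.path.join(tempfile.mkdtemp(prefix="publishes-"), "zoo")
    with open(os.path.join(work, "cat-1.0-1.noarch.rpm"), "wb") as fh:
        fh.write(b"constructed sample payload")
    for path in copy_tree_without_xattrs(work, publish):
        print(path, user_xattrs(path))
```

On an SELinux host, `ls -Z` on the destination files shows the label they actually received.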

Actions #12

Updated by ipanova@redhat.com over 8 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100
Actions #13

Updated by dkliban@redhat.com over 8 years ago

  • Status changed from MODIFIED to 5
Actions #14

Updated by amacdona@redhat.com over 8 years ago

  • Status changed from 5 to CLOSED - CURRENTRELEASE
Actions #15

Updated by bmbouter almost 5 years ago

  • Tags Pulp 2 added
