Issue #1688
closed
Delete of ISO repo failing due to Permission Denied exception
Description
pulp_smash.tests.rpm.api_v2.test_iso_crud.AddImporterDistributorTestCase test case experiences failures during tearDown with the following exception:
TaskReportError: Task report /pulp/api/v2/tasks/8ab2c1e3-49fc-4be7-a041-e0a878a44c10/ contains a error: {u'code': u'PLP0000', u'data': {}, u'description': u'Pulp exception occurred: PulpExecutionException', u'sub_errors': [{u'code': u'PLP0000', u'data': {}, u'description': u"[Errno 13] Permission denied: '/etc/pki/pulp/content/pulp-protected-repos'", u'sub_errors': []}]}
Full task report: {u'exception': None, u'task_type': u'pulp.server.tasks.repository.delete', u'_href': u'/pulp/api/v2/tasks/8ab2c1e3-49fc-4be7-a041-e0a878a44c10/', u'task_id': u'8ab2c1e3-49fc-4be7-a041-e0a878a44c10', u'tags': [u'pulp:repository:b7930128-a473-401e-83e0-956345739475', u'pulp:action:delete'], u'finish_time': u'2016-02-18T08:08:48Z', u'_ns': u'task_status', u'start_time': u'2016-02-18T08:08:48Z', u'traceback': u'Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/celery/app/trace.py", line 240, in trace_task
R = retval = fun(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 473, in __call__
return super(Task, self).__call__(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 103, in __call__
return super(PulpTask, self).__call__(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/celery/app/trace.py", line 437, in __protected_call__
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/pulp/server/controllers/repository.py", line 547, in delete
raise pe
PulpExecutionException: Pulp exception occurred: PulpExecutionException
', u'spawned_tasks': [], u'progress_report': {}, u'queue': u'reserved_resource_worker-1@f23-vanilla-np-qeos-73646.slave.openstack.org.novalocal.dq', u'state': u'error', u'worker_name': u'reserved_resource_worker-1@f23-vanilla-np-qeos-73646.slave.openstack.org.novalocal', u'result': None, u'error': {u'code': u'PLP0000', u'data': {}, u'description': u'Pulp exception occurred: PulpExecutionException', u'sub_errors': [{u'code': u'PLP0000', u'data': {}, u'description': u"[Errno 13] Permission denied: '/etc/pki/pulp/content/pulp-protected-repos'", u'sub_errors': []}]}, u'_id': {u'$oid': u'56c57c0f2ed802421bf26c00'}, u'id': u'56c57c0f2ed802421bf26c00'}
Updated by amacdona@redhat.com over 7 years ago
- Status changed from NEW to ASSIGNED
- Assignee set to amacdona@redhat.com
Updated by dkliban@redhat.com over 7 years ago
- Assignee changed from amacdona@redhat.com to dkliban@redhat.com
Updated by bmbouter over 7 years ago
Through exploit I managed to raise the complete traceback:
pulp[14698]: celery.worker.job:ERROR: (14698-91008) Task pulp.server.tasks.repository.delete[423a6f92-df2b-484e-b87d-fd7fcf9f675d] raised unexpected: IOError(13, 'Permission denied')
pulp[14698]: celery.worker.job:ERROR: (14698-91008) Traceback (most recent call last):
pulp[14698]: celery.worker.job:ERROR: (14698-91008) File "/usr/lib/python2.7/site-packages/celery/app/trace.py", line 240, in trace_task
pulp[14698]: celery.worker.job:ERROR: (14698-91008) R = retval = fun(*args, **kwargs)
pulp[14698]: celery.worker.job:ERROR: (14698-91008) File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 473, in __call__
pulp[14698]: celery.worker.job:ERROR: (14698-91008) return super(Task, self).__call__(*args, **kwargs)
pulp[14698]: celery.worker.job:ERROR: (14698-91008) File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 103, in __call__
pulp[14698]: celery.worker.job:ERROR: (14698-91008) return super(PulpTask, self).__call__(*args, **kwargs)
pulp[14698]: celery.worker.job:ERROR: (14698-91008) File "/usr/lib/python2.7/site-packages/celery/app/trace.py", line 437, in __protected_call__
pulp[14698]: celery.worker.job:ERROR: (14698-91008) return self.run(*args, **kwargs)
pulp[14698]: celery.worker.job:ERROR: (14698-91008) File "/usr/lib/python2.7/site-packages/pulp/server/controllers/repository.py", line 516, in delete
pulp[14698]: celery.worker.job:ERROR: (14698-91008) dist_controller.delete(distributor.repo_id, distributor.distributor_id)
pulp[14698]: celery.worker.job:ERROR: (14698-91008) File "/usr/lib/python2.7/site-packages/celery/local.py", line 167, in <lambda>
pulp[14698]: celery.worker.job:ERROR: (14698-91008) __call__ = lambda x, *a, **kw: x._get_current_object()(*a, **kw)
pulp[14698]: celery.worker.job:ERROR: (14698-91008) File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 473, in __call__
pulp[14698]: celery.worker.job:ERROR: (14698-91008) return super(Task, self).__call__(*args, **kwargs)
pulp[14698]: celery.worker.job:ERROR: (14698-91008) File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 103, in __call__
pulp[14698]: celery.worker.job:ERROR: (14698-91008) return super(PulpTask, self).__call__(*args, **kwargs)
pulp[14698]: celery.worker.job:ERROR: (14698-91008) File "/usr/lib/python2.7/site-packages/celery/app/trace.py", line 438, in __protected_call__
pulp[14698]: celery.worker.job:ERROR: (14698-91008) return orig(self, *args, **kwargs)
pulp[14698]: celery.worker.job:ERROR: (14698-91008) File "/usr/lib/python2.7/site-packages/celery/app/task.py", line 420, in __call__
pulp[14698]: celery.worker.job:ERROR: (14698-91008) return self.run(*args, **kwargs)
pulp[14698]: celery.worker.job:ERROR: (14698-91008) File "/usr/lib/python2.7/site-packages/pulp/server/controllers/distributor.py", line 133, in delete
pulp[14698]: celery.worker.job:ERROR: (14698-91008) dist_instance.distributor_removed(repo.to_transfer_repo(), call_config)
pulp[14698]: celery.worker.job:ERROR: (14698-91008) File "/usr/lib/python2.7/site-packages/pulp/plugins/file/distributor.py", line 55, in distributor_removed
pulp[14698]: celery.worker.job:ERROR: (14698-91008) self.unpublish_repo(repo, config)
pulp[14698]: celery.worker.job:ERROR: (14698-91008) File "/usr/lib/python2.7/site-packages/pulp_rpm/plugins/distributors/iso_distributor/distributor.py", line 76, in unpublish_repo
pulp[14698]: celery.worker.job:ERROR: (14698-91008) publish.remove_repository_protection(transfer_repo.repo_obj)
pulp[14698]: celery.worker.job:ERROR: (14698-91008) File "/usr/lib/python2.7/site-packages/pulp_rpm/plugins/distributors/iso_distributor/publish.py", line 78, in remove_repository_protection
pulp[14698]: celery.worker.job:ERROR: (14698-91008) protected_repo_utils.delete_protected_repo(relative_path)
pulp[14698]: celery.worker.job:ERROR: (14698-91008) File "/usr/lib/python2.7/site-packages/pulp/repoauth/protected_repo_utils.py", line 63, in delete_protected_repo
pulp[14698]: celery.worker.job:ERROR: (14698-91008) f.save()
pulp[14698]: celery.worker.job:ERROR: (14698-91008) File "/usr/lib/python2.7/site-packages/pulp/repoauth/protected_repo_utils.py", line 143, in save
pulp[14698]: celery.worker.job:ERROR: (14698-91008) f = open(self.filename, 'w')
pulp[14698]: celery.worker.job:ERROR: (14698-91008) IOError: [Errno 13] Permission denied: '/etc/pki/pulp/content/pulp-protected-repos'
When the denial occurs it produces the following SELinux denials:
type=AVC msg=audit(1455821948.486:3856): avc: denied { write } for pid=24813 comm="python" name="content" dev=dm-1 ino=146462 scontext=unconfined_u:system_r:celery_t:s0 tcontext=system_u:object_r:pulp_cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1455821948.486:3856): arch=c000003e syscall=2 success=no exit=-13 a0=4f390f0 a1=241 a2=1b6 a3=0 items=0 ppid=24702 pid=24813 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=25 comm="python" exe="/usr/bin/python" subj=unconfined_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1455821951.136:3864): avc: denied { write } for pid=24813 comm="python" name="content" dev=dm-1 ino=146462 scontext=unconfined_u:system_r:celery_t:s0 tcontext=system_u:object_r:pulp_cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1455821951.136:3864): arch=c000003e syscall=2 success=no exit=-13 a0=4f43b50 a1=241 a2=1b6 a3=0 items=0 ppid=24702 pid=24813 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=25 comm="python" exe="/usr/bin/python" subj=unconfined_u:system_r:celery_t:s0 key=(null)
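The correlation that ties these denials to the traceback, as an added example (not code from Pulp or from this issue): it joins each AVC record to its SYSCALL record by audit serial and decodes the open(2) flags. The sample input is the first event quoted above; the function names and the flag table are this example's own.

```python
import re
from collections import defaultdict

# One audit event (serial 3856), copied from the log lines quoted in the issue.
AUDIT_LOG = """\
type=AVC msg=audit(1455821948.486:3856): avc: denied { write } for pid=24813 comm="python" name="content" dev=dm-1 ino=146462 scontext=unconfined_u:system_r:celery_t:s0 tcontext=system_u:object_r:pulp_cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1455821948.486:3856): arch=c000003e syscall=2 success=no exit=-13 a0=4f390f0 a1=241 a2=1b6 a3=0 items=0 ppid=24702 pid=24813 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=25 comm="python" exe="/usr/bin/python" subj=unconfined_u:system_r:celery_t:s0 key=(null)
"""

HEADER = re.compile(r"type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)")
PERMS = re.compile(r"denied\s+\{([^}]*)\}")
# Linux x86_64 open(2) flag bits, enough to decode a1 for this event.
OPEN_FLAGS = {0o1: "O_WRONLY", 0o2: "O_RDWR", 0o100: "O_CREAT",
              0o1000: "O_TRUNC", 0o2000: "O_APPEND"}

def fields(body):
    """key=value pairs of one record, with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', body)}

def correlate(log):
    """Group records by audit serial and join each AVC with its SYSCALL."""
    events = defaultdict(dict)
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:
            events[m.group(3)][m.group(1)] = m.group(4)
    out = []
    for serial, recs in sorted(events.items()):
        if "AVC" not in recs:
            continue
        avc = fields(recs["AVC"])
        sc = fields(recs.get("SYSCALL", ""))
        flags = int(sc.get("a1", "0"), 16)  # audit prints syscall args in hex
        out.append({
            "serial": serial,
            "source": avc["scontext"].split(":")[2],   # SELinux type of the process
            "target": avc["tcontext"].split(":")[2],   # SELinux type of the object
            "tclass": avc["tclass"],
            "perms": PERMS.search(recs["AVC"]).group(1).split(),
            "uid": sc.get("uid"),
            "exit": int(sc.get("exit", "0")),
            "open_flags": [n for bit, n in sorted(OPEN_FLAGS.items()) if flags & bit],
        })
    return out

def minimal_rule(ev):
    """Narrowest allow rule covering the denial, in SELinux policy syntax."""
    return "allow %s %s:%s { %s };" % (ev["source"], ev["target"], ev["tclass"], " ".join(ev["perms"]))
```

For event 3856 this yields O_WRONLY, O_CREAT and O_TRUNC with exit -13, which matches the open(self.filename, 'w') call and the Errno 13 in the traceback. The rule it prints is only the narrowest one covering the logged denial; the commit message on this issue describes the merged policy change as adding manage access on pulp_cert_t files and dirs.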
Added by bmbouter over 7 years ago
Adds pulp_cert_t manage files and dirs to pulp-celery SELinux policy
Updated by bmbouter over 7 years ago
- Status changed from ASSIGNED to POST
After some IRC discussion it was identified that it started failing due to a change introduced in pulp-smash[0] which deletes repositories it creates. Given that repo deletion requires the ability to remove those certs, we need to make celery_t have those rights in our pulp-server SELinux policy.
A PR is available with that change: https://github.com/pulp/pulp/pull/2438
[0]: https://github.com/PulpQE/pulp-smash/commit/46f6a1f93ae6f127acd06529978e8a9d9751a217
Updated by bmbouter over 7 years ago
- Status changed from POST to MODIFIED
- % Done changed from 0 to 100
Applied in changeset pulp:pulp|a473ddffb18bab5ed224a40198bf4c7cfaed30cf.
Updated by dkliban@redhat.com over 7 years ago
- Status changed from MODIFIED to 5
Updated by dkliban@redhat.com over 7 years ago
- Status changed from 5 to CLOSED - CURRENTRELEASE
Adds pulp_cert_t manage files and dirs to pulp-celery SELinux policy
closes #1688 https://pulp.plan.io/issues/1688