Issue #1688

Delete of ISO repo failing due to Permission Denied exception

Added by dkliban@redhat.com almost 5 years ago. Updated almost 2 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Version:
Platform Release: 2.8.0
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Sprint:
Quarter:

Description

pulp_smash.tests.rpm.api_v2.test_iso_crud.AddImporterDistributorTestCase test case experiences failures during tearDown with the following exception:

TaskReportError: Task report /pulp/api/v2/tasks/8ab2c1e3-49fc-4be7-a041-e0a878a44c10/ contains a error: {u'code': u'PLP0000', u'data': {}, u'description': u'Pulp exception occurred: PulpExecutionException', u'sub_errors': [{u'code': u'PLP0000', u'data': {}, u'description': u"[Errno 13] Permission denied: '/etc/pki/pulp/content/pulp-protected-repos'", u'sub_errors': []}]}
Full task report: {u'exception': None, u'task_type': u'pulp.server.tasks.repository.delete', u'_href': u'/pulp/api/v2/tasks/8ab2c1e3-49fc-4be7-a041-e0a878a44c10/', u'task_id': u'8ab2c1e3-49fc-4be7-a041-e0a878a44c10', u'tags': [u'pulp:repository:b7930128-a473-401e-83e0-956345739475', u'pulp:action:delete'], u'finish_time': u'2016-02-18T08:08:48Z', u'_ns': u'task_status', u'start_time': u'2016-02-18T08:08:48Z', u'traceback': u'Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/celery/app/trace.py", line 240, in trace_task
    R = retval = fun(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 473, in __call__
    return super(Task, self).__call__(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 103, in __call__
    return super(PulpTask, self).__call__(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/celery/app/trace.py", line 437, in __protected_call__
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/pulp/server/controllers/repository.py", line 547, in delete
    raise pe
PulpExecutionException: Pulp exception occurred: PulpExecutionException
', u'spawned_tasks': [], u'progress_report': {}, u'queue': u'reserved_resource_worker-1@f23-vanilla-np-qeos-73646.slave.openstack.org.novalocal.dq', u'state': u'error', u'worker_name': u'reserved_resource_worker-1@f23-vanilla-np-qeos-73646.slave.openstack.org.novalocal', u'result': None, u'error': {u'code': u'PLP0000', u'data': {}, u'description': u'Pulp exception occurred: PulpExecutionException', u'sub_errors': [{u'code': u'PLP0000', u'data': {}, u'description': u"[Errno 13] Permission denied: '/etc/pki/pulp/content/pulp-protected-repos'", u'sub_errors': []}]}, u'_id': {u'$oid': u'56c57c0f2ed802421bf26c00'}, u'id': u'56c57c0f2ed802421bf26c00'}

Associated revisions

Revision a473ddff
Added by bmbouter almost 5 years ago

Adds pulp_cert_t manage files and dirs to pulp-celery SELinux policy

closes #1688 https://pulp.plan.io/issues/1688

History

#1 Updated by amacdona@redhat.com almost 5 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to amacdona@redhat.com

#2 Updated by dkliban@redhat.com almost 5 years ago

  • Assignee changed from amacdona@redhat.com to dkliban@redhat.com

#3 Updated by bmbouter almost 5 years ago

Through exploit I managed to raise the complete traceback:

pulp[14698]: celery.worker.job:ERROR: (14698-91008) Task pulp.server.tasks.repository.delete[423a6f92-df2b-484e-b87d-fd7fcf9f675d] raised unexpected: IOError(13, 'Permission denied')
pulp[14698]: celery.worker.job:ERROR: (14698-91008) Traceback (most recent call last): 
pulp[14698]: celery.worker.job:ERROR: (14698-91008)   File "/usr/lib/python2.7/site-packages/celery/app/trace.py", line 240, in trace_task
pulp[14698]: celery.worker.job:ERROR: (14698-91008)     R = retval = fun(*args, **kwargs)
pulp[14698]: celery.worker.job:ERROR: (14698-91008)   File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 473, in __call__
pulp[14698]: celery.worker.job:ERROR: (14698-91008)     return super(Task, self).__call__(*args, **kwargs)
pulp[14698]: celery.worker.job:ERROR: (14698-91008)   File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 103, in __call__
pulp[14698]: celery.worker.job:ERROR: (14698-91008)     return super(PulpTask, self).__call__(*args, **kwargs)
pulp[14698]: celery.worker.job:ERROR: (14698-91008)   File "/usr/lib/python2.7/site-packages/celery/app/trace.py", line 437, in __protected_call__
pulp[14698]: celery.worker.job:ERROR: (14698-91008)     return self.run(*args, **kwargs)
pulp[14698]: celery.worker.job:ERROR: (14698-91008)   File "/usr/lib/python2.7/site-packages/pulp/server/controllers/repository.py", line 516, in delete
pulp[14698]: celery.worker.job:ERROR: (14698-91008)     dist_controller.delete(distributor.repo_id, distributor.distributor_id)   
pulp[14698]: celery.worker.job:ERROR: (14698-91008)   File "/usr/lib/python2.7/site-packages/celery/local.py", line 167, in <lambda>
pulp[14698]: celery.worker.job:ERROR: (14698-91008)     __call__ = lambda x, *a, **kw: x._get_current_object()(*a, **kw)
pulp[14698]: celery.worker.job:ERROR: (14698-91008)   File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 473, in __call__
pulp[14698]: celery.worker.job:ERROR: (14698-91008)     return super(Task, self).__call__(*args, **kwargs)
pulp[14698]: celery.worker.job:ERROR: (14698-91008)   File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 103, in __call__
pulp[14698]: celery.worker.job:ERROR: (14698-91008)     return super(PulpTask, self).__call__(*args, **kwargs)
pulp[14698]: celery.worker.job:ERROR: (14698-91008)   File "/usr/lib/python2.7/site-packages/celery/app/trace.py", line 438, in __protected_call__
pulp[14698]: celery.worker.job:ERROR: (14698-91008)     return orig(self, *args, **kwargs)
pulp[14698]: celery.worker.job:ERROR: (14698-91008)   File "/usr/lib/python2.7/site-packages/celery/app/task.py", line 420, in __call__
pulp[14698]: celery.worker.job:ERROR: (14698-91008)     return self.run(*args, **kwargs)
pulp[14698]: celery.worker.job:ERROR: (14698-91008)   File "/usr/lib/python2.7/site-packages/pulp/server/controllers/distributor.py", line 133, in delete
pulp[14698]: celery.worker.job:ERROR: (14698-91008)     dist_instance.distributor_removed(repo.to_transfer_repo(), call_config)
pulp[14698]: celery.worker.job:ERROR: (14698-91008)   File "/usr/lib/python2.7/site-packages/pulp/plugins/file/distributor.py", line 55, in distributor_removed
pulp[14698]: celery.worker.job:ERROR: (14698-91008)     self.unpublish_repo(repo, config)
pulp[14698]: celery.worker.job:ERROR: (14698-91008)   File "/usr/lib/python2.7/site-packages/pulp_rpm/plugins/distributors/iso_distributor/distributor.py", line 76, in unpublish_repo
pulp[14698]: celery.worker.job:ERROR: (14698-91008)     publish.remove_repository_protection(transfer_repo.repo_obj)
pulp[14698]: celery.worker.job:ERROR: (14698-91008)   File "/usr/lib/python2.7/site-packages/pulp_rpm/plugins/distributors/iso_distributor/publish.py", line 78, in remove_repository_protection
pulp[14698]: celery.worker.job:ERROR: (14698-91008)     protected_repo_utils.delete_protected_repo(relative_path)
pulp[14698]: celery.worker.job:ERROR: (14698-91008)   File "/usr/lib/python2.7/site-packages/pulp/repoauth/protected_repo_utils.py", line 63, in delete_protected_repo
pulp[14698]: celery.worker.job:ERROR: (14698-91008)     f.save()
pulp[14698]: celery.worker.job:ERROR: (14698-91008)   File "/usr/lib/python2.7/site-packages/pulp/repoauth/protected_repo_utils.py", line 143, in save
pulp[14698]: celery.worker.job:ERROR: (14698-91008)     f = open(self.filename, 'w')
pulp[14698]: celery.worker.job:ERROR: (14698-91008) IOError: [Errno 13] Permission denied: '/etc/pki/pulp/content/pulp-protected-repos'

When the denial occurs it produces the following SELinux denials:

type=AVC msg=audit(1455821948.486:3856): avc:  denied  { write } for  pid=24813 comm="python" name="content" dev=dm-1 ino=146462 scontext=unconfined_u:system_r:celery_t:s0 tcontext=system_u:object_r:pulp_cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1455821948.486:3856): arch=c000003e syscall=2 success=no exit=-13 a0=4f390f0 a1=241 a2=1b6 a3=0 items=0 ppid=24702 pid=24813 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=25 comm="python" exe="/usr/bin/python" subj=unconfined_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1455821951.136:3864): avc:  denied  { write } for  pid=24813 comm="python" name="content" dev=dm-1 ino=146462 scontext=unconfined_u:system_r:celery_t:s0 tcontext=system_u:object_r:pulp_cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1455821951.136:3864): arch=c000003e syscall=2 success=no exit=-13 a0=4f43b50 a1=241 a2=1b6 a3=0 items=0 ppid=24702 pid=24813 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=25 comm="python" exe="/usr/bin/python" subj=unconfined_u:system_r:celery_t:s0 key=(null)

#4 Updated by bmbouter almost 5 years ago

  • Status changed from ASSIGNED to POST

After some IRC discussion it was identified that it started failing due to a change introduced in pulp-smash[0] which deletes repositories it creates. Given that repo deletion requires the ability to remove those certs we need to make celery_t have those rights in our pulp-server SELinux policy.

A PR is available with that change: https://github.com/pulp/pulp/pull/2438

[0]: https://github.com/PulpQE/pulp-smash/commit/46f6a1f93ae6f127acd06529978e8a9d9751a217
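Added example, not part of the original issue or of Pulp's code: a small parser that pairs each AVC denial from comment #3 with its SYSCALL record, decodes the open(2) flags, and derives the candidate allow rule the way audit2allow would. The function names are hypothetical; the two sample records are copied from the audit excerpt above.

```python
import re
from collections import defaultdict

# First AVC/SYSCALL pair, copied verbatim from the audit excerpt in comment #3.
AUDIT = """\
type=AVC msg=audit(1455821948.486:3856): avc:  denied  { write } for  pid=24813 comm="python" name="content" dev=dm-1 ino=146462 scontext=unconfined_u:system_r:celery_t:s0 tcontext=system_u:object_r:pulp_cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1455821948.486:3856): arch=c000003e syscall=2 success=no exit=-13 a0=4f390f0 a1=241 a2=1b6 a3=0 items=0 ppid=24702 pid=24813 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=25 comm="python" exe="/usr/bin/python" subj=unconfined_u:system_r:celery_t:s0 key=(null)
"""

REC = re.compile(r"type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)")
PERMS = re.compile(r"denied\s+\{([^}]*)\}")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# open(2) flag bits on Linux x86_64 (arch=c000003e, where syscall 2 is open)
OPEN_FLAGS = {0o100: "O_CREAT", 0o200: "O_EXCL", 0o1000: "O_TRUNC", 0o2000: "O_APPEND"}
ACCMODE = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}

def parse(text):
    """Group records by audit event serial: {serial: {"AVC": [...], "SYSCALL": {...}}}."""
    events = defaultdict(lambda: {"AVC": [], "SYSCALL": {}})
    for line in text.splitlines():
        m = REC.match(line)
        if not m:
            continue
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV.findall(body)}
        if rtype == "AVC" and PERMS.search(body):
            fields["perms"] = PERMS.search(body).group(1).split()
            events[serial]["AVC"].append(fields)
        elif rtype == "SYSCALL":
            events[serial]["SYSCALL"] = fields
    return events

def decode_open_flags(a1_hex):
    """Decode the hex flags argument (a1) of an open(2) SYSCALL record."""
    val = int(a1_hex, 16)
    names = [ACCMODE.get(val & 3, "?")] + [n for b, n in sorted(OPEN_FLAGS.items()) if val & b]
    return "|".join(names)

def candidate_rules(events):
    """Merge denials into one allow rule per (source type, target type, class)."""
    need = defaultdict(set)
    for ev in events.values():
        for avc in ev["AVC"]:
            src = avc["scontext"].split(":")[2]   # user:role:type:level -> type
            tgt = avc["tcontext"].split(":")[2]
            need[(src, tgt, avc["tclass"])].update(avc["perms"])
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(need.items())]
```

In enforcing mode the kernel stops at the first failed check, so the single `dir { write }` rule this yields is a lower bound on what the operation needs; the revision attached to this issue grants manage access on pulp_cert_t files and dirs rather than that one permission. The decoded flags (O_WRONLY|O_CREAT|O_TRUNC, exit -13) match the `open(self.filename, 'w')` call at the bottom of the traceback.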

#5 Updated by bmbouter almost 5 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

#6 Updated by mhrivnak almost 5 years ago

  • Triaged changed from No to Yes

#7 Updated by dkliban@redhat.com almost 5 years ago

  • Status changed from MODIFIED to 5

#8 Updated by dkliban@redhat.com almost 5 years ago

  • Status changed from 5 to CLOSED - CURRENTRELEASE

#9 Updated by bmbouter almost 2 years ago

  • Tags Pulp 2 added
