Issue #1726
closed
Downloading on_demand RPM content results in 500 error
Description
1) Import Manifest
2) Enable RHEL 6Server repo
3) Set default download policy to "on_demand"
4) Sync
5) Register client, install a package from RHEL6 via 'yum install', note error
Main error:
pulp_streamer[26539]: pulp.streamer.server:ERROR: (26539-72352) OSError: [Errno 13] Permission denied: '/tmp/nectar-ssl_ca_cert-Q1HNWK'
Extended trace:
pulp_streamer[26539]: pulp.streamer.server:ERROR: (26539-72352) An unexpected error occurred while handling the request.
pulp_streamer[26539]: pulp.streamer.server:ERROR: (26539-72352) Traceback (most recent call last):
pulp_streamer[26539]: pulp.streamer.server:ERROR: (26539-72352) File "/usr/lib/python2.7/site-packages/pulp/streamer/server.py", line 184, in _handle_get
pulp_streamer[26539]: pulp.streamer.server:ERROR: (26539-72352) self._download(catalog_entry, request, responder)
pulp_streamer[26539]: pulp.streamer.server:ERROR: (26539-72352) File "/usr/lib/python2.7/site-packages/pulp/streamer/server.py", line 214, in _download
pulp_streamer[26539]: pulp.streamer.server:ERROR: (26539-72352) **catalog_entry.data)
pulp_streamer[26539]: pulp.streamer.server:ERROR: (26539-72352) File "/usr/lib/python2.7/site-packages/pulp/plugins/importer.py", line 37, in get_downloader
pulp_streamer[26539]: pulp.streamer.server:ERROR: (26539-72352) nectar_config = importer_config_to_nectar_config(config.flatten(), working_dir=working_dir)
pulp_streamer[26539]: pulp.streamer.server:ERROR: (26539-72352) File "/usr/lib/python2.7/site-packages/pulp/plugins/util/nectar_config.py", line 51, in importer_config_to_nectar_config
pulp_streamer[26539]: pulp.streamer.server:ERROR: (26539-72352) download_config = DownloaderConfig(**download_config_kwargs)
pulp_streamer[26539]: pulp.streamer.server:ERROR: (26539-72352) File "/usr/lib/python2.7/site-packages/nectar/config.py", line 134, in __init__
pulp_streamer[26539]: pulp.streamer.server:ERROR: (26539-72352) self._process_ssl_settings()
pulp_streamer[26539]: pulp.streamer.server:ERROR: (26539-72352) File "/usr/lib/python2.7/site-packages/nectar/config.py", line 171, in _process_ssl_settings
pulp_streamer[26539]: pulp.streamer.server:ERROR: (26539-72352) prefix=prefix)
pulp_streamer[26539]: pulp.streamer.server:ERROR: (26539-72352) File "/usr/lib64/python2.7/tempfile.py", line 304, in mkstemp
pulp_streamer[26539]: pulp.streamer.server:ERROR: (26539-72352) return _mkstemp_inner(dir, prefix, suffix, flags)
pulp_streamer[26539]: pulp.streamer.server:ERROR: (26539-72352) File "/usr/lib64/python2.7/tempfile.py", line 239, in _mkstemp_inner
pulp_streamer[26539]: pulp.streamer.server:ERROR: (26539-72352) fd = _os.open(file, flags, 0600)
pulp_streamer[26539]: pulp.streamer.server:ERROR: (26539-72352) OSError: [Errno 13] Permission denied: '/tmp/nectar-ssl_ca_cert-Q1HNWK'
Updated by bmbouter over 8 years ago
@mmccune, was SELinux enabled on this machine? If it was, can you post the associated AVC denial?
Updated by bmbouter over 8 years ago
- Status changed from NEW to ASSIGNED
- Assignee set to bmbouter
Updated by mmccune@redhat.com over 8 years ago
This appears to be the denial:
time->Sun Feb 28 03:32:16 2016
type=SYSCALL msg=audit(1456648336.583:3519): arch=c000003e syscall=2 success=no exit=-13 a0=7fb1080198a0 a1=200c2 a2=180 a3=3 items=0 ppid=1 pid=14337 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="pulp_streamer" exe="/usr/bin/python2.7" subj=system_u:system_r:streamer_t:s0 key=(null)
type=AVC msg=audit(1456648336.583:3519): avc: denied { write } for pid=14337 comm="pulp_streamer" name="tmp" dev="dm-0" ino=133 scontext=system_u:system_r:streamer_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
Updated by mmccune@redhat.com over 8 years ago
Confirmed, just reproduced the error now and got the same denial:
time->Tue Mar 1 07:07:57 2016
type=SYSCALL msg=audit(1456834077.500:5942): arch=c000003e syscall=2 success=no exit=-13 a0=7fb1081b3e00 a1=200c2 a2=180 a3=3 items=0 ppid=1 pid=14337 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="pulp_streamer" exe="/usr/bin/python2.7" subj=system_u:system_r:streamer_t:s0 key=(null)
type=AVC msg=audit(1456834077.500:5942): avc: denied { write } for pid=14337 comm="pulp_streamer" name="tmp" dev="dm-0" ino=133 scontext=system_u:system_r:streamer_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
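Added example, not part of the original thread or of Pulp's code: a small Python parser that pairs the SYSCALL and AVC records of one audit event and decodes the open(2) arguments, run over the second denial above (abridged, embedded as constructed sample input). The flag table assumes x86_64 Linux values, and the function names are hypothetical.

```python
import re

# Constructed sample: audit event 5942 from this issue, with some uid/gid fields trimmed.
SAMPLE = """\
type=SYSCALL msg=audit(1456834077.500:5942): arch=c000003e syscall=2 success=no exit=-13 a0=7fb1081b3e00 a1=200c2 a2=180 a3=3 items=0 ppid=1 pid=14337 uid=48 comm="pulp_streamer" exe="/usr/bin/python2.7" subj=system_u:system_r:streamer_t:s0 key=(null)
type=AVC msg=audit(1456834077.500:5942): avc: denied { write } for pid=14337 comm="pulp_streamer" name="tmp" dev="dm-0" ino=133 scontext=system_u:system_r:streamer_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
"""
# Assumption: x86_64 Linux open(2) flag values (arch=c000003e), hard-coded for portability.
ACCESS = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
OPEN_FLAGS = {0x40: "O_CREAT", 0x80: "O_EXCL", 0x200: "O_TRUNC", 0x400: "O_APPEND", 0x20000: "O_NOFOLLOW"}
EVENT_RE = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)")
PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_open_flags(hex_flags):
    # auditd logs syscall arguments (a0..a3) as hex without a 0x prefix.
    value = int(hex_flags, 16)
    names = [ACCESS.get(value & 3, "?")]
    return names + [n for bit, n in sorted(OPEN_FLAGS.items()) if value & bit]

def summarize_denials(text):
    # Group records by audit serial number so each AVC is read with its SYSCALL.
    events = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        if rtype == "AVC":
            pm = PERMS_RE.search(body)
            fields["perms"] = pm.group(1).split() if pm else []
        events.setdefault(serial, {})[rtype] = fields
    out = []
    for serial, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc:
            continue
        item = {"event": serial, "perms": avc["perms"], "tclass": avc["tclass"],
                "object": avc.get("name"),
                "source_type": avc["scontext"].split(":")[2],
                "target_type": avc["tcontext"].split(":")[2]}
        # syscall 2 on x86_64 is open(2): a1 carries the flags, a2 the mode.
        if sc.get("syscall") == "2" and sc.get("arch") == "c000003e":
            item["open_flags"] = decode_open_flags(sc["a1"])
            item["mode"] = oct(int(sc["a2"], 16))
        out.append(item)
    return out
```

The decoded flags and mode line up with the `_os.open(file, flags, 0600)` call in the `mkstemp` traceback: `streamer_t` was denied `write` on a `tmp_t` directory while creating its temporary CA certificate file.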
Added by bmbouter over 8 years ago
Revision df7e5c5b | View on GitHub
Adds pulp_streamer_tmp_t to the pulp-streamer SELinux policy
Also removes inappropriate semicolons behind Refpol statements
re #1459 closes #1726 https://pulp.plan.io/issues/1726
Updated by bmbouter over 8 years ago
- Status changed from ASSIGNED to MODIFIED
- % Done changed from 0 to 100
Applied in changeset pulp|df7e5c5b533ae6e3e2d962a3df47ed027d3df22c.
Updated by dkliban@redhat.com over 8 years ago
- Status changed from MODIFIED to 5
Updated by pthomas@redhat.com over 8 years ago
- Status changed from 5 to 6
verified
[root@mgmt5 ~]# pulp-admin rpm repo create --repo-id rhel7 --feed https://cdn.redhat.com/content/dist/rhel/rhui/server/7/7.2/x86_64/os/ --feed-ca-cert cdn/cdn.redhat.com-chain.crt --feed-cert cdn/914f702153514b06c1ef279db9dcadce.crt --feed-key cdn/914f702153514b06c1ef279db9dcadce.key --download-policy on_demand
Successfully created repository [rhel7]
[root@mgmt5 ~]#
[root@mgmt5 ~]#
[root@mgmt5 ~]# pulp-admin rpm repo sync run --repo-id rhel7
--------------------------------------------------------------------
Synchronizing Repository [rhel7]
--------------------------------------------------------------------
This command may be exited via ctrl+c without affecting the request.
[-]
Waiting to begin...
Downloading metadata...
[/]
... completed
Downloading repository content...
[\]
[==================================================] 100%
RPMs: 10359/10359 items
Delta RPMs: 0/0 items
... completed
Downloading distribution files...
[==================================================] 100%
Distributions: 0/0 items
... completed
Importing errata...
[\]
... completed
Importing package groups/categories...
[\]
... completed
Cleaning duplicate packages...
[/]
... completed
Task Succeeded
Initializing repo metadata
[-]
... completed
Publishing Distribution files
[-]
... completed
Publishing RPMs
[==================================================] 100%
10359 of 10359 items
... completed
Publishing Delta RPMs
... skipped
Publishing Errata
[==================================================] 100%
1101 of 1101 items
... completed
Publishing Comps file
[==================================================] 100%
86 of 86 items
... completed
Publishing Metadata.
[-]
... completed
Closing repo metadata
[-]
... completed
Generating sqlite files
... skipped
Publishing files to web
[|]
... completed
Writing Listings File
[-]
... completed
Task Succeeded
[root@mgmt5 ~]# yum install screen --disablerepo "*" --enablerepo rhel7
Loaded plugins: product-id, pulp-profile-update, search-disabled-repos,
: subscription-manager
rhel7 | 2.1 kB 00:00:00
(1/3): rhel7/updateinfo | 1.0 MB 00:00:00
(2/3): rhel7/group | 588 kB 00:00:00
(3/3): rhel7/primary | 12 MB 00:00:01
rhel7 10359/10359
Resolving Dependencies
--> Running transaction check
---> Package screen.x86_64 0:4.1.0-0.23.20120314git3c2946.el7_2 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
===================================================================================
Package Arch Version Repository Size
===================================================================================
Installing:
screen x86_64 4.1.0-0.23.20120314git3c2946.el7_2 rhel7 552 k
Transaction Summary
===================================================================================
Install 1 Package
Total download size: 552 k
Installed size: 914 k
Is this ok [y/d/N]: y
Downloading packages:
screen-4.1.0-0.23.20120314git3c2946.el7_2.x86_64.rpm | 552 kB 00:00:02
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : screen-4.1.0-0.23.20120314git3c2946.el7_2.x86_64 1/1
rhel7/productid | 1.7 kB 00:00:00
pulp: profile sent, status=201
Verifying : screen-4.1.0-0.23.20120314git3c2946.el7_2.x86_64 1/1
Installed:
screen.x86_64 0:4.1.0-0.23.20120314git3c2946.el7_2
Complete!
[root@mgmt5 ~]#
Updated by dkliban@redhat.com over 8 years ago
- Status changed from 6 to CLOSED - CURRENTRELEASE