Issue #1791

After upgrading from 2.7.1 to pulp 2.8.0 getting 403 errors on all my Pulp repos.

Added by Senza over 4 years ago. Updated over 1 year ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Category: -
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Version: 2.8.0
Platform Release: 2.8.3
OS: RHEL 7
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Easy Fix, Pulp 2
Sprint: Sprint 1
Quarter:

Description

After I by accident upgraded our pulp-server from 2.7.1 to 2.8.0, all our repos were giving 403 errors.

This was because 2.8.0 cannot handle the /var/lib/pulp(/.*) directory being a symlink.

This issue can be solved by creating a bind mount instead of a symlink.

mount --bind /path/to/your/pulp/(dir/) /var/lib/pulp/(dir/) 

Associated revisions

Revision e8656b8b View on GitHub
Added by Jeremy Cline over 4 years ago

Modify the content web view to account for symbolic links

Users sometimes make /var/lib/pulp a symbolic link. This worked fine until we introduced the content wsgi application for lazy syncing. This modifies it to account for symbolic links when deciding whether or not it's safe to serve a file. It also documents the necessary Apache changes that need to take place to make symbolic links work.

closes #1791

History

#1 Updated by bmbouter over 4 years ago

  • Description updated (diff)

#2 Updated by bmbouter over 4 years ago

Background on the design:

Starting in 2.8.0, inbound content requests for RPM are rewritten using this rewrite rule[0]. That rewrite causes the platform httpd.conf file[1] to match the inbound request against the content.wsgi Apache WSGI handler, which sends the request into the "content" Django application, which is provided by Pulp platform and written by Pulp. The content.wsgi app URL matches against this urls.py[2] handler, which, because of the URL rewriting, routes the request to this view code[3]. That[3] view code is where the logic lives that either uses XSendFile or issues the redirect.

I believe the problem is specifically right here[4]. That is where the symlink is being treated as if it is outside of /var/lib/pulp/content which for security purposes must be enforced. Without enforcing that you could ask Pulp to serve any file it had POSIX and SELinux read access to.

[0]: https://github.com/pulp/pulp_rpm/blob/dfaffec54b6b4834ef6d0ec52354a38fd779fedf/plugins/etc/httpd/conf.d/pulp_rpm.conf#L21-L32
[1]: https://github.com/pulp/pulp/blob/73b813b6c2ce682708f9386d71a29393e6d8fe77/server/etc/httpd/conf.d/pulp_content.conf
[2]: https://github.com/pulp/pulp/blob/328f4a4860866a7c090ce07834210ad549acb8d7/server/pulp/server/content/web/urls.py
[3]: https://github.com/pulp/pulp/blob/9af1dcf077baac3d9969e0e8621c44b3e4fb37a0/server/pulp/server/content/web/views.py
[4]: https://github.com/pulp/pulp/blob/9af1dcf077baac3d9969e0e8621c44b3e4fb37a0/server/pulp/server/content/web/views.py#L154-L158
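
The containment problem described in comment #2, as an added example that is not Pulp's code and not part of the original thread: it assumes a check that resolves the requested path but compares it against the unresolved configured base, and contrasts it with a check that resolves both sides. The function names and the temporary directory layout are constructed for illustration.

```python
import os
import tempfile


def naive_is_inside(base_dir, requested):
    # Resolves only the requested path; the base is compared as configured.
    real = os.path.realpath(requested)
    return real.startswith(base_dir.rstrip(os.sep) + os.sep)


def resolved_is_inside(base_dir, requested):
    # Resolves both sides, then compares whole path components.
    real_base = os.path.realpath(base_dir)
    real = os.path.realpath(requested)
    return os.path.commonpath([real_base, real]) == real_base


def touch(path):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    open(path, "w").close()
    return path


def demo():
    # Constructed tree: "var_lib/pulp" is a symlink to "storage", standing in
    # for a symlinked /var/lib/pulp. All names here are illustrative.
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        storage = os.path.join(root, "storage")
        touch(os.path.join(storage, "content", "pkg.rpm"))
        touch(os.path.join(storage, "content-old", "pkg.rpm"))
        outside = touch(os.path.join(root, "outside.txt"))
        os.makedirs(os.path.join(root, "var_lib"))
        os.symlink(storage, os.path.join(root, "var_lib", "pulp"))
        base = os.path.join(root, "var_lib", "pulp", "content")
        escape = os.path.join(base, "escape")
        os.symlink(outside, escape)  # link inside content pointing outside it
        rpm = os.path.join(base, "pkg.rpm")
        return {
            "naive_legit": naive_is_inside(base, rpm),
            "resolved_legit": resolved_is_inside(base, rpm),
            "resolved_escape": resolved_is_inside(base, escape),
            "resolved_sibling": resolved_is_inside(
                base, os.path.join(base, "..", "content-old", "pkg.rpm")),
        }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(name, "->", "serve" if allowed else "403")
```

With the base behind a symlink, the naive check rejects a legitimate file, while the resolved check serves it and still refuses the link that points outside the content directory and the sibling directory that shares its name prefix.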

#3 Updated by mhrivnak over 4 years ago

  • Platform Release set to 2.8.2
  • Triaged changed from No to Yes

#4 Updated by jcline@redhat.com over 4 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to jcline@redhat.com

#5 Updated by mhrivnak over 4 years ago

  • Sprint/Milestone set to 19

#6 Updated by jcline@redhat.com over 4 years ago

  • Status changed from ASSIGNED to POST

#7 Updated by Anonymous over 4 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

#8 Updated by semyers over 4 years ago

  • Platform Release changed from 2.8.2 to 2.8.3

#9 Updated by semyers over 4 years ago

  • Status changed from MODIFIED to 5

#10 Updated by pthomas@redhat.com over 4 years ago

  • Status changed from 5 to 6

Verified
Tested upgrade from 2.7.z -> 2.8.3 and 2.6.z -> 2.8.3 and both passed.

#11 Updated by semyers over 4 years ago

  • Status changed from 6 to CLOSED - CURRENTRELEASE

#13 Updated by bmbouter over 2 years ago

  • Sprint set to Sprint 1

#14 Updated by bmbouter over 2 years ago

  • Sprint/Milestone deleted (19)

#15 Updated by bmbouter over 1 year ago

  • Tags Pulp 2 added
