Set correct permissions on /var/lib/pulp/ if it pre-exists

[dralley]

closes #5553
https://pulp.plan.io/issues/5553

[bmbouter]

Do we want to make the user's perms other user readable?

[dralley]

https://pulp.plan.io/issues/5553

They are already, at least, on a fresh Pulp 3 install. 775 "vagrant" "pulp" across the board.

The present issue is that if /var/lib/pulp/ is already present (because of an existing Pulp 2 install) then the whole directory is owned by "apache" with group "pulp" but due to the lack of group write permissions (755) Pulp 3 can't write to /var/lib/pulp/

[mikedep333]

With Pulp 2, what are the permissions?

It is a security practice to not relax permissions during software upgrades.

Unlike "others", the group might be an example where you can make an exception and relax permissions, if the group generally doesn't have arbitrary users on it.

[dralley]

See Tanya's comment on the issue -- that's what the perms are

[mikedep333]

This creates the directory when it does not exist, and sets those permissions only. It probably creates them as root:root, and that's probably why this is failing.

If you want to modify its permissions only when it exists, you'll need to use a stat module to check if it exists (and is a directory), register the result, and then run this task with a "when" condition. Follow that link and search the page for "p.stat.isdir" for a good example).

[mikedep333]

You're not setting the owner/group on purpose, correct?

[mikedep333]

@dralley Also, we have this for molecule: https://github.com/pulp/ansible-pulp/blob/master/molecule/source/prepare.yml#L36

[dralley]

Re: the molecule solution: I can do that if you think it would be better, I was just trying to keep the permissions minimal.

edit: of course, molecule doesn't like my solution due to imdempotence...

[mikedep333]

Looks good

[mikedep333]

I approved it, but I would like to see more comments above these tasks about why we have them. Either a reasonably detailed explanation, or a very short one and then a reference to the ticket URL.

[dralley]

@mikedep333 Still having idempotence issues :(

ERROR: Idempotence test failed because of the following tasks:

* [fedora-30] => pulp : Check if user exists

* [debian-10] => pulp : Check if user exists

* [centos-7] => pulp : Check if user exists

* [fedora-30] => pulp : Set permissions on '/var/lib/pulp'

* [centos-7] => pulp : Set permissions on '/var/lib/pulp'

* [debian-10] => pulp : Set permissions on '/var/lib/pulp'

[mikedep333]

@dralley Do you need help with this?

[dralley]

@mikedep333 I've not looked at it in a month but to be honest, probably I do yes.

[mikedep333]

@dralley I have some open-ended questions about what permissions are needed under the 2 scenarios. Let's do a video call when you have a chance, and then let's summarize it here.

[dralley]

On my machine, this seems to work. Pulp 2 and Pulp 3 sync correctly (well, without error at least) and of course vagrant up works. Not sure if there are still other problems as we discussed the other day though, I didn't test super thoroughly.

This seems fixed: https://pulp.plan.io/issues/5742

[mikedep333]

This may resolve the idempotence failure:
https://serverfault.com/a/104850
If it doesn't, it means that files are being created under it with different permissions. In this case, your needed logic would be more complex. Either setting umask for pulp processes, or having different logic for different files.

[bmbouter]

This looks good to me. I see the code setting the group to the pulp3 expected group, adding apache to it, and setting setgid so new files from Pulp2 get the correct group also. If this is all correct please merge.

Thanks @mikedep333 and @dralley !