Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Set correct permissions on /var/lib/pulp/ if it pre-exists #178

Merged
merged 1 commit into from Dec 18, 2019

Conversation

dralley
Copy link
Contributor

@dralley dralley commented Oct 15, 2019

@dralley dralley force-pushed the master branch 4 times, most recently from 1b5d3eb to 45584da Compare October 15, 2019 14:47
@@ -94,12 +94,10 @@
- name: Reset ssh conn to allow user changes to affect when ssh user and pulp user are the same
meta: reset_connection

- name: Create cache dir for Pulp
- name: Set permissions on {{ pulp_user_home }}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want to make the user's perms other user readable?

Copy link
Contributor Author

@dralley dralley Oct 15, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://pulp.plan.io/issues/5553

They are already, at least, on a fresh Pulp 3 install. 775 "vagrant" "pulp" across the board.

The present issue is that if /var/lib/pulp/ is already present (because of an existing Pulp 2 install) then the whole directory is owned by "apache" with group "pulp" but due to the lack of group write permissions (755) Pulp 3 can't write to /var/lib/pulp/

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With Pulp 2, what are the permissions?

It is a security practice to not relax permissions during software upgrades.

Unlike "others", the group might be an example where you can make an exception and relax permissions, if the group generally doesn't have arbitrary users on it.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See Tanya's comment on the issue -- that's what the perms are

group: '{{ pulp_group }}'
mode: 0775

- name: Set permissions on {{ pulp_user_home }}/static/
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This creates the directory when it does not exist, and sets those permissions only. It probably creates them as root:root, and that's probably why this is failing.

If you want to modify its permissions only when it exists, you'll need to use a stat module to check if it exists (and is a directory), register the result, and then run this task with a "when" condition. Follow that link and search the page for "p.stat.isdir" for a good example).

state: directory
owner: '{{ pulp_user }}'
group: '{{ pulp_group }}'
mode: 0775
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're not setting the owner/group on purpose, correct?

@mikedep333
Copy link
Member

@dralley dralley force-pushed the master branch 4 times, most recently from 4fb45b2 to d2742ab Compare October 15, 2019 17:02
@dralley
Copy link
Contributor Author

dralley commented Oct 15, 2019

Re: the molecule solution: I can do that if you think it would be better, I was just trying to keep the permissions minimal.

edit: of course, molecule doesn't like my solution due to imdempotence...

Copy link
Member

@mikedep333 mikedep333 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good

@mikedep333
Copy link
Member

I approved it, but I would like to see more comments above these tasks about why we have them. Either a reasonably detailed explanation, or a very short one and then a reference to the ticket URL.

@dralley dralley force-pushed the master branch 14 times, most recently from 6512744 to b004209 Compare October 21, 2019 11:26
@dralley
Copy link
Contributor Author

dralley commented Oct 21, 2019

@mikedep333 Still having idempotence issues :(

ERROR: Idempotence test failed because of the following tasks:

* [fedora-30] => pulp : Check if user exists

* [debian-10] => pulp : Check if user exists

* [centos-7] => pulp : Check if user exists

* [fedora-30] => pulp : Set permissions on '/var/lib/pulp'

* [centos-7] => pulp : Set permissions on '/var/lib/pulp'

* [debian-10] => pulp : Set permissions on '/var/lib/pulp'

@mikedep333
Copy link
Member

@dralley Do you need help with this?

@dralley
Copy link
Contributor Author

dralley commented Dec 2, 2019

@mikedep333 I've not looked at it in a month but to be honest, probably I do yes.

@mikedep333
Copy link
Member

@dralley I have some open-ended questions about what permissions are needed under the 2 scenarios. Let's do a video call when you have a chance, and then let's summarize it here.

@dralley
Copy link
Contributor Author

dralley commented Dec 9, 2019

On my machine, this seems to work. Pulp 2 and Pulp 3 sync correctly (well, without error at least) and of course vagrant up works. Not sure if there are still other problems as we discussed the other day though, I didn't test super thoroughly.

This seems fixed: https://pulp.plan.io/issues/5742

state: directory
owner: '{{ pulp_user }}'
group: '{{ pulp_group }}'
mode: 0775
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This may resolve the idempotence failure:
https://serverfault.com/a/104850
If it doesn't, it means that files are being created under it with different permissions. In this case, your needed logic would be more complex. Either setting umask for pulp processes, or having different logic for different files.

roles/pulp/tasks/install.yml Show resolved Hide resolved
roles/pulp/tasks/install.yml Show resolved Hide resolved
roles/pulp/tasks/install.yml Show resolved Hide resolved
roles/pulp/tasks/install.yml Show resolved Hide resolved
Copy link
Member

@bmbouter bmbouter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good to me. I see the code setting the group to the pulp3 expected group, adding apache to it, and setting setgid so new files from Pulp2 get the correct group also. If this is all correct please merge.

Thanks @mikedep333 and @dralley !

@mikedep333 mikedep333 merged commit 5eae817 into pulp:master Dec 18, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants