Candlepin CA should be owned by tomcat user #232
Conversation
I think there may be something else at play with selinux despite the fact I did a restorecon in /etc/candlepin/certs. Will look into it.
I am also doing some further testing. One thing I think I missed in the initial commit was adding "stripping" of the certificate to remove the x509 header information from the file we had originally been using.
For me, the following additions fixed it:
It'd be great if you could add a test to https://github.com/theforeman/puppet-certs/blob/master/spec/acceptance/candlepin_spec.rb where you can use https://serverspec.org/resource_types.html#file to write tests about files on an actual installed system. Note that it's my goal to add a similar test to puppet-katello where we combine the two.
@ehelms those additions look sane, but could you explain the stripping piece a bit more? Especially since it seems to work without. The selinux issue I mentioned:
I'm interpreting this as tomcat not having the ability to read files with the candlepin_etc_certs_ca_r_t context. Is that a responsibility of candlepin-selinux? I'm testing this on nightly, btw.
@jturel We were stripping it before and perhaps we don't need to anymore. The stripping removes the x509 header information from the certificate file; that information can be useful for debugging, but you can output it using
I was not experiencing any selinux issues.
Here is my testing playbook:
After restarting tomcat you can
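The "stripping" discussed above, as an added example that is not code from puppet-certs or candlepin. It assumes (the thread's own command is not shown) that the "x509 header information" is the human-readable dump that `openssl x509 -text` writes ahead of the PEM block; a consumer that expects a bare PEM file can reject such a file. The function names (`strip_pem_header`, `is_bare_pem`, `check_owner`, `make_sample`) and the sample file contents are all constructed for this example, and the base64 body is a placeholder, not a real certificate. `check_owner` is included because the PR title is about the CA file being owned by the tomcat user, which is exactly the kind of property the serverspec `file` resource suggested above can assert.

```shell
#!/bin/sh
# Added example for this thread; not code from puppet-certs or candlepin.
# Assumption: the "x509 header information" being stripped is the text dump
# that `openssl x509 -text` writes ahead of the PEM block (Certificate:,
# Issuer:, ...). A consumer expecting a bare PEM file can reject that.

# strip_pem_header <in> <out>: keep only -----BEGIN/END CERTIFICATE----- blocks.
strip_pem_header() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { p = 1 }
         p { print }
         /^-----END CERTIFICATE-----$/ { p = 0 }' "$1" > "$2"
}

# is_bare_pem <file>: 0 if the file starts with BEGIN and ends with END, else 1.
is_bare_pem() {
    [ "$(head -n 1 "$1")" = "-----BEGIN CERTIFICATE-----" ] &&
    [ "$(tail -n 1 "$1")" = "-----END CERTIFICATE-----" ]
}

# check_owner <file> <user>: 0 if <file> is owned by <user>, else 1.
# Uses POSIX find rather than stat(1), whose flags differ between GNU and BSD.
check_owner() {
    [ -n "$(find "$1" -prune -user "$2" -print 2>/dev/null)" ]
}

# make_sample <file>: write a constructed cert file in the "dump + PEM" shape.
# The base64 body below is a placeholder, not a real certificate.
make_sample() {
    cat > "$1" <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Issuer: CN = candlepin-ca (constructed sample)
-----BEGIN CERTIFICATE-----
TUlJQmtUQ0IrQUlCQVRBTkJna3Foa2lHOXcwQkFRc0ZBREFOTVFzd0NRWURWUVFE
-----END CERTIFICATE-----
EOF
}

# Stand-alone demo: strip a sample file, report, and clean up.
tmpd=$(mktemp -d)
make_sample "$tmpd/candlepin-ca.crt"
strip_pem_header "$tmpd/candlepin-ca.crt" "$tmpd/candlepin-ca.pem"
if is_bare_pem "$tmpd/candlepin-ca.pem"; then
    echo "stripped: $(wc -l < "$tmpd/candlepin-ca.pem" | tr -d ' ') lines, bare PEM"
fi
rm -rf "$tmpd"
```

`openssl x509 -in dump.crt -out clean.crt` would also re-emit only the PEM block, since the PEM reader skips leading text, but the awk form needs no openssl on the box and is easy to drop into a puppet `exec` or an acceptance spec. The ownership check is deliberately separate from the stripping: a bare PEM that tomcat still cannot read (wrong owner, or the SELinux label discussed further down) fails in the same way as an unstripped one, so a test should assert both.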
I can reproduce the selinux issue on the nightly pipeline and a box I've defined like this:
The puppet module changes are part of the fix, but there are selinux denials:
I applied these and after restarting tomcat I can curl the status API successfully, which failed previously. The correct place to fix this is in the candlepin code itself, which defines the rest of the policy [1], since I don't think we're in the business of managing selinux by hand (with puppet). I think we're in a bit of a sticky situation. Any opinions on the next step?
Opened a PR for candlepin: candlepin/candlepin#2171
What step fails for you testing my changes added to yours? I got green vagrant up.
rake db:seed fails because candlepin is not in a good state as it can't read the cert :(
Odd, why does it work for me? I'm gonna retest to see if it was a fluke.
f3367cd to 1be2052
This does fix the devel environment but I'm still not sure about nightly. I think this should be merged asap nevertheless. If that's OK, I can add tests during business hours in a separate PR.
1be2052 to 3a55f3a
nvm, added tests ;)
Need to test this still but I want to see if a test fails so I can fix it or write a new one.