389ds / 389-ds-base

The enterprise-class Open Source LDAP server for Linux
https://www.port389.org/

dscreate error, cannot start ns-slapd with custom db_dir path, incorrect sub dir permissions #4592

Closed msauton closed 2 years ago

msauton commented 3 years ago

Description of problem:

dscreate fails when using a custom path with the db_dir parameter. Creating the db_dir path and changing permissions, mode and SELinux labels prior to the dscreate did not seem to help. It seems the directories are created in /usr/lib/python3.6/site-packages/lib389/instance/setup.py. The ns-slapd process start sequence fails with a permission error on the custom db directory:

    CRIT - bdb_start - Can't start because the database directory "/testdata/dirsrv/test/db" either doesn't exist, or is not accessible

Permissions and ownership look correct; the SELinux labels are not correct, they have unconfined_u:object_r:default_t:s0 versus an expected unconfined_u:object_r:dirsrv_var_lib_t:s0, but permissive mode does not change the behavior.

The problem may be around line 757, when the parent directories owned by root:root are created with mode 770, while they need 775 so that ns-slapd's uid/group can actually change into those directories:

    /usr/lib/python3.6/site-packages/lib389/instance/setup.py

    ...
    def _install_ds(self, general, slapd, backends):
        ...
        # Create all the needed paths
        # we should only need to make bak_dir, cert_dir, config_dir, db_dir, ldif_dir, lock_dir, log_dir, run_dir?
        for path in ('backup_dir', 'cert_dir', 'db_dir', 'ldif_dir', 'lock_dir', 'log_dir', 'run_dir'):
            self.log.debug("ACTION: creating %s", slapd[path])
            try:
                os.umask(0o007)  # For parent dirs that get created -> sets 770 for perms
                os.makedirs(slapd[path], mode=0o770)
            except OSError:
                pass
            os.chown(slapd[path], slapd['user_uid'], slapd['group_gid'])

Related: os.makedirs(name, mode=0o777, exist_ok=False) ... Changed in version 3.7: The mode argument no longer affects the file permission bits of newly-created intermediate-level directories.

Workaround, to do before the dscreate command:

    mkdir -p /testdata/dirsrv/test/db
    chmod 775 /testdata/
    chmod 775 /testdata/dirsrv/
    chown root:root /testdata/
    chown root:root /testdata/dirsrv/
    chmod -R 770 /testdata/dirsrv/test/
    chown -R ldapuser1:ldapgroup1 /testdata/dirsrv/test/
    chcon -R system_u:object_r:dirsrv_var_lib_t:s0 /testdata/dirsrv/
    ls -alRZ /testdata/
    /testdata/:
    total 4
    drwxr-xr-x.  3 root root unconfined_u:object_r:default_t:s0         20 Feb  2 19:55 .
    dr-xr-xr-x. 20 root root system_u:object_r:root_t:s0              4096 Feb  2 19:55 ..
    drwxr-xr-x.  3 root root system_u:object_r:dirsrv_var_lib_t:s0      18 Feb  2 19:55 dirsrv

    /testdata/dirsrv:
    total 0
    drwxr-xr-x. 3 root      root       system_u:object_r:dirsrv_var_lib_t:s0 18 Feb  2 19:55 .
    drwxr-xr-x. 3 root      root       unconfined_u:object_r:default_t:s0    20 Feb  2 19:55 ..
    drwxrwx---. 3 ldapuser1 ldapgroup1 system_u:object_r:dirsrv_var_lib_t:s0 16 Feb  2 22:15 test

    /testdata/dirsrv/test:
    total 0
    drwxrwx---. 3 ldapuser1 ldapgroup1 system_u:object_r:dirsrv_var_lib_t:s0 16 Feb  2 22:15 .
    drwxr-xr-x. 3 root      root       system_u:object_r:dirsrv_var_lib_t:s0 18 Feb  2 19:55 ..
    drwxrwx---. 2 ldapuser1 ldapgroup1 system_u:object_r:dirsrv_var_lib_t:s0  6 Feb  2 22:15 db

    /testdata/dirsrv/test/db:
    total 0
    drwxrwx---. 2 ldapuser1 ldapgroup1 system_u:object_r:dirsrv_var_lib_t:s0  6 Feb  2 22:15 .
    drwxrwx---. 3 ldapuser1 ldapgroup1 system_u:object_r:dirsrv_var_lib_t:s0 16 Feb  2 22:15 ..

Version-Release number of selected component (if applicable):

    redhat-release-8.3-1.0.el8.x86_64
    389-ds-base-1.4.3.13-1.module+el8dsrv+8334+69a46a2e.x86_64

SELinux enforced or permissive.

How reproducible: on demand

Steps to Reproduce:

1. Create a config file:

        grep ldap /etc/passwd /etc/group
        groupadd -r ldapgroup1
        useradd -r -g ldapgroup1 ldapuser1
        grep ldap /etc/passwd /etc/group

        cat << EOF > ~/ds11.instance.test.inf
        [general]
        full_machine_name = m2.example.test
        [slapd]
        backup_dir = /dump/dirsrv/{instance_name}
        cert_dir = /etc/dirsrv/slapd-{instance_name}
        config_dir = /etc/dirsrv/slapd-{instance_name}
        data_dir = /usr/share
        db_dir = /testdata/dirsrv/{instance_name}/db
        user = ldapuser1
        group = ldapgroup1
        instance_name = test
        port = 1389
        secure_port = 1636
        root_dn = cn=Directory Manager
        root_password = password
        [backend-userroot]
        EOF

2. Create an instance:

        dscreate -v from-file ~/ds11.instance.test.inf

3. Review the errors log and test:

        grep CRIT /var/log/dirsrv/slapd-test/errors

Actual results:

    DEBUG: PASSED: instance checking
    DEBUG: INFO: temp root password set to .PttHq45IET43tXes746XQ.RKPEP7WuzBsBCVdxCDoqmNcgZWJtuql1.1TqB7pxsY
    DEBUG: PASSED: root user checking
    DEBUG: PASSED: network avaliability checking
    DEBUG: READY: Beginning installation for test...
    DEBUG: ACTION: Creating dse.ldif
    DEBUG: ACTION: creating /dump/dirsrv/test
    DEBUG: ACTION: creating /etc/dirsrv/slapd-test
    DEBUG: ACTION: creating /testdata/dirsrv/test/db
    DEBUG: ACTION: creating /var/lib/dirsrv/slapd-test/ldif
    DEBUG: ACTION: creating /var/lock/dirsrv/slapd-test
    DEBUG: ACTION: creating /var/log/dirsrv/slapd-test
    DEBUG: ACTION: creating /var/run/dirsrv
    DEBUG: CMD: systemctl enable dirsrv@test ; STDOUT: ; STDERR: Created symlink /etc/systemd/system/multi-user.target.wants/dirsrv@test.service → /usr/lib/systemd/system/dirsrv@.service.

    DEBUG: ACTION: Creating certificate database is /etc/dirsrv/slapd-test
    DEBUG: Allocate <class 'lib389.DirSrv'> with None
    DEBUG: Allocate <class 'lib389.DirSrv'> with m2.example.test:1389
    DEBUG: Allocate <class 'lib389.DirSrv'> with m2.example.test:1389
    DEBUG: nss cmd: /usr/bin/certutil -N -d /etc/dirsrv/slapd-test -f /etc/dirsrv/slapd-test/pwdfile.txt
    DEBUG: nss output:
    DEBUG: nss cmd: /usr/bin/certutil -L -n Self-Signed-CA -d /etc/dirsrv/ssca/
    DEBUG: CSR subject -> CN=m2.example.test,givenName=fb995d04-c4e4-47bf-a160-30b371b57eb0,O=testing,L=389ds,ST=Queensland,C=AU
    DEBUG: CSR alt_names -> ['m2.example.test']
    DEBUG: nss cmd: /usr/bin/certutil -R --keyUsage digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment --nsCertType sslClient,sslServer --extKeyUsage clientAuth,serverAuth -s CN=m2.example.test,givenName=fb995d04-c4e4-47bf-a160-30b371b57eb0,O=testing,L=389ds,ST=Queensland,C=AU -8 m2.example.test -g 4096 -d /etc/dirsrv/slapd-test -z /etc/dirsrv/slapd-test/noise.txt -f /etc/dirsrv/slapd-test/pwdfile.txt -a -o /etc/dirsrv/slapd-test/Server-Cert.csr
    DEBUG: nss cmd: /usr/bin/certutil -C -d /etc/dirsrv/ssca/ -f /etc/dirsrv/ssca//pwdfile.txt -v 24 -a -i /etc/dirsrv/slapd-test/Server-Cert.csr -o /etc/dirsrv/slapd-test/Server-Cert.crt -c Self-Signed-CA
    DEBUG: nss cmd: /usr/bin/c_rehash /etc/dirsrv/slapd-test
    DEBUG: nss cmd: /usr/bin/certutil -A -n Self-Signed-CA -t CT,, -a -i /etc/dirsrv/slapd-test/ca.crt -d /etc/dirsrv/slapd-test -f /etc/dirsrv/slapd-test/pwdfile.txt
    DEBUG: nss cmd: /usr/bin/certutil -A -n Server-Cert -t ,, -a -i /etc/dirsrv/slapd-test/Server-Cert.crt -d /etc/dirsrv/slapd-test -f /etc/dirsrv/slapd-test/pwdfile.txt
    DEBUG: nss cmd: /usr/bin/certutil -V -d /etc/dirsrv/slapd-test -n Server-Cert -u YCV
    DEBUG: systemd status -> True
    DEBUG: systemd status -> True
    Job for dirsrv@test.service failed because the control process exited with error code.
    See "systemctl status dirsrv@test.service" and "journalctl -xe" for details.
    DEBUG: Command '['systemctl', 'start', 'dirsrv@test']' returned non-zero exit status 1.
    Traceback (most recent call last):
      File "/usr/sbin/dscreate", line 78, in
        result = args.func(inst, log, args)
      File "/usr/lib/python3.6/site-packages/lib389/cli_ctl/instance.py", line 68, in instance_create
        if sd.create_from_inf(args.file):
      File "/usr/lib/python3.6/site-packages/lib389/instance/setup.py", line 533, in create_from_inf
        self.create_from_args(general, slapd, backends, self.extra)
      File "/usr/lib/python3.6/site-packages/lib389/instance/setup.py", line 669, in create_from_args
        self._install_ds(general, slapd, backends)
      File "/usr/lib/python3.6/site-packages/lib389/instance/setup.py", line 888, in _install_ds
        ds_instance.start(timeout=60)
      File "/usr/lib/python3.6/site-packages/lib389/__init__.py", line 1129, in start
        "dirsrv@%s" % self.serverid])
      File "/usr/lib64/python3.6/subprocess.py", line 311, in check_call
        raise CalledProcessError(retcode, cmd)
    subprocess.CalledProcessError: Command '['systemctl', 'start', 'dirsrv@test']' returned non-zero exit status 1.
    ERROR: Error: Command '['systemctl', 'start', 'dirsrv@test']' returned non-zero exit status 1.

The dse.ldif got the custom path:

    grep testdata /etc/dirsrv/slapd-test/dse.ldif
    nsslapd-directory: /testdata/dirsrv/test/db
    nsslapd-db-logdirectory: /testdata/dirsrv/test/db

    less /var/log/dirsrv/slapd-test/errors
    389-Directory/1.4.2.12 B2021.029.2040 m2.example.test:1389 (/etc/dirsrv/slapd-test)

    [02/Feb/2021:17:54:42.454458825 -0800] - INFO - main - 389-Directory/1.4.2.12 B2021.029.2040 starting up
    [02/Feb/2021:17:54:42.457603853 -0800] - INFO - main - Setting the maximum file descriptor limit to: 262144
    [02/Feb/2021:17:54:43.008425092 -0800] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 2048 rounds
    [02/Feb/2021:17:54:43.015806960 -0800] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
    [02/Feb/2021:17:54:43.019459291 -0800] - INFO - bdb_config_upgrade_dse_info - create config entry from old config
    [02/Feb/2021:17:54:43.027048488 -0800] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
    [02/Feb/2021:17:54:43.030485385 -0800] - NOTICE - ldbm_back_start - found 1870824k physical memory
    [02/Feb/2021:17:54:43.033408626 -0800] - NOTICE - ldbm_back_start - found 1115964k available
    [02/Feb/2021:17:54:43.036323091 -0800] - NOTICE - ldbm_back_start - cache autosizing: db cache: 46770k
    [02/Feb/2021:17:54:43.039575161 -0800] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
    [02/Feb/2021:17:54:43.043020082 -0800] - NOTICE - ldbm_back_start - total cache size: 38314475 B;
    [02/Feb/2021:17:54:43.046258626 -0800] - ERR - bdb_version_write - Could not open file "%s" for writing Netscape Portable Runtime %d (%s)

Expected results: yes

Additional info:

Got incorrect sub-directory permissions after the dscreate, 770 instead of 775, in this example with /testdata/ and /testdata/dirsrv/:

    ls -laRZ /testdata/
    /testdata/:
    total 4
    drwxrwx---.  3 root root unconfined_u:object_r:default_t:s0   20 Feb  2 19:55 .
    dr-xr-xr-x. 20 root root system_u:object_r:root_t:s0        4096 Feb  2 19:55 ..
    drwxrwx---.  3 root root unconfined_u:object_r:default_t:s0   18 Feb  2 19:55 dirsrv

    /testdata/dirsrv:
    total 0
    drwxrwx---. 3 root      root       unconfined_u:object_r:default_t:s0 18 Feb  2 19:55 .
    drwxrwx---. 3 root      root       unconfined_u:object_r:default_t:s0 20 Feb  2 19:55 ..
    drwxrwx---. 3 ldapuser1 ldapgroup1 unconfined_u:object_r:default_t:s0 16 Feb  2 19:55 test

    /testdata/dirsrv/test:
    total 0
    drwxrwx---. 3 ldapuser1 ldapgroup1 unconfined_u:object_r:default_t:s0 16 Feb  2 19:55 .
    drwxrwx---. 3 root      root       unconfined_u:object_r:default_t:s0 18 Feb  2 19:55 ..
    drwxrwx---. 2 ldapuser1 ldapgroup1 unconfined_u:object_r:default_t:s0  6 Feb  2 19:55 db

    /testdata/dirsrv/test/db:
    total 0
    drwxrwx---. 2 ldapuser1 ldapgroup1 unconfined_u:object_r:default_t:s0  6 Feb  2 19:55 .
    drwxrwx---. 3 ldapuser1 ldapgroup1 unconfined_u:object_r:default_t:s0 16 Feb  2 19:55 ..
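An added illustration, not code from this issue or from lib389: it reproduces the umask 007 + makedirs(mode=0o770) pattern quoted above, shows a check that names the first ancestor directory a given service uid/gid cannot traverse, and places a hypothetical corrected creation routine beside it. can_search models plain DAC only (no supplementary groups, ACLs or SELinux), and create_traversable is an assumption of how one could fix it, not the upstream commit.

```python
import os
import stat

def can_search(st, uid, gid):
    # Plain DAC: may uid (primary group gid) traverse the directory described by st?
    # Assumption: supplementary groups, POSIX ACLs and SELinux are not modelled.
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def first_blocked_ancestor(path, uid, gid, start=os.sep):
    # Walk the directories strictly between start and path (not path itself, which the
    # service user owns) and return the first one uid/gid cannot search, else None.
    rel = os.path.relpath(os.path.abspath(path), os.path.abspath(start))
    if rel == os.curdir or rel.startswith(os.pardir):
        raise ValueError("path must be below start")
    cur = os.path.abspath(start)
    for part in rel.split(os.sep)[:-1]:
        cur = os.path.join(cur, part)
        if not can_search(os.stat(cur), uid, gid):
            return cur
    return None

def create_like_lib389(path):
    # The pattern quoted from setup.py: umask 007 + makedirs(mode=0o770), so every
    # intermediate directory that has to be created comes out as 0770 (no o+x).
    old = os.umask(0o007)
    try:
        os.makedirs(path, mode=0o770, exist_ok=True)
    finally:
        os.umask(old)

def create_traversable(path, leaf_mode=0o770, parent_mode=0o755):
    # Hypothetical corrected pattern (not the upstream fix): create missing parents one
    # by one and chmod them explicitly so the umask cannot strip the search bits; only
    # the leaf is restrictive. chown of the leaf to the service user is the caller's job.
    path = os.path.abspath(path)
    missing, parent = [], os.path.dirname(path)
    while not os.path.isdir(parent):
        missing.append(parent)
        parent = os.path.dirname(parent)
    for d in reversed(missing):
        os.mkdir(d)
        os.chmod(d, parent_mode)
    if not os.path.isdir(path):
        os.mkdir(path)
    os.chmod(path, leaf_mode)
```

Run first_blocked_ancestor against the real db_dir with the instance's user_uid/group_gid before starting ns-slapd to pinpoint the parent that needs the extra search bit.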

mreynolds389 commented 3 years ago

https://bugzilla.redhat.com/show_bug.cgi?id=1924569

progier389 commented 2 years ago

199ec65576b4d27351327e9eb02ebcce5e7a36f7

    d5ba53748..199ec6557  main -> main
    43661bd99..3a1ec4409  389-ds-base-2.2 -> 389-ds-base-2.2
    db8159f70..2512a1c12  389-ds-base-2.1 -> 389-ds-base-2.1
    8ef769b1b..478f1e378  389-ds-base-2.0 -> 389-ds-base-2.0
    cad4c7596..35d97883c  389-ds-base-1.4.3 -> 389-ds-base-1.4.3