holgerBerger / hpc-workspace

Automatically exported from code.google.com/p/hpc-workspace
GNU General Public License v3.0

Error: could not change permissions of database entry #58

Closed staeglis closed 3 years ago

staeglis commented 3 years ago

Hi,

even on a test workspace on /tmp I get the same issue:

$ ws_allocate test 10
warn: you seem to have no access to your default workspace!?
Info: creating workspace.
Error: could not change permissions of database entry
/tmp/tmp-work/staeglis-test
remaining extensions  : 2
remaining time in days: 10
$ ws_list 
/usr/local/bin/ws_list:106: YAMLLoadWarning: calling yaml.load() without Loader=... is deprecated, as the default Loader is unsafe. Please read https://msg.pyyaml.org/load for full details.
  config = yaml.load(open('/etc/ws.conf'))

The config

admins: [root, metadm]                                  # users listed here can see all workspaces with ws_list
clustername: cluster                                 # some name for the cluster
smtphost: localhost                                     # (my smtp server for sending mails)
dbgid: 16010                                            # a user id, this is the owner of some directories
dbuid: 1533                                             # a group id, this is the owner of some directories
default: tmp                                       # the workspace location to use for everybody
duration: 10                                            # (max duration in days, default for all workspaces )
maxextensions: 1                                        # (maximum number of times a user can ask for a extension)
workspaces:
  tmp:                                                  # name of the workspace location
    database: /tmp/tmp-db                               # DB directory
    deleted: .removed                                   # name of the subdirectory used for expired workspaces
    duration: 20                                        # max lifetime of a workspace in days
    keeptime: 7                                         # days to keep deleted data after expiration
    maxextensions: 2                                    # maximum number of times a user can ask for a extension
    spaces: [/tmp/tmp-work]                             # paths where workspaces are created, this is a list and path is picked randomly
    group_acl: [admin]
    user_acl: []

Best, Stefan

staeglis commented 3 years ago

ws_list is empty:

$ ws_list 
/usr/local/bin/ws_list:106: YAMLLoadWarning: calling yaml.load() without Loader=... is deprecated, as the default Loader is unsafe. Please read https://msg.pyyaml.org/load for full details.
  config = yaml.load(open('/etc/ws.conf'))

holgerBerger commented 3 years ago

Can you show me your Python version?

holgerBerger commented 3 years ago

In your config you have default: tmp and you have an ACL (group_acl: admin). Are you part of that group? If not, that warning is expected.

holgerBerger commented 3 years ago

I think I fixed the ws_list warning in the latest commit.

staeglis commented 3 years ago

Yes I'm a member of the admin group. And the directory itself is created. But there is still no database. Do I have to create the database manually before I can allocate workspaces?

staeglis commented 3 years ago

> I think I fixed the ws_list warning in the latest commit.

The issue still exists in ws_register at least

> Can you show me your Python version?

It's python 3.8 on Ubuntu 20.04

holgerBerger commented 3 years ago

primary or secondary group? compiled with cmake flag CHECK_ALL_GROUPS?

staeglis commented 3 years ago

It's a secondary group. User and group information is provided through SSSD.

The issue remains after changing the CMakeList.txt regarding CHECK_ALL_GROUPS and after changing/removing group_acl

holgerBerger commented 3 years ago

OK, that is unexpected...

Can you give me the output with -d?

staeglis commented 3 years ago

-d as option for ws_allocate?

$ ws_allocate -d 10 -n test
warn: you seem to have no access to your default workspace!?
Info: creating workspace.
Error: could not change permissions of database entry
/tmp/tmp-work/staeglis-test
remaining extensions  : 2
remaining time in days: 10

Or this?

# cmake -DCHECK_ALL_GROUPS=TRUE .
-- Found terminfo
-- Found system YAML
-- LINKER_VAR: /usr/lib/x86_64-linux-gnu
-- Configuring done
-- Generating done
-- Build files have been written to: /root/hpc-workspace

holgerBerger commented 3 years ago

Sorry, I meant --debug. Please get the latest commit 594048c45182a20c98defc1c6402febbefe720c6 and try with --debug; this is for the warning.

About the permission problem: can you show ls -ld of the DB directory? ls -ld /tmp/tmp-db

staeglis commented 3 years ago
debug: primarygroup=ml
debug: no filesystem given, searching...
debug: searching dlclarge
debug: searching dlcsmall
debug: searching tmp
debug: fallback, using global default, ending search
debug: find_valid_fs:dlclarge
debug: find_valid_fs, has ACL, access denied.
debug: find_valid_fs, in group ACL, access granted (secondary).
debug: find_valid_fs, granted
debug: find_valid_fs:dlcsmall
debug: find_valid_fs, has ACL, access denied.
debug: find_valid_fs, in group ACL, access granted (secondary).
debug: find_valid_fs, granted
debug: find_valid_fs:tmp
debug: find_valid_fs, has ACL, access denied.
debug: find_valid_fs, in user ACL, access granted.
debug: find_valid_fs, granted
debug: moved default filesystem to front:tmp
debug: searching valid filesystems tmp
debug: searching valid filesystems dlcsmall
debug: searching valid filesystems dlclarge
Info: creating workspace.
Error: could not change permissions of database entry
/tmp/tmp-work/staeglis-test
remaining extensions  : 2
remaining time in days: 10
$ ls -ld /tmp/tmp-db
drwxr-xr-x 3 dbuid dbgid 4096 Jan 14 13:51 /tmp/tmp-db

holgerBerger commented 3 years ago

OK, looks good. And the setuid bit on ws_allocate is present?

It should look somehow like this:

$ ls -l bin/ws_allocate
-rwsrwxr-x 1 root xxxxxx 9666344 Jan 15 13:25 bin/ws_allocate

And the filesystem has to allow sbits, which is the default.

staeglis commented 3 years ago

Yes:

$ ls -l /usr/local/bin/ws_allocate 
-rwsr-xr-x 1 root root 3210928 Jan 15 13:42 /usr/local/bin/ws_allocate

holgerBerger commented 3 years ago

But the db file is created? What does it look like permission-wise?

staeglis commented 3 years ago

No, there is no database file:

$ ls -la /tmp/tmp-db/
total 48
drwxr-xr-x  3 kislurm kisconfig  4096 Jan 14 13:51 .
drwxrwxrwt 27 root    root      36864 Jan 15 16:47 ..
drwxr-xr-x  2 kislurm kisconfig  4096 Jan 14 13:51 .removed

I assume it's right that /tmp/tmp-db is a directory

holgerBerger commented 3 years ago

Does sbin/ws_validate_config have something to say? (I noticed a bug in that script's last check in your case, fixed in the latest commit.)

holgerBerger commented 3 years ago

And yes, the db is just a directory, that is correct.

holgerBerger commented 3 years ago

OK, if there is no file one cannot change the permissions of it... so far so good. But why can the file not be written? That is strange.

staeglis commented 3 years ago

Can you provide an example database?

staeglis commented 3 years ago

If I remove the following line, ws_allocate is working: setegid(dbgid); seteuid(dbuid);

But this will cause trouble if the db is on an NFS. If the dbuid/dbgid are unix groups/users the issue occurs too.

staeglis commented 3 years ago

OK, I've mixed up the config entries dbuid and dbgid. But this doesn't solve the issue. It's working only if I give write access for the database directory to everyone. I assume this isn't intended? The owner of the new db file is in this case dbuid/dbgid

staeglis commented 3 years ago

Sorry, this was a classical layer 8 problem. The dbuid user hadn't write access to the database folder. Thank you very much for your help.
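
A preflight check for the failure diagnosed in this thread, added here as an example and not part of hpc-workspace: after ws_allocate switches to dbuid/dbgid with setegid()/seteuid(), creating the DB entry needs write and search permission on the database directory for that identity. The function names are hypothetical, and the check uses plain mode bits only (no ACLs, no root override, no NFS squashing).

```python
import os
import stat
import tempfile


def permission_class(st, uid, gids):
    """Return which POSIX class ('owner', 'group', 'other') applies to uid/gids."""
    if st.st_uid == uid:
        return "owner"
    if st.st_gid in gids:
        return "group"
    return "other"


def can_create_entry(path, uid, gid, extra_gids=()):
    """True if effective uid/gid may create a file in the directory `path`.

    Assumption: only the classic rwx mode bits are evaluated.
    """
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False
    cls = permission_class(st, uid, {gid, *extra_gids})
    need = {
        "owner": stat.S_IWUSR | stat.S_IXUSR,
        "group": stat.S_IWGRP | stat.S_IXGRP,
        "other": stat.S_IWOTH | stat.S_IXOTH,
    }[cls]
    return (st.st_mode & need) == need


def demo():
    """Constructed scenario: a DB directory in a temp dir, checked for several identities."""
    with tempfile.TemporaryDirectory() as db:
        st = os.stat(db)
        owner_uid, owner_gid = st.st_uid, st.st_gid
        foreign_uid, foreign_gid = owner_uid + 1, owner_gid + 1  # constructed ids
        os.chmod(db, 0o755)  # same mode as /tmp/tmp-db in the thread
        result = {
            "owner_0755": can_create_entry(db, owner_uid, owner_gid),
            "foreign_0755": can_create_entry(db, foreign_uid, foreign_gid),
        }
        os.chmod(db, 0o775)
        result["group_0775"] = can_create_entry(db, foreign_uid, owner_gid)
        os.chmod(db, 0o777)  # the "write access to everyone" workaround
        result["foreign_0777"] = can_create_entry(db, foreign_uid, foreign_gid)
        return result
```

With a drwxr-xr-x database directory, an identity that is not the directory owner lands in the "other" class and cannot create the entry, which matches the behaviour seen when dbuid and dbgid were swapped in the config.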