open-hpi / openhpi


ov_rest plugin fails to create cert files #2733

Open mohandev2 opened 5 years ago

mohandev2 commented 5 years ago

The plugin is unable to create the cert file and OEM_EVENT_FILE due to permissions. The plugin works well though. We could also see if we need to store the cert files. The error in the syslog is:

Aug 30 12:48:43 openhpi-rhel76 openhpid: ov_rest: ov_rest_discover.c:1733: OV_REST Discovery Completed
Aug 30 12:48:43 openhpi-rhel76 openhpid: ov_rest: ov_rest_event.c:1256: Failed to create the directory /var/lib/openhpi/ov_rest/cert, Permission denied
Aug 30 12:48:43 openhpi-rhel76 openhpid: ov_rest: ov_rest_event.c:1276: Failed to change the dir to /var/lib/openhpi/ov_rest/cert, Permission denied
Aug 30 12:48:43 openhpi-rhel76 openhpid: ov_rest: ov_rest_event.c:1292: Error opening the file SSLCert_9.pem
Aug 30 12:48:43 openhpi-rhel76 openhpid: ov_rest: ov_rest_event.c:1857: Error opening OEM_EVENT_FILE file: /var/lib/openhpi/ov_rest/oem_event_9.log

HemanthBeecherla commented 5 years ago

Hi Mohan,

Could you please add the steps to recreate this issue?

Thanks, Hemantha Reddy

mohandev2 commented 5 years ago

Compiled the sources on a RHEL 7.5 system using make rpm. Installed the rpms using rpm -iUvh *.rpm and ran the daemon using systemctl start daemon. The cert directory has 600 permissions.

mohandev2 commented 5 years ago

The problem is due to SELinux being enforced. The security contexts of the source and target are not matching. Packaging the ov_rest and cert directories with 600 permission helps a little bit, as it allows the creation of cert files in that directory. We will not be able to package the cert files as there are three files for each one view ring and the file name depends on the instance id also.

One workaround for now is that the user could stop the daemon and set openhpid_t to permissive mode using "semanage permissive -a openhpid_t" before restarting the daemon using systemctl. Looks like this setting is valid till the next reboot.

mohandev2 commented 5 years ago

One of the other things that may help to overcome this problem is to create an openhpi user and make the /var/lib/openhpi directory owned by the openhpi user. Take a look at the sssd-common or trousers packages. Not many packages do this, so by default SELinux is turned off even on production machines as of now. This may not last forever. Workaround for now:

Install policycoreutils-python-utils if not already installed
systemctl stop openhpid
semanage permissive -a openhpid_t (as root)
systemctl start openhpid
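Added example, not code from the openhpi project: a small POSIX shell helper that pulls the paths the ov_rest plugin could not create or enter out of syslog text like the lines quoted in this issue, so an operator can check that directory's mode, owner and SELinux label (ls -Z, ausearch -m avc -c openhpid) before making the whole openhpid_t domain permissive. The function names and the embedded log sample are assumptions constructed for this example.

```shell
#!/bin/sh
# Constructed sample modelled on the syslog lines quoted in this issue
# (not a real capture).
SAMPLE_LOG='Aug 30 12:48:43 openhpi-rhel76 openhpid: ov_rest: ov_rest_discover.c:1733: OV_REST Discovery Completed
Aug 30 12:48:43 openhpi-rhel76 openhpid: ov_rest: ov_rest_event.c:1256: Failed to create the directory /var/lib/openhpi/ov_rest/cert, Permission denied
Aug 30 12:48:43 openhpi-rhel76 openhpid: ov_rest: ov_rest_event.c:1276: Failed to change the dir to /var/lib/openhpi/ov_rest/cert, Permission denied
Aug 30 12:48:43 openhpi-rhel76 openhpid: ov_rest: ov_rest_event.c:1292: Error opening the file SSLCert_9.pem
Aug 30 12:48:43 openhpi-rhel76 openhpid: ov_rest: ov_rest_event.c:1857: Error opening OEM_EVENT_FILE file: /var/lib/openhpi/ov_rest/oem_event_9.log'

# Read log text on stdin; print each distinct absolute path that an
# ov_rest "Permission denied" message refers to (hypothetical helper).
ov_rest_denied_paths() {
    awk '/openhpid: ov_rest: / && /Permission denied/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^\//) { sub(/,$/, "", $i); print $i }
    }' | sort -u
}

# Read log text on stdin; print how many ov_rest permission denials it holds.
ov_rest_denial_count() {
    grep -c 'openhpid: ov_rest: .*Permission denied'
}

# Succeed only if the current user can both enter (x) and write (w) the
# directory, the two operations that failed in the log. Root bypasses these
# DAC bits, so a pass here does not rule out an SELinux denial: confirm the
# label with "ls -Zd <dir>" and the AVC record with "ausearch -m avc".
dir_usable() {
    [ -d "$1" ] && [ -x "$1" ] && [ -w "$1" ]
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | ov_rest_denied_paths
```

Feed a real journal with `journalctl -u openhpid | ov_rest_denied_paths` and then inspect each printed path with `ls -Zd`.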