ov_rest plugin fails to create cert files #2733

Open
mohandev2 opened this issue Aug 30, 2018 · 4 comments
@mohandev2
Collaborator

The plugin is unable to create the cert file and OEM_EVENT_FILE due to permissions. The plugin works well though. We could also see if we need to store the cert files. The error in the syslog is:
Aug 30 12:48:43 openhpi-rhel76 openhpid: ov_rest: ov_rest_discover.c:1733: OV_REST Discovery Completed
Aug 30 12:48:43 openhpi-rhel76 openhpid: ov_rest: ov_rest_event.c:1256: Failed to create the directory /var/lib/openhpi/ov_rest/cert, Permission denied
Aug 30 12:48:43 openhpi-rhel76 openhpid: ov_rest: ov_rest_event.c:1276: Failed to change the dir to /var/lib/openhpi/ov_rest/cert, Permission denied
Aug 30 12:48:43 openhpi-rhel76 openhpid: ov_rest: ov_rest_event.c:1292: Error opening the file SSLCert_9.pem
Aug 30 12:48:43 openhpi-rhel76 openhpid: ov_rest: ov_rest_event.c:1857: Error opening OEM_EVENT_FILE file: /var/lib/openhpi/ov_rest/oem_event_9.log

@HemanthBeecherla
Collaborator

Hi Mohan,

Could you please add the steps to recreate this issue?

Thanks,
Hemantha Reddy

@mohandev2
Collaborator Author

Compiled the sources on a RHEL 7.5 system using make rpm. Installed the RPMs using rpm -iUvh *.rpm and ran the daemon using systemctl start daemon. The cert directory has 600 permissions.

@mohandev2
Collaborator Author

The problem is due to SELinux being enforced. The security contexts of the source and target do not match. Packaging the ov_rest and cert directories with 600 permissions helps a little bit, as it allows the creation of cert files in that directory. We will not be able to package the cert files, as there are three files for each one view ring and the file name also depends on the instance id.

One workaround for now is that the user could stop the daemon and set openhpid_t to permissive mode using "semanage permissive -a openhpid_t" before restarting the daemon using systemctl. Looks like this setting is valid till the next reboot.

@mohandev2
Collaborator Author

One of the other things that may help to overcome this problem is to create an openhpi user and make the /var/lib/openhpi directory owned by the openhpi user. Take a look at the sssd-common or trousers packages.
Not many packages do this, so by default SELinux is turned off even on the production machines as of now. This may not last forever.
Workaround for now:

Install policycoreutils-python-utils if not already installed
systemctl stop openhpid
semanage permissive -a openhpid_t as root
systemctl start openhpid
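
An added triage sketch, not part of this thread or of the OpenHPI code: it pulls the paths that ov_rest failed to create or open out of the syslog and shows, for the nearest existing parent of each, the ownership and mode next to the SELinux label, so the two possible causes discussed above can be told apart before a whole domain is made permissive. The function names `ov_rest_failed_paths` and `triage_path` and the log file argument are assumptions; `SAMPLE_LOG` is the excerpt quoted in the first comment.

```shell
#!/bin/sh
# Added example. SAMPLE_LOG is the syslog excerpt quoted in this issue.
SAMPLE_LOG='Aug 30 12:48:43 openhpi-rhel76 openhpid: ov_rest: ov_rest_discover.c:1733: OV_REST Discovery Completed
Aug 30 12:48:43 openhpi-rhel76 openhpid: ov_rest: ov_rest_event.c:1256: Failed to create the directory /var/lib/openhpi/ov_rest/cert, Permission denied
Aug 30 12:48:43 openhpi-rhel76 openhpid: ov_rest: ov_rest_event.c:1276: Failed to change the dir to /var/lib/openhpi/ov_rest/cert, Permission denied
Aug 30 12:48:43 openhpi-rhel76 openhpid: ov_rest: ov_rest_event.c:1292: Error opening the file SSLCert_9.pem
Aug 30 12:48:43 openhpi-rhel76 openhpid: ov_rest: ov_rest_event.c:1857: Error opening OEM_EVENT_FILE file: /var/lib/openhpi/ov_rest/oem_event_9.log'

# Print each distinct absolute path named in an ov_rest failure line (stdin = syslog).
ov_rest_failed_paths() {
    awk '
        /openhpid: ov_rest:/ && (/Failed to/ || /Error opening/) {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^\//) {
                    p = $i
                    sub(/,$/, "", p)            # drop the comma before the errno text
                    if (!(p in seen)) { seen[p] = 1; print p }
                    break
                }
        }'
}

# Show DAC owner/mode and the SELinux label of the nearest existing ancestor,
# i.e. the directory in which the create or open was refused.
triage_path() {
    p=$1
    while [ ! -e "$p" ] && [ "$p" != "/" ]; do p=$(dirname "$p"); done
    stat -c 'DAC  %U:%G mode=%a  %n' "$p"
    ls -dZ "$p" 2>/dev/null | sed 's/^/MAC  /'
}

# Usage: sh triage.sh /var/log/messages   (script and log file names are assumptions)
if [ -n "${1:-}" ]; then
    if command -v getenforce >/dev/null 2>&1; then echo "SELinux: $(getenforce)"; fi
    ov_rest_failed_paths < "$1" | while read -r p; do triage_path "$p"; done
    # If the DAC line would let the daemon's user write and SELinux is Enforcing,
    # look for the matching denial with: ausearch -m AVC -c openhpid
fi
```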
