Bug 830228 - net-analyzer/icinga2-2.13.2-r1 - Permission denied for /var/lib/icinga2/certs/ and /etc/icinga2/features-enabled/
Status: RESOLVED FIXED
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Matthew Thode ( prometheanfire )
Reported: 2021-12-29 13:29 UTC by Horst Prote
Modified: 2022-01-03 15:58 UTC

Description Horst Prote 2021-12-29 13:29:59 UTC
Running "icinga2 node wizard" on a freshly installed agent/satellite I get
...
critical/cli: chown() failed with error code 1, "Operation not permitted"
critical/SSL: Error while opening private RSA key file '/var/lib/icinga2/certs//agent1.my-domain.key': 33558541, "error:0200100D:system library:fopen:Permission denied"
critical/cli: Failed to create new self-signed certificate for CN 'agent1.my-domain'. Please try again.

and after fixing this by "chown icinga:icingacmd /var/lib/icinga2/certs/" the next "icinga2 node wizard" says
...
critical/cli: Cannot disable feature 'notification'. Unlinking target file '/etc/icinga2/features-enabled/notification.conf' failed with error code 13, "Permission denied".
critical/cli: Cannot disable feature(s): notification
Enabling feature api. Make sure to restart Icinga 2 for these changes to take effect.
critical/cli: Cannot enable feature 'api'. Linking source '../features-available/api.conf' to target file '/etc/icinga2/features-enabled/api.conf' failed with error code 13, "Permission denied".
critical/cli: Cannot enable feature(s): api
critical/Application: Error: boost::filesystem::copy_file: Permission denied: "/etc/icinga2/features-available/api.conf", "/etc/icinga2/features-available/api.conf.orig"

Only after "chown -R icinga:icinga /etc/icinga2/" the "icinga2 node wizard" runs without errors.

Reproducible: Always

Steps to Reproduce:
1. Install net-analyzer/icinga2-2.13.2-r1
2. Run "icinga2 node wizard" and do an agent/satellite setup.
Actual Results:  
The errors noted above.

Expected Results:  
No errors.

This can be fixed by changing
    fowners root:icinga /etc/icinga2
in the ebuild to
    fowners -R icinga:icinga /etc/icinga2
and adding
    fowners -R icinga:icingacmd /var/lib/icinga2/certs
    fowners -R icinga:icingacmd /var/lib/icinga2/certificate-requests
(In my case the /var/lib/icinga2/certificate-requests/ folder wasn't used by "icinga2 node wizard" but if one does another setup that wants to create a certificate request I think one will get the same Permission denied error for this folder.)
Comment 1 Larry the Git Cow gentoo-dev 2021-12-29 17:20:08 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9cd116618c6110a18eb9995a986f6c8aa63ce5ff

commit 9cd116618c6110a18eb9995a986f6c8aa63ce5ff
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2021-12-29 17:19:46 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2021-12-29 17:19:46 +0000

    net-analyzer/icinga2: update fowners to work with install wizard
    
    Closes: https://bugs.gentoo.org/830228
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 .../icinga2/{icinga2-2.13.2-r1.ebuild => icinga2-2.13.2-r2.ebuild} | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=29c0f4abdb1bd2638c84c0b946af174326f7d3dd

commit 29c0f4abdb1bd2638c84c0b946af174326f7d3dd
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2021-12-29 17:18:13 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2021-12-29 17:18:13 +0000

    net-analyzer/icinga2: update fowners to work with the install wizard
    
    Bug: https://bugs.gentoo.org/830228
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 net-analyzer/icinga2/icinga2-9999.ebuild | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
Comment 2 Horst Prote 2022-01-03 14:26:22 UTC
In icinga2-9999.ebuild you kept the line
  fowners icinga:icingacmd /var/log/icinga2
but in icinga2-2.13.2-r2.ebuild you removed it. Why?
This causes icinga2.service to fail with
  systemd[1]: icinga2.service: Main process exited, code=exited, status=1/FAILURE
  systemd[1]: icinga2.service: Failed with result 'exit-code'.
and /var/log/icinga2/ is empty. After
  chown icinga:icingacmd /var/log/icinga2
the icinga2.service starts without error.
Comment 3 Larry the Git Cow gentoo-dev 2022-01-03 15:58:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=836eb0586634c5d1a5da7e59775c9880c5c5c545

commit 836eb0586634c5d1a5da7e59775c9880c5c5c545
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2022-01-03 15:58:00 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2022-01-03 15:58:14 +0000

    net-analyzer/icinga2: fix missing fowner on logdir
    
    Bug: https://bugs.gentoo.org/830228
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 .../icinga2/{icinga2-2.13.2-r2.ebuild => icinga2-2.13.2-r3.ebuild}     | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
Comment 4 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2022-01-03 15:58:54 UTC
sorry about that, looks like I got too zealous removing lines
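
An added example (not part of the bug thread or the ebuild): a POSIX shell check that the directories named in this bug carry the ownership proposed in the description and Comment 2, so a missing `fowners` line shows up before the wizard or the service fails. The `EXPECTED` table and the `audit_owners` function are names made up for this sketch; it assumes GNU `stat` and `find`.

```shell
#!/bin/sh
# Added example, not from the ebuild. Assumes GNU stat/find (Linux).
# Ownership proposed in this bug: <path> <owner:group> <r = recursive | ->
EXPECTED='/etc/icinga2 icinga:icinga r
/var/lib/icinga2/certs icinga:icingacmd r
/var/lib/icinga2/certificate-requests icinga:icingacmd r
/var/log/icinga2 icinga:icingacmd -'

# audit_owners ROOT [TABLE]
# ROOT is prefixed to every path (pass '' to check the live system).
# Prints one line per problem and returns 1 if anything was printed.
audit_owners() {
    root=$1
    table=${2:-$EXPECTED}
    status=0
    while read -r path want mode; do
        [ -n "$path" ] || continue
        target=$root$path
        if [ ! -e "$target" ]; then
            echo "MISSING $target"
            status=1
            continue
        fi
        # Non-recursive entries only look at the directory itself.
        depth='-maxdepth 0'
        if [ "$mode" = r ]; then
            depth=''
        fi
        # List "owner:group path" for each entry, keep the mismatches.
        wrong=$(find "$target" $depth -exec stat -c '%U:%G %n' {} + |
                awk -v want="$want" \
                    '$1 != want { print "OWNER", $0, "(want " want ")" }')
        if [ -n "$wrong" ]; then
            echo "$wrong"
            status=1
        fi
    done <<EOF
$table
EOF
    return "$status"
}
```

Run `audit_owners ''` as root after installing the package; no output and exit status 0 mean every listed path matches.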