MAAS doesn't have permissions to write in /etc/bind/maas

When the package creates this directory, can't it just make it owned/writable by the maas user?

To clarify, the code was written in such a way as to make a separately writable file possible, which should be included from the main named.conf.

Andres said he'd make the directory writable by the package.

Julian,

So I made the directory to be owned by maas user, root group, and this is the outcome:

ubuntu@maas:/etc/bind$ ls -l maas/
total 12
-rw-r--r-- 1 root root 99 Aug 29 08:57 named.conf.maas
-rw-r--r-- 1 root root 193 Aug 29 08:57 named.conf.rndc.maas
-rw-r--r-- 1 root root 539 Aug 29 08:57 rndc.conf.maas
ubuntu@maas:/etc/bind$ sudo chown -R maas:root maas
ubuntu@maas:/etc/bind$ ls -l maas/
total 12
-rw-r--r-- 1 maas maas 99 Aug 29 09:05 named.conf.maas
-rw-r--r-- 1 maas root 193 Aug 29 08:57 named.conf.rndc.maas
-rw-r--r-- 1 maas root 539 Aug 29 08:57 rndc.conf.maas

Now, I re-enabled the DNS server from the WebUI , the following error was seen in the celery.log. Additionally, I noticed that permissions on named.conf.maas were changed, causing bind9 to fail reloading the configuration file:

== Incorrect file permissions ==
ubuntu@maas:/etc/bind$ ls -l maas/
total 12
-rw------- 1 maas maas 99 Aug 29 09:05 named.conf.maas
-rw-r--r-- 1 maas root 193 Aug 29 08:57 named.conf.rndc.maas
-rw-r--r-- 1 maas root 539 Aug 29 08:57 rndc.conf.maas

=== bind failure (syslog) ===

Aug 29 09:05:33 maas named[23407]: received control channel command 'reload'
Aug 29 09:05:33 maas named[23407]: loading configuration from '/etc/bind/named.conf'
Aug 29 09:05:33 maas named[23407]: /etc/bind/named.conf.local:9: open: /etc/bind/maas/named.conf.maas: permission denied
Aug 29 09:05:33 maas named[23407]: reloading configuration failed: permission denied

=== celery error log ===

[2012-08-29 09:05:33,405: INFO/MainProcess] Got task from broker: provisioningserver.tasks.write_full_dns_config[3b7fe6ce-380f-442c-a9[67/784]
0e71313]
[2012-08-29 09:05:33,446: INFO/MainProcess] Got task from broker: provisioningserver.tasks.rndc_command[86c0d418-cb60-4720-b051-212b0f891782]
[2012-08-29 09:05:33,451: INFO/MainProcess] Task provisioningserver.tasks.write_full_dns_config[3b7fe6ce-380f-442c-a9fe-56fcd0e71313] succeede
d in 0.0323147773743s: None
[2012-08-29 09:05:33,498: ERROR/MainProcess] Task provisioningserver.tasks.rndc_command[86c0d418-cb60-4720-b051-212b0f891782] raised exception
: UnpickleableExceptionWrapper('subprocess', 'CalledProcessError', (), 'CalledProcessError()')
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/celery/execute/trace.py", line 47, in trace
    return cls(states.SUCCESS, retval=fun(*args, **kwargs))
  File "/usr/lib/python2.7/dist-packages/celery/app/task/__init__.py", line 247, in __call__
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/celery/app/__init__.py", line 175, in run
    return fun(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/provisioningserver/tasks.py", line 165, in rndc_command
    execute_rndc_command(arguments)
  File "/usr/lib/python2.7/dist-packages/provisioningserver/dns/config.py", line 110, in execute_rndc_command
    stdout=devnull)
  File "/usr/lib/python2.7/subprocess.py", line 511, in check_call
    raise CalledProcessError(retcode, ...

ARGH. The umask is messing us around again, it's the same problem for maas-
import-ephemerals. The reason it changes on an existing file is because it
gets renamed from a temp file (for atomic write purposes).

Do you know where the umask is getting set for the maas user?

Julian,

we do not set a umask for the maas user. It uses the default on user creation. however, we should not rely on changing the umask for the maas user, but rather, this should be fixed setting the correct permissions when copying over the file.

Also not that on maas-dns install, I had to fix those permissions, but they keep being changed:

 # fix permissions
        if [ -f /etc/bind/maas/named.conf.maas ]; then
                chmod 644 /etc/bind/maas/named.conf.maas
        fi

On Wednesday 29 August 2012 14:43:31 you wrote:
> Also not that on maas-dns install, I had to fix those permissions, but
> they keep being changed:
>
>
> # fix permissions
> if [ -f /etc/bind/maas/named.conf.maas ]; then
> chmod 644 /etc/bind/maas/named.conf.maas
> fi

Yeah that's due to the atomic way of writing with a temp rename. We'll make
it chmod.

Hi Julian

Already proposed a branch to fix that! :-)

Cheers
On Aug 29, 2012 8:15 PM, "Julian Edwards" <email address hidden>
wrote:

> On Wednesday 29 August 2012 14:43:31 you wrote:
> > Also not that on maas-dns install, I had to fix those permissions, but
> > they keep being changed:
> >
> >
> > # fix permissions
> > if [ -f /etc/bind/maas/named.conf.maas ]; then
> > chmod 644 /etc/bind/maas/named.conf.maas
> > fi
>
> Yeah that's due to the atomic way of writing with a temp rename. We'll
> make
> it chmod.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1042868
>
> Title:
> MAAS doesn't have permissions to write in /etc/bind/maas
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/maas/+bug/1042868/+subscriptions
>

Ok so, this needs to be looked at. MAAS modifies the files and the permissions end up being:

ubuntu@maas:/etc/bind/maas$ ls -l
total 12
-rwxr--r-- 1 maas maas 99 Aug 31 10:44 named.conf.maas
-rw-r--r-- 1 root root 193 Aug 31 10:12 named.conf.rndc.maas
-rw------- 1 root root 539 Aug 31 10:12 rndc.conf.maas

This bug was fixed in the package maas - 0.1+bzr971+dfsg-0ubuntu1

---------------
maas (0.1+bzr971+dfsg-0ubuntu1) quantal; urgency=low

  * New upstream release (LP: #1044367)

  [ Julian Edwards ]
  * Fix 02-pserv-config.patch to handle new default tftp directory

  [ Andres Rodriguez ]
  * debian/maas.postinst:
    - include '/MAAS' for DEFAULT_MAAS_URL.(LP: #1033956)
    - Update bzr version to safely upgrade.
  * Add maas-dns package that configures DNS in MAAS (LP: #1030860)
  * Remove cobbler related bits
    - debian/maas.postinst: Drop cobbler configuration
    - debian/maas.install: Drop installation of snippets/preseeds.
    - debian/control:
      + Drop Depends on maas-provision. (LP: #975473)
      + Depends on bind9utils.
      + Depends on python-lockfile (LP: #1037400)
      Add necessary Conflicts/Replaces. Add conflicts to tftpd-hpa and dnsmasq.
      Depends on isc-dhcp-server for maas-dhcp, and syslinux-common.
    - debian/extras/maas-provision: Add missing "$@" (LP: #1040462)
    - debian/patches:
      + 02-pserv-config.patch: Updated. Do not patch cobbler related bits.
        patch tftp config to default.
  * maas-dhcp: Re-add to handle initial configuration of MAAS DHCP server.
  * Allow restart of 'isc-dhcp-server' by adding a sudoers file:
    - debian/extras/99-maas-sudoers: Added.
    - debian/maas.install: Install 99-maas-sudoers
  * Minor improvements on dbconfig-common handling:
    - debian/maas.config: Only call dbc_go when scripts present.
    - debian/maas.postrm: Only call dbc_go when config file exists.
  * debian/maas.maas-celery.upstart: Enable Beat and set scheduler db file.
  * debian/maas-dns.postinst: Set correct permissions. (LP: #1042868)
  * debian/maas-dhcp.config:
    - Ask whether we want to enable DHCP (LP: #1044229)
    - Add debconf question for network interfaces
  * debian/maas.prerm: Stop services before removing database (LP: #1044559)
 -- Andres Rodriguez <email address hidden> Thu, 02 Aug 2012 09:01:43 -0400