Failed to open /var/lib/openqa/.config/openqa/client.conf: Permission denied at /usr/share/openqa/script/../lib/OpenQA/UserAgent.pm line 42
|Target version:||openQA Project - Done|
from o3 after upgrade (could have been there in before):
Jul 16 09:00:02 ariel openqa: Failed to open /var/lib/openqa/.config/openqa/client.conf: Permission denied at /usr/share/openqa/script/../lib/OpenQA/UserAgent.pm line 42
ariel:~> sudo ls -l /var/lib/openqa/.config/openqa/client.conf -rw------- 1 geekotest root 125 Mar 23 2015 /var/lib/openqa/.config/openqa/client.conf
type=AVC msg=audit(1563267602.725:39999): apparmor="DENIED" operation="open" profile="/usr/share/openqa/script/openqa" name="/var/lib/openqa/.config/openqa/client.conf" pid=10799 comm="openqa" requested_mask="r" denied_mask="r" fsuid=493 ouid=493
so I guess something changed causing openQA to want to read the client config now?
Maybe a regression from the recent upgrade:
$ git log1 --no-merges 222783b0..e00d3964 4a71161b Make the websocket server tests less noisy 79acbcfe (okurz/fix/spec, fix/spec) docker: Add back 'Test::Compile' as needed for os-autoinst 641b735b spec: Fix invalid '%perl' introduced with 3aadc34c 0500c7e5 Test handling worker job status changes 623d86ea Fix passing --no-cleanup worker CLI option bcf9926f (okurz/enhance/prevent_git_gc_message, enhance/prevent_git_gc_message) fetchneedles: Use subshells efficiently for dir changes c611e003 fetchneedles: Fix indention 0e7265d4 fetchneedles: Prevent noisy output about auto-packing git repos 461240de (Martchus/limit-jobs) Ensure query in jobs API does not become too big 561c8399 (Martchus/job-templates) Remove group name from job templates example d949480f Adapt order of job template example e0bf4f71 (kraih/dead_auth_tests) Remove dead auth tests from a DBus refactoring 4 years ago 02a40929 (kraih/plugin_auth) Give the authentication routes plugins will use names and test them 262df501 Improve and simplify compile check 380e5131 Add Test::Strict to Docker container ad573935 (kraih/plugin_links) Allow plugins to add links to the menu 9d954788 Allow any suffix for TAP source files a9bfc7da (okurz/enhance/docs_generation) .travis.yml: Make documentation generation an explicit job, only on master 68df32b1 .travis.yml: Give readable names to test jobs ed28edff .travis.yml: Put handling of cache dir together 8250363b Extend filter for new/updated admin table rows f6178374 Make log messages of worker tests less verbose 3887fe66 (okurz/fix/genapi) generate-documentation: Fix wrong script path introduced by 81df2fd e4e70018 (okurz/fix/docs) docs: Fix quotes and apostrophes for asciidoctor/github style 3d7e4f25 (okurz/feature/travis_retry) .travis.yml: Workaround flaky tests with 'travis_test' b25d06ed Test kvm module, only if it is not built-in 2dcb9772 Make containers non-x86 archs friendly and update to leap 15.1 53a11de0 (kraih/run_cmd_proto) Remove another useless prototype and an unused function from OpenQA::Utils 512455fe Remove obsolete prototypes 3aadc34c (okurz/fix/build_warning) Explicitly specify perl module 'Module::Pluggable' to fix warning f54fa4d7 openqa-clone-job: Improve handling --from parameter 841e0772 (okurz/feature/release_readme) README: Clarify how releases are made
I could not find related changes in the according diff though.
It rather looks to me as if this is not causing any real problems as the relevant config file should be /etc/openqa/client.conf . I checked both files /etc/openqa/client.conf and /var/lib/openqa/.config/openqa/client.conf . Both are unchanged since 2015 and probably we can just delete the latter.
It simply looks for the config file in the home directory (apparently
/var/lib/openqa in this case). That this doesn't work is not a problem because then it falls back to the global config under
I guess searching in the home directory it actually a useful feature so I'd keep it. Likely we should just delete the file under
/var/lib/openqa/.config/openqa/client.conf. So far I have just renamed it to
- Project changed from openQA Project to openQA Infrastructure
- Category deleted (
- Status changed from New to Resolved
- Assignee set to okurz
yes, right. So I guess it was actually just a configuration issue in our infra. I deleted the complete directory /var/lib/openqa/.config/openqa , the file in /etc/openqa/client.conf is still there with the same content. I don't know if it's even required. thanks for the help.
- Status changed from Resolved to In Progress
nope, not that easy :)
The file is used by rsync.pl from /etc/cron.d/openqa-iso-sync calling /opt/openqa-scripts/openqa-iso-sync as geekotest. I put back a copy of /etc/openqa/client.conf . We could either make /etc/openqa/client.conf readable to geekotest or schedule from a different user. I checked the setup on osd and it seems to be comparable, e.g. geekotest calling rsync.pl with the credentials in /var/lib/openqa/.config/openqa/client.conf as well but the difference being that apparmor is not running on osd.