SUSE Clients Fail to Register with RMT Server
This document (000021033) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 15 SP5
SUSE Linux Enterprise Server 15 SP4
SUSE Linux Enterprise Server 15 SP3
SUSE Linux Enterprise Server for SAP Applications 15 SP5
SUSE Linux Enterprise Server for SAP Applications 15 SP4
SUSE Linux Enterprise Server for SAP Applications 15 SP3
Repository Mirroring Tool (RMT)
SUSE Linux Enterprise Server 15 SP4
SUSE Linux Enterprise Server 15 SP3
SUSE Linux Enterprise Server for SAP Applications 15 SP5
SUSE Linux Enterprise Server for SAP Applications 15 SP4
SUSE Linux Enterprise Server for SAP Applications 15 SP3
Repository Mirroring Tool (RMT)
Situation
From the Client Side
Errors when attempting to register a client to the RMT server via yast registration.
Connection to registration server failed.
Details: 757: unexpected token at 'An unhandled lowlevel error occurred. The application logs may have details.'
Registration server error. Retry the operation later.
Details: Cannot parse credentials file
All clients can establish a connection to the RMT server to download the rmt-client-setup script:
From the RMT Server Side
The secrets.yml.key file is owned by root:
The rmt-server.service status shows a permission denied error
Permission denied @ rb_sysopen - /usr/share/rmt/config/secrets.yml.key
Errors when attempting to register a client to the RMT server via yast registration.
Connection to registration server failed.
Details: 757: unexpected token at 'An unhandled lowlevel error occurred. The application logs may have details.'
Registration server error. Retry the operation later.
Details: Cannot parse credentials file
All clients can establish a connection to the RMT server to download the rmt-client-setup script:
# curl http://rmtserver.local/tools/rmt-client-setup --output /tmp/rmt-client-setup % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 8842 100 8842 0 0 3491k 0 --:--:-- --:--:-- --:--:-- 4317kErrors when using the rmt-client-setup script:
# bash /tmp/rmt-client-setup https://rmtserver.local ... Do you accept this certificate? [y/n] y Client setup finished. Start the registration now? [y/n] y /usr/sbin/SUSEConnect --write-config --url https://rmtserver.local Registering system to registration proxy https://rmtserver.local Announcing system to https://rmtserver.local ... Your Registration Proxy server doesn't support this function. Please update it and try again.
From the RMT Server Side
The secrets.yml.key file is owned by root:
# ls -al /usr/share/rmt/config/secrets.yml.key -rw------- 1 root root 32 Sep 6 07:41 /usr/share/rmt/config/secrets.yml.keyUpdating the rmt-server package from earlier versions does not affect the RMT server (see Additional Section below).
The rmt-server.service status shows a permission denied error
Permission denied @ rb_sysopen - /usr/share/rmt/config/secrets.yml.key
#==[ Command ]======================================#
# /bin/systemctl status rmt-server.service
* rmt-server.service - RMT API server
Loaded: loaded (/usr/lib/systemd/system/rmt-server.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2023-03-31 15:52:20 CEST; 1h 2min ago
Main PID: 9569 (rails)
Tasks: 30
CGroup: /system.slice/rmt-server.service
Mar 31 15:58:03 rmtserver rails[9680]: 2023-03-31 15:58:03 +0200 Rack app ("POST /connect/subscriptions/systems" - (10.250.23.66)): #<Errno::EACCES: Permission denied @ rb_sysopen - /usr/share/rmt/config/secrets.yml.key>
Mar 31 15:58:03 rmtserver rails[9680]: 2023-03-31 15:58:03 +0200 Rack app ("GET /connect/repositories/installer" - (10.250.23.66)): #<Errno::EACCES: Permission denied @ rb_sysopen - /usr/share/rmt/config/secrets.yml.key>
Mar 31 15:59:03 rmtserver rails[9675]: 2023-03-31 15:59:03 +0200 Rack app ("POST /connect/subscriptions/systems" - (10.250.23.66)): #<Errno::EACCES: Permission denied @ rb_sysopen - /usr/share/rmt/config/secrets.yml.key>
Mar 31 15:59:03 rmtserver rails[9680]: 2023-03-31 15:59:03 +0200 Rack app ("GET /connect/repositories/installer" - (10.250.23.66)): #<Errno::EACCES: Permission denied @ rb_sysopen - /usr/share/rmt/config/secrets.yml.key>
Resolution
Reported to Engineering
WARNING: Changing the secrets.yml.key file's ownership from root.root to _rmt.nginx may leave the RMT server open to security vulnerabilities, but is the only current workaround available. Engineering is aware of the issue.
On the RMT server host, workaround as follows:
1. Change the secrets.yml.key file ownership to _rmt.nginx
WARNING: Changing the secrets.yml.key file's ownership from root.root to _rmt.nginx may leave the RMT server open to security vulnerabilities, but is the only current workaround available. Engineering is aware of the issue.
On the RMT server host, workaround as follows:
1. Change the secrets.yml.key file ownership to _rmt.nginx
# chown _rmt.nginx /usr/share/rmt/config/secrets.yml.key # ls -al /usr/share/rmt/config/secrets.yml.key -rw------- 1 _rmt nginx 32 Sep 6 07:41 /usr/share/rmt/config/secrets.yml.key2. You can now register your clients. You do not need to restart the rmt-server.service.
Cause
If the rmt-server packages listed in the Additional Information section are installed and the /usr/share/rmt/config/secrets.yml.key file is not found, it will be created with root ownership causing client errors upon registration.
Status
Reported to Engineering
Additional Information
All information from TID 000020958 - Incorrect file permissions on /usr/share/rmt/config/secrets.yml.key after installation of package rmt-server has been merged into this document and removed.
As of this writing, the following rmt-server packages will create secrets.yml.key with the root owner and would need the ownership changed.
SLES15 SP5
rmt-server-2.14-150500.3.6.1
rmt-server-2.13-150500.3.3.1
SLES15 SP4
rmt-server-2.14-150400.3.15.1
rmt-server-2.13-150400.3.12.1
rmt-server-2.10-150400.3.9.1
SLES15 SP3
rmt-server-2.10-150300.3.21.1
As of this writing, the following rmt-server packages will create secrets.yml.key with the root owner and would need the ownership changed.
SLES15 SP5
rmt-server-2.14-150500.3.6.1
rmt-server-2.13-150500.3.3.1
SLES15 SP4
rmt-server-2.14-150400.3.15.1
rmt-server-2.13-150400.3.12.1
rmt-server-2.10-150400.3.9.1
SLES15 SP3
rmt-server-2.10-150300.3.21.1
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000021033
- Creation Date: 20-Sep-2023
- Modified Date:20-Sep-2023
-
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
Run SAP
SUSE for Public Cloud
Security
