SUSE Clients Fail to Register with RMT Server
This document (000021033) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 15 SP5
SUSE Linux Enterprise Server 15 SP4
SUSE Linux Enterprise Server 15 SP3
SUSE Linux Enterprise Server for SAP Applications 15 SP5
SUSE Linux Enterprise Server for SAP Applications 15 SP4
SUSE Linux Enterprise Server for SAP Applications 15 SP3
Repository Mirroring Tool (RMT)
SUSE Linux Enterprise Server 15 SP4
SUSE Linux Enterprise Server 15 SP3
SUSE Linux Enterprise Server for SAP Applications 15 SP5
SUSE Linux Enterprise Server for SAP Applications 15 SP4
SUSE Linux Enterprise Server for SAP Applications 15 SP3
Repository Mirroring Tool (RMT)
Situation
From the Client Side
Errors when attempting to register a client to the RMT server via yast registration.
Connection to registration server failed.
Details: 757: unexpected token at 'An unhandled lowlevel error occurred. The application logs may have details.'
Registration server error. Retry the operation later.
Details: Cannot parse credentials file
All clients can establish a connection to the RMT server to download the rmt-client-setup script:
From the RMT Server Side
The secrets.yml.key file is owned by root with 600 permissions:
The rmt-server.service status shows a permission denied error
Permission denied @ rb_sysopen - /usr/share/rmt/config/secrets.yml.key
Errors when attempting to register a client to the RMT server via yast registration.
Connection to registration server failed.
Details: 757: unexpected token at 'An unhandled lowlevel error occurred. The application logs may have details.'
Registration server error. Retry the operation later.
Details: Cannot parse credentials file
All clients can establish a connection to the RMT server to download the rmt-client-setup script:
# curl http://rmtserver.local/tools/rmt-client-setup --output /tmp/rmt-client-setup % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 8842 100 8842 0 0 3491k 0 --:--:-- --:--:-- --:--:-- 4317kErrors when using the rmt-client-setup script:
# bash /tmp/rmt-client-setup https://rmtserver.local ... Do you accept this certificate? [y/n] y Client setup finished. Start the registration now? [y/n] y /usr/sbin/SUSEConnect --write-config --url https://rmtserver.local Registering system to registration proxy https://rmtserver.local Announcing system to https://rmtserver.local ... Your Registration Proxy server doesn't support this function. Please update it and try again.
From the RMT Server Side
The secrets.yml.key file is owned by root with 600 permissions:
# ls -al /usr/share/rmt/config/secrets.yml.key -rw------- 1 root root 32 Sep 6 07:41 /usr/share/rmt/config/secrets.yml.keyUpdating the rmt-server package from earlier versions does not affect the RMT server (see Additional Section below).
The rmt-server.service status shows a permission denied error
Permission denied @ rb_sysopen - /usr/share/rmt/config/secrets.yml.key
#==[ Command ]======================================#
# /bin/systemctl status rmt-server.service
* rmt-server.service - RMT API server
Loaded: loaded (/usr/lib/systemd/system/rmt-server.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2023-03-31 15:52:20 CEST; 1h 2min ago
Main PID: 9569 (rails)
Tasks: 30
CGroup: /system.slice/rmt-server.service
Mar 31 15:58:03 rmtserver rails[9680]: 2023-03-31 15:58:03 +0200 Rack app ("POST /connect/subscriptions/systems" - (10.250.23.66)): #<Errno::EACCES: Permission denied @ rb_sysopen - /usr/share/rmt/config/secrets.yml.key>
Mar 31 15:58:03 rmtserver rails[9680]: 2023-03-31 15:58:03 +0200 Rack app ("GET /connect/repositories/installer" - (10.250.23.66)): #<Errno::EACCES: Permission denied @ rb_sysopen - /usr/share/rmt/config/secrets.yml.key>
Mar 31 15:59:03 rmtserver rails[9675]: 2023-03-31 15:59:03 +0200 Rack app ("POST /connect/subscriptions/systems" - (10.250.23.66)): #<Errno::EACCES: Permission denied @ rb_sysopen - /usr/share/rmt/config/secrets.yml.key>
Mar 31 15:59:03 rmtserver rails[9680]: 2023-03-31 15:59:03 +0200 Rack app ("GET /connect/repositories/installer" - (10.250.23.66)): #<Errno::EACCES: Permission denied @ rb_sysopen - /usr/share/rmt/config/secrets.yml.key>
Resolution
PREFERRED FIX
Update to the rmt-server package to rmt-server-2.15 or higher. For SLES15 SP4 and earlier, the package is available in the LTSS channels. For example,
SLES15 SP5 rmt-server-2.15-150500.3.9.2
SLES15 SP4 rmt-server-2.15-150400.3.18.2 (LTSS)
SLES15 SP3 rmt-server-2.15-150300.3.30.1 (LTSS)
You can register your clients immediately after updating the package.
WORK AROUND
If you cannot update the rmt-server package, you can choose this less desirable work around.
WARNING: Changing the secrets.yml.key file's ownership from root.root to root.nginx may leave the RMT server open to security vulnerabilities.
On the RMT server host, workaround as follows:
1. Change the secrets.yml.key file group ownership to nginx
2. Change the permissions to 640
Update to the rmt-server package to rmt-server-2.15 or higher. For SLES15 SP4 and earlier, the package is available in the LTSS channels. For example,
SLES15 SP5 rmt-server-2.15-150500.3.9.2
SLES15 SP4 rmt-server-2.15-150400.3.18.2 (LTSS)
SLES15 SP3 rmt-server-2.15-150300.3.30.1 (LTSS)
You can register your clients immediately after updating the package.
WORK AROUND
If you cannot update the rmt-server package, you can choose this less desirable work around.
WARNING: Changing the secrets.yml.key file's ownership from root.root to root.nginx may leave the RMT server open to security vulnerabilities.
On the RMT server host, workaround as follows:
1. Change the secrets.yml.key file group ownership to nginx
2. Change the permissions to 640
# chown root.nginx /usr/share/rmt/config/secrets.yml.key # chmod 640 /usr/share/rmt/config/secrets.yml.key # ls -al /usr/share/rmt/config/secrets.yml.key -rw-r----- 1 root nginx 32 Sep 6 07:41 /usr/share/rmt/config/secrets.yml.key3. You can now register your clients. You do not need to restart the rmt-server.service.
Cause
If the rmt-server packages listed in the Additional Information section are installed and the /usr/share/rmt/config/secrets.yml.key file is not found, it will be created with root ownership and 600 permissions causing client errors upon registration.
Status
Reported to Engineering
Additional Information
The new rmt-server-2.15 package removes the /usr/share/rmt/config/secrets.yml.key file altogether.
All information from TID 000020958 - Incorrect file permissions on /usr/share/rmt/config/secrets.yml.key after installation of package rmt-server has been merged into this document and removed.
As of this writing, the following rmt-server packages will create secrets.yml.key with the root owner and 600 permissions and would need the file ownership and mode changed.
SLES15 SP5
rmt-server-2.14-150500.3.6.1
rmt-server-2.13-150500.3.3.1
SLES15 SP4
rmt-server-2.14-150400.3.15.1
rmt-server-2.13-150400.3.12.1
rmt-server-2.10-150400.3.9.1
SLES15 SP3
rmt-server-2.10-150300.3.21.1
All information from TID 000020958 - Incorrect file permissions on /usr/share/rmt/config/secrets.yml.key after installation of package rmt-server has been merged into this document and removed.
As of this writing, the following rmt-server packages will create secrets.yml.key with the root owner and 600 permissions and would need the file ownership and mode changed.
SLES15 SP5
rmt-server-2.14-150500.3.6.1
rmt-server-2.13-150500.3.3.1
SLES15 SP4
rmt-server-2.14-150400.3.15.1
rmt-server-2.13-150400.3.12.1
rmt-server-2.10-150400.3.9.1
SLES15 SP3
rmt-server-2.10-150300.3.21.1
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000021033
- Creation Date: 22-Apr-2024
- Modified Date:23-Apr-2024
-
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
