Freeipa has a 'permission fixer' activity that attempts to sense when new files with security tokens are produced by the ods / dnssec process, then alter the group permissions of those files so named/bind9 can read them. However, it appears there exists some race condition resulting in the 'permission fixing' process leaving some few files lacking permission enough for named to read them.
Notice bind9 errors in the log like: May 12 10:25:31 registry1.1.quietfountain.com named[1397]: File.cpp(94): Could not open the file (Permission denied): /var/lib/ipa/dnssec/tokens/a16475a1-d0e7-b572-4f6c-c478f59d3035/189946a4-d576-5068-f018-4e3cbc7d5c5d.object May 12 10:25:31 registry1.1.quietfountain.com named[1397]: File.cpp(94): Could not open the file (Permission denied): /var/lib/ipa/dnssec/tokens/a16475a1-d0e7-b572-4f6c-c478f59d3035/189946a4-d576-5068-f018-4e3cbc7d5c5d.object May 12 10:25:32 registry1.1.quietfountain.com named[1397]: File.cpp(94): Could not open the file (Permission denied): /var/lib/ipa/dnssec/tokens/a16475a1-d0e7-b572-4f6c-c478f59d3035/b855b01a-50b0-ee9f-eec4-957706c5de42.object May 12 10:25:32 registry1.1.quietfountain.com named[1397]: File.cpp(94): Could not open the file (Permission denied): /var/lib/ipa/dnssec/tokens/a16475a1-d0e7-b572-4f6c-c478f59d3035/b855b01a-50b0-ee9f-eec4-957706c5de42.object
Notice files lacking permissions, for hours, despite permission fixer process like:
[root@registry1 ~]# ls -l /var/lib/ipa/dnssec/tokens/a16475a1-d0e7-b572-4f6c-c478f59d3035/ total 444 -rw-rw----+ 1 ods named 0 May 11 17:31 013d02e5-abb6-a458-d4fe-fbf2eccb1137.lock ... -rw-rw----+ 1 ods named 2273 May 12 05:07 139c7173-9bae-f36b-4113-9ae4fc846272.object -rw-------. 1 ods named 0 May 12 10:14 189946a4-d576-5068-f018-4e3cbc7d5c5d.lock -rw-------. 1 ods named 983 May 12 10:14 189946a4-d576-5068-f018-4e3cbc7d5c5d.object -rw-rw----+ 1 ods named 0 May 12 05:53 1ec25135-6cca-6d1b-d513-2de0ad7812f0.lock -rw-rw----+ 1 ods named 983 May 12 05:53 1ec25135-6cca-6d1b-d513-2de0ad7812f0.object ... -rw-rw----+ 1 ods named 855 May 11 17:47 b808e046-963e-eed3-ff5c-cdb56647af5f.object -rw-------. 1 ods named 0 May 12 10:14 b855b01a-50b0-ee9f-eec4-957706c5de42.lock -rw-------. 1 ods named 2849 May 12 10:14 b855b01a-50b0-ee9f-eec4-957706c5de42.object -rw-rw----+ 1 ods named 0 May 12 07:25 bb0efb24-1dea-8f38-0476-a9c09ac146d1.lock -rw-rw----+ 1 ods named 983 May 12 07:25 bb0efb24-1dea-8f38-0476-a9c09ac146d1.object
bind9 / named not being blocked from reading token files. Might setting a better umask in the .service file or setfacl default mask in the token directory make the permissions correct from the moment the file is created and so eliminate the need to chase after the creation of these files to fix the permissions?
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
freeipa-server-4.9.3-2.fc34.x86_64 freeipa-client-4.9.3-2.fc34.x86_64 package ipa-server is not installed package ipa-client is not installed 389-ds-base-2.0.3-3.fc34.x86_64 pki-ca-10.10.5-6.fc34.noarch krb5-server-1.19.1-3.fc34.x86_64
Evil workaround: Put this command in as an hourly cron job:
chmod -R g+rwX /var/lib/ipa/dnssec/tokens
Metadata Update from @frenaud: - Issue set to the milestone: DNSSEC
Note: possible fix by softhsm(not released yet): https://github.com/opendnssec/SoftHSMv2/pull/566/commits/de5bb8a3a5b98c193821be1b3bbfa4f768a32da1
Login to comment on this ticket.