UKGovLD/registry-core

Failure to update nginx proxy via sudo

Closed this issue · 2 comments

We encountered an issue with user credentials: Tomcat reported a failure starting. However, our registry was accessible. Logging in with a correct user name and password (it worked once? then) seemed to permanently fail. A bit of digging showed the following errors in catalina.out:

09-12 04:28:52 INFO ForwardingServiceImpl :: Registering delegation path at /ogc/om/1.0 -> http://schemas.opengis.net/om/1.0.0/om.xsd [302]
09-12 04:28:52 ERROR ForwardingServiceImpl :: Failed to update nginx proxy config (code: 1) sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: 3 incorrect password attempts

I believe this results in a read-only user database; perhaps that explains the issues with credentials, but I'm not sure.

Nevertheless the Catalina error messages are associated with

Process process = Runtime.getRuntime().exec(new String[]{ "/usr/bin/sudo", script});

This fails in our (dockerized) environment because sudo cannot be invoked from Java by the tomcat7 user. Changing the Tomcat configuration so it ran as root resulted in a successful registry start-up and seemed to solve our user credentials issue.

If this is a bug, perhaps the call to sudo to modify the nginx configuration could be removed and instead, during install, Tomcat could be given write permissions to the nginx configuration.

der commented

Not sure why this left authentication not working. There isn't a read-only mode for the user database that I know of. You can get into a state where the user database is locked and not accessible at all. That can be cleared by deleting the Derby lock file in /var/opt/ldregistry/userstore/; however, if that were the situation, you would see an exception trace in the catalina log saying Derby was unable to open the database.

The issue with sudo is not write permission but the need to request an nginx reload (done by sending a -HUP signal). I'm not aware of another way to grant a user permission to do this other than by sudo. The sudo configuration that's installed by the shell provisioner is limited to only the ability to run the /opt/ldregistry/proxy-conf.sh script. You shouldn't need to run as root; the sudoers entry should be enough. I've no experience with Docker but don't see why that should be any different in this respect.

It looks like your sudoers entry is not being picked up. The entry from the install script includes !requiretty, but your error message shows a tty is being required. Is the /etc/sudoers.d/ldregistry file present and correct? Is sudoers configured to use /etc/sudoers.d? An alternative, which we used originally, was to tack the entry on the end of /etc/sudoers.
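The questions in that reply can be turned into a mechanical check. The following is an added example, not code from the registry-core project or from either commenter: it builds constructed /etc lookalikes in a temporary directory (so it runs without root and never touches the real /etc/sudoers) and reports the same four conditions: whether the main sudoers file includes /etc/sudoers.d, whether the ldregistry drop-in exists, whether a tty requirement still applies to the user given only the files sudo would actually read, and whether the rule grants nothing beyond the reload script. The user name tomcat7, the drop-in name and the script path are taken from the thread; the exact drop-in text the installer writes is an assumption, as is the "Defaults requiretty" main file used as the failing sample (the stock RHEL/CentOS setting, which is what produces "no tty present").

```shell
#!/bin/sh
# Added example, not code from UKGovLD/registry-core or from the thread's
# participants.  Checks the sudoers wiring discussed above against constructed
# files in a temp directory; nothing here reads the real /etc/sudoers.

# Drop-in of the shape the installer is said to write.  User, script path and
# !requiretty come from the thread; the exact installer text is assumed.
ldregistry_dropin() {
    cat <<'EOF'
Defaults:tomcat7 !requiretty
tomcat7 ALL=(root) NOPASSWD: /opt/ldregistry/proxy-conf.sh
EOF
}

# 0 if the main sudoers file pulls in the drop-in directory.  Accepts the
# classic '#includedir' and the '@includedir' spelling of sudo 1.9.1 and later.
sudoers_includes_dir() {
    grep -Eq '^[[:space:]]*[#@]includedir[[:space:]]+/etc/sudoers\.d' "$1"
}

# 0 if USER would still need a tty given FILES: a global 'Defaults requiretty'
# with no 'Defaults:USER !requiretty' override anywhere in those files.  This is
# the combination behind "sudo: no tty present and no askpass program specified".
requiretty_applies() {
    user="$1"; shift
    if cat "$@" | grep -E '^[[:space:]]*Defaults[[:space:]]' \
                | grep -Ev '!requiretty' | grep -q 'requiretty'; then
        ! cat "$@" | grep -Eq "^[[:space:]]*Defaults:${user}[[:space:]].*!requiretty"
    else
        return 1
    fi
}

# 0 if every rule for USER in FILE is NOPASSWD and names exactly CMD, i.e. the
# grant is as narrow as the reply says the provisioner makes it.
dropin_grants_only() {
    user="$1"; cmd="$2"; file="$3"
    cmd_re=$(printf '%s' "$cmd" | sed 's/[.]/\\./g')           # literal dots
    rules=$(grep -E "^[[:space:]]*${user}[[:space:]]" "$file" || :)
    total=$(printf '%s\n' "$rules" | grep -c . || :)
    good=$(printf '%s\n' "$rules" | grep -Ec "NOPASSWD:[[:space:]]*${cmd_re}[[:space:]]*$" || :)
    [ "$total" -gt 0 ] && [ "$total" -eq "$good" ]
}

# Build one constructed /etc lookalike and print its path.  MAIN is the main
# sudoers text; DROPIN is the drop-in text, or empty to simulate a missing file.
make_scenario() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sudoers.d"
    printf '%s\n' "$1" > "$dir/sudoers"
    [ -n "$2" ] && printf '%s\n' "$2" > "$dir/sudoers.d/ldregistry"
    echo "$dir"
}

# The reply's questions in order.  Only files sudo would really read feed the
# requiretty check: a drop-in that is present but not included counts for
# nothing.  Prints the failed checks (or "ok"); returns 0 only when all pass.
check_sudo_wiring() {
    etc="$1"; user="$2"; cmd="$3"
    dropin="$etc/sudoers.d/ldregistry"
    problems=""
    set -- "$etc/sudoers"
    if sudoers_includes_dir "$etc/sudoers"; then
        [ -f "$dropin" ] && set -- "$@" "$dropin"
    else
        problems="$problems no-includedir"
    fi
    [ -f "$dropin" ] || problems="$problems missing-dropin"
    requiretty_applies "$user" "$@" && problems="$problems requiretty"
    if [ -f "$dropin" ]; then
        dropin_grants_only "$user" "$cmd" "$dropin" || problems="$problems bad-rule"
    fi
    [ -z "$problems" ] && { echo ok; return 0; }
    echo "${problems# }"
    return 1
}

# Demo on constructed inputs: a requiretty main file without and with the
# includedir line.  The first reproduces the state behind the reported error.
MAIN_NO_INCLUDE='Defaults requiretty
root ALL=(ALL) ALL'
MAIN_WITH_INCLUDE='Defaults requiretty
#includedir /etc/sudoers.d
root ALL=(ALL) ALL'
for main in "$MAIN_NO_INCLUDE" "$MAIN_WITH_INCLUDE"; do
    etc=$(make_scenario "$main" "$(ldregistry_dropin)")
    printf 'checks: '; check_sudo_wiring "$etc" tomcat7 /opt/ldregistry/proxy-conf.sh || :
    rm -rf "$etc"
done
```

On a real host, run the same questions with sudo's own tools: `visudo -c -f /etc/sudoers.d/ldregistry` validates the drop-in's syntax, and `sudo -l -U tomcat7` (as root) lists exactly what that account may run, which is the answer to whether the entry is being picked up. Separately, a caller that has no terminal, such as the Java `Runtime.exec` above, is better off passing `-n` to sudo: instead of the three "Sorry, try again" prompts in the log it fails immediately with "sudo: a password is required", which is a much clearer signal that the sudoers entry is not in effect.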

Ah, thanks, I see. Sorry about that, I should have taken a look at the bootstrap script a bit more closely. I've had success with your suggestions in a pre-existing Docker container and I'm attempting to replicate this in a Dockerfile-built image.