SUSE Support

Here When You Need Us

SUSE Clients Fail to Register with RMT Server

This document (000021033) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15 SP5
SUSE Linux Enterprise Server 15 SP4
SUSE Linux Enterprise Server 15 SP3
SUSE Linux Enterprise Server for SAP Applications 15 SP5
SUSE Linux Enterprise Server for SAP Applications 15 SP4
SUSE Linux Enterprise Server for SAP Applications 15 SP3
Repository Mirroring Tool (RMT)
 

Situation

From the Client Side

Errors when attempting to register a client to the RMT server via yast registration.

Connection to registration server failed.
Details: 757: unexpected token at 'An unhandled lowlevel error occurred. The application logs may have details.'

Registration server error. Retry the operation later.
Details: Cannot parse credentials file


All clients can establish a connection to the RMT server to download the rmt-client-setup script:
# curl http://rmtserver.local/tools/rmt-client-setup --output /tmp/rmt-client-setup
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  8842  100  8842    0     0  3491k      0 --:--:-- --:--:-- --:--:-- 4317k
Errors when using the rmt-client-setup script:
# bash /tmp/rmt-client-setup https://rmtserver.local
...
Do you accept this certificate? [y/n] y
Client setup finished.
Start the registration now? [y/n] y
/usr/sbin/SUSEConnect --write-config --url https://rmtserver.local 
Registering system to registration proxy https://rmtserver.local

Announcing system to https://rmtserver.local ...
Your Registration Proxy server doesn't support this function. Please update it and try again.

From the RMT Server Side

The secrets.yml.key file is owned by root with 600 permissions:
# ls -al /usr/share/rmt/config/secrets.yml.key
-rw------- 1 root root 32 Sep  6 07:41 /usr/share/rmt/config/secrets.yml.key
Updating the rmt-server package from earlier versions does not affect the RMT server (see Additional Section below).

The rmt-server.service status shows a permission denied error

Permission denied @ rb_sysopen - /usr/share/rmt/config/secrets.yml.key
#==[ Command ]======================================#
# /bin/systemctl status rmt-server.service
* rmt-server.service - RMT API server
     Loaded: loaded (/usr/lib/systemd/system/rmt-server.service; enabled; vendor preset: disabled)
     Active: active (running) since Fri 2023-03-31 15:52:20 CEST; 1h 2min ago
   Main PID: 9569 (rails)
      Tasks: 30
     CGroup: /system.slice/rmt-server.service

Mar 31 15:58:03 rmtserver rails[9680]: 2023-03-31 15:58:03 +0200 Rack app ("POST /connect/subscriptions/systems" - (10.250.23.66)): #<Errno::EACCES: Permission denied @ rb_sysopen - /usr/share/rmt/config/secrets.yml.key>
Mar 31 15:58:03 rmtserver rails[9680]: 2023-03-31 15:58:03 +0200 Rack app ("GET /connect/repositories/installer" - (10.250.23.66)): #<Errno::EACCES: Permission denied @ rb_sysopen - /usr/share/rmt/config/secrets.yml.key>
Mar 31 15:59:03 rmtserver rails[9675]: 2023-03-31 15:59:03 +0200 Rack app ("POST /connect/subscriptions/systems" - (10.250.23.66)): #<Errno::EACCES: Permission denied @ rb_sysopen - /usr/share/rmt/config/secrets.yml.key>
Mar 31 15:59:03 rmtserver rails[9680]: 2023-03-31 15:59:03 +0200 Rack app ("GET /connect/repositories/installer" - (10.250.23.66)): #<Errno::EACCES: Permission denied @ rb_sysopen - /usr/share/rmt/config/secrets.yml.key>

Resolution

PREFERRED FIX
Update to the rmt-server package to rmt-server-2.15 or higher. For SLES15 SP4 and earlier, the package is available in the LTSS channels. For example,

SLES15 SP5 rmt-server-2.15-150500.3.9.2
SLES15 SP4 rmt-server-2.15-150400.3.18.2 (LTSS) 
SLES15 SP3 rmt-server-2.15-150300.3.30.1 (LTSS)

You can register your clients immediately after updating the package.

WORK AROUND
If you cannot update the rmt-server package, you can choose this less desirable work around.

WARNING: Changing the secrets.yml.key file's ownership from root.root to root.nginx may leave the RMT server open to security vulnerabilities.

On the RMT server host, workaround as follows:
1. Change the secrets.yml.key file group ownership to nginx
2. Change the permissions to 640
# chown root.nginx /usr/share/rmt/config/secrets.yml.key
# chmod 640 /usr/share/rmt/config/secrets.yml.key
# ls -al /usr/share/rmt/config/secrets.yml.key
-rw-r----- 1 root nginx 32 Sep  6 07:41 /usr/share/rmt/config/secrets.yml.key
3. You can now register your clients. You do not need to restart the rmt-server.service.

Cause

If the rmt-server packages listed in the Additional Information section are installed and the /usr/share/rmt/config/secrets.yml.key file is not found, it will be created with root ownership and 600 permissions causing client errors upon registration.

Status

Reported to Engineering

Additional Information

The new rmt-server-2.15 package removes the /usr/share/rmt/config/secrets.yml.key file altogether.

All information from TID 000020958 - Incorrect file permissions on /usr/share/rmt/config/secrets.yml.key after installation of package rmt-server has been merged into this document and removed.

As of this writing, the following rmt-server packages will create secrets.yml.key with the root owner and 600 permissions and would need the file ownership and mode changed.

SLES15 SP5
rmt-server-2.14-150500.3.6.1
rmt-server-2.13-150500.3.3.1

SLES15 SP4
rmt-server-2.14-150400.3.15.1
rmt-server-2.13-150400.3.12.1
rmt-server-2.10-150400.3.9.1

SLES15 SP3
rmt-server-2.10-150300.3.21.1

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000021033
  • Creation Date: 04-Apr-2023
  • Modified Date:23-Apr-2024
    • SUSE Linux Enterprise Server
    • SUSE Linux Enterprise Server for SAP Applications

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.