Several 'Permission Denied' errors on the iop-core-engine container and other files/services after installing or upgrading to Satellite 6.18 with IOP enabled when non-default umask is applied
Environment
- Red Hat Satellite 6.18
Issue
- iop-core-engine container fails to start
- Error message: "{\"msg\":\"exec container process /usr/local/bin/insights-core-engine: Permission denied\",\"level\":\"error\",\"time\":\"2026-02-11T10:30:23.646882Z\"}" when the container is run manually and as part of the satellite-installer
- "Error loading component" when visiting Lightspeed component pages in Satellite
Resolution
The issues stem from a default umask with an "others" mask of 7, which is typical in environments that have any level of the CIS security profiles applied. With this umask in place, permission problems arise at two points: during container import, and after the first run of satellite-installer, which initializes the files for the new web pages. To account for these, follow these steps:
- Adjust the umask in the container import script from the documentation by adding umask 0022 just for the import, for example:
  #!/bin/bash
  umask 0022
  images=(
    "satellite/iop-ingress-rhel9:6.18"
    ...
- After the installer has run and the services are up, the files and directories of the newly added components must be made accessible. Use these commands:
  # find /var/lib/foreman/public/assets/apps/ -type f -exec chmod 644 {} \;
  # find /var/lib/foreman/public/assets/apps/ -type d -exec chmod 755 {} \;
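An audit that can be run before and after the chmod step, as an added example that is not part of the original article or Red Hat's tooling: it lists files lacking read for "others" and directories lacking read/execute for "others". The function names and the sample tree built under umask 0027 are constructed for illustration; pass /var/lib/foreman/public/assets/apps/ as the argument to audit the real path.

```shell
#!/bin/bash
# Added example (not from the article): find entries a restrictive umask
# left inaccessible to "others", and normalize them as the resolution does.

# Print files without o+r and directories without o+rx under $1.
list_unreadable() {
    find "$1" \( -type f ! -perm -0004 \) -o \( -type d ! -perm -0005 \)
}

# Number of offending entries under $1.
count_unreadable() {
    list_unreadable "$1" | wc -l | tr -d ' '
}

# Same modes as the resolution: 644 for files, 755 for directories.
normalize_tree() {
    find "$1" -type f -exec chmod 644 {} +
    find "$1" -type d -exec chmod 755 {} +
}

# Constructed sample: a small asset tree created under umask 0027,
# so directories come out 750 and files 640. Prints the tree root.
make_sample_tree() {
    sample_root=$(mktemp -d) || return 1
    (
        umask 0027
        mkdir -p "$sample_root/apps/advisor"
        echo '{}' > "$sample_root/apps/advisor/fed-mods.json"
        echo 'x'  > "$sample_root/apps/advisor/app.js"
    )
    echo "$sample_root/apps"
}

# Read-only audit when a path is given on the command line.
if [ -n "${1:-}" ]; then
    echo "Entries not accessible to 'others' under $1:"
    list_unreadable "$1"
    echo "Total: $(count_unreadable "$1")"
fi
```

A total of 0 after the chmod commands means the web server can traverse and read every entry in the tree; a non-zero total after a later upgrade indicates the restrictive umask was applied again.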
Root Cause
These issues are being monitored in the following Jiras:
- SAT-41246
- SAT-41866
- SAT-38792
Diagnostic Steps
You can check for container namespace issues by trying to run commands in the container. For example:
# podman run -it --entrypoint /bin/bash fe9de9694285
{"msg":"exec container process `/bin/bash`: Permission denied","level":"error","time":"2026-02-24T03:35:03.824420Z"}
You can check access to the web files with curl:
# curl https://`hostname -f`/assets/apps/advisor/fed-mods.json
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>