Bug 1578572

Summary: [RFE] Ceph-Ansible main.yml places restart scripts in /tmp - causing failures running restart scripts
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Scoots Hamilton <schamilt>
Component: Ceph-AnsibleAssignee: Sébastien Han <shan>
Status: CLOSED ERRATA QA Contact: Vasishta <vashastr>
Severity: medium Docs Contact: Erin Donnelly <edonnell>
Priority: high    
Version: 3.0CC: adeza, aschoen, ceph-eng-bugs, ceph-qe-bugs, edonnell, gmeno, hnallurv, kdreyer, mhackett, nthomas, rperiyas, sankarshan, schamilt, shan, vumrao
Target Milestone: z4Keywords: FutureFeature
Target Release: 3.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: RHEL: ceph-ansible-3.0.34-1.el7cp Ubuntu: ceph-ansible_3.0.34-2redhat1 Doc Type: Bug Fix
Doc Text:
Previously, when running the "rolling_updates.yml" playbook, customers encountered permission errors resulting in failure of the playbook tasks. This was due to an underlying issue in the script. In Ceph environments where "/tmp" is mounted with "noexec", calling the execution of the restart script from the "/tmp" does not work. The script is now called using a binary outside of "/tmp" so the "noexec" does not apply, and the "rolling_updates.yml" playbook no longer fails.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-07-11 18:11:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Scoots Hamilton 2018-05-15 21:21:29 UTC 
Description of problem:

When running the rolling_updates.yml playbook customers encounter permission errors, resulting in failure of the playbook tasks, for environments where the noexec flag has been set for the /tmp dir. 

The default tmp perms all for exec from that dir:

[quicklab@mgmt-0 /]$ ls -ld /tmp
drwxrwxrwt. 8 root root 169 May 15 16:30 /tmp

However:
Our security guide (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/security_guide/) mentions that it can be a security vulnerability to have the /tmp directory allow for exec permissions. So any customer who is following these recommendations will be subject to this error/issue. 


We are requesting that scripts which are critical to the execution of a playbook task be populated in an alternative directory, when possible.
Comment 3 Sébastien Han 2018-05-16 08:04:56 UTC 
Which directory should be used instead of /tmp? What's the recommendation?
We can potentially make this directory configurable.
Comment 4 Sébastien Han 2018-05-16 09:01:06 UTC 
Fix in https://github.com/ceph/ceph-ansible/releases/tag/v3.0.34
Comment 5 Scoots Hamilton 2018-05-16 13:50:29 UTC 
(In reply to leseb from comment #3)
> Which directory should be used instead of /tmp? What's the recommendation?
> We can potentially make this directory configurable.

Leseb, to be completely honest, I am not sure what the best alternative for directory placement would be.

I was able to find this article:  https://access.redhat.com/blogs/766093/posts/3169121

And found the approach quite interesting, however I am *feel that integrating such a feature might not be feasible, or the most productive, for such situations. But it does seem to address the main issues that we are facing in environments where customers must adhere to stricter security measures, and harden their environments. 

I will continue searching for, and considering potential solutions to this problem. 


Cheers!
-Scoots
Comment 6 Sébastien Han 2018-05-16 13:55:20 UTC 
Thanks for your response, I just backported a patch that will fix the issue. You will find it in tag v.3.0.34.

I suspect this will be part of the next z stream release for 3.0.

There is no need to dig further into this if you're interested in the solution is here: https://github.com/ceph/ceph-ansible/pull/2591/commits/628d4cc161f862001460300426481ba60953ddc3

Calling bash directly doesn't trigger the shebang which allows us to execute the script even though /tmp is mounted with noexec.
Comment 7 Scoots Hamilton 2018-05-16 14:23:35 UTC 
(In reply to leseb from comment #6)
> Thanks for your response, I just backported a patch that will fix the issue.
> You will find it in tag v.3.0.34.
> 
> I suspect this will be part of the next z stream release for 3.0.
> 
> There is no need to dig further into this if you're interested in the
> solution is here:
> https://github.com/ceph/ceph-ansible/pull/2591/commits/
> 628d4cc161f862001460300426481ba60953ddc3
> 
> Calling bash directly doesn't trigger the shebang which allows us to execute
> the script even though /tmp is mounted with noexec.

Awesome! That is way more fluid than what I was able to stumble upon, lol. Snazzy fix, congrats on the great work ^_^ 

-Scoots
Comment 13 Sébastien Han 2018-06-12 06:36:13 UTC 
Done.
Comment 14 Vasishta 2018-06-28 13:11:28 UTC 
QE tried the solution provided under PR 2591, working fine

"# /usr/bin/env bash /tmp/restart_mon_daemon.sh" restarted mon service when noexec flag was set on '/tmp'

Moving to VERIFIED state, Please let us know if there are any concerns.

Regards,
Vasishta Shastry
AQE, Ceph
Comment 16 errata-xmlrpc 2018-07-11 18:11:10 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2177