Bug 1636290

Summary: [OSP13] instack uses /tmp as temporary directory for DIB to run scripts, but /tmp is often mounted with noexec
Product: Red Hat OpenStack
Component: instack
Version: 13.0 (Queens)
Target Release: 13.0 (Queens)
Target Milestone: z3
Status: CLOSED ERRATA
Severity: high
Priority: high
Keywords: Triaged, ZStream
Hardware: Unspecified
OS: Unspecified
Reporter: David Vallee Delisle <dvd>
Assignee: Emilien Macchi <emacchi>
QA Contact: Gurenko Alex <agurenko>
Docs Contact: Gurenko Alex <agurenko>
CC: bdobreli, emacchi, jschluet, mburns, mcornea
Fixed In Version: instack-8.1.1-0.20180313084440.0d768a3.el7ost
Doc Type: If docs needed, set a value
Bug Blocks: 1636295, 1636296
Type: Bug
Last Closed: 2018-11-14 01:14:59 UTC

Description David Vallee Delisle 2018-10-05 02:11:09 UTC
Description of problem:
A lot of deployments are mounting /tmp with the noexec flag for security reasons. Because of this, it's impossible to run any executables in there, which breaks the undercloud install and undercloud upgrade processes as described here [1].

[1] https://access.redhat.com/solutions/3002821

Version-Release number of selected component (if applicable):
All

How reproducible:
All the time

Steps to Reproduce:
[stack@undercloud-0 ~]$ echo "tmpfs /tmp tmpfs mode=1777,nosuid,nodev,noexec 0 0" | sudo tee -a /etc/fstab
[stack@undercloud-0 ~]$ sudo mount /tmp
[stack@undercloud-0 ~]$ sudo systemctl stop 'openstack-*' 'neutron-*' httpd
[stack@undercloud-0 ~]$ sudo yum update python-tripleoclient
[stack@undercloud-0 ~]$ openstack undercloud (upgrade or install)

Actual results:
instack uses tempfile.mkdtemp() without any argument to create a temporary folder to store the scripts that are going to be run by dib-run-parts. When dib-run-parts starts, it runs find /tmp/path/to/scripts -executable, which returns nothing, and it quits.

Expected results:
instack should use a different prefix.


Additional info:
In instack/main.py, we already use ~stack/.instack/ to store the logs. It might be a good candidate to store the temp folders, for example ~stack/.instack/tmp/.
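
As an added example (not instack's or DIB's own code) of the change this report asks for: read /proc/mounts to tell whether a candidate base directory sits on a noexec mount, and pass a usable base to tempfile.mkdtemp(dir=...) so that the find -executable run by dib-run-parts can see the scripts. The mounts content is constructed; the ~/.instack/tmp fallback follows the reporter's suggestion, and all function names are assumptions.

```python
import os
import tempfile

# Constructed /proc/mounts-style content (not from a real undercloud) so the
# example runs offline; /tmp carries the noexec option, as in this bug.
SAMPLE_MOUNTS = """\
/dev/vda1 / xfs rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/vdb1 /home xfs rw,relatime 0 0
"""

def mount_options_for(path, mounts_text):
    """Option set of the longest mount point that contains path."""
    path = os.path.abspath(path)
    best, best_opts = "", set()
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # /proc/mounts encodes spaces in mount points as \040
        mnt, opts = fields[1].replace("\\040", " "), fields[3]
        inside = path == mnt or path.startswith(mnt.rstrip("/") + "/")
        if inside and len(mnt) > len(best):
            best, best_opts = mnt, set(opts.split(","))
    return best_opts

def is_noexec(path, mounts_text=None):
    """True if executables under path would be refused by the mount."""
    if mounts_text is None:
        with open("/proc/mounts") as fh:
            mounts_text = fh.read()
    return "noexec" in mount_options_for(path, mounts_text)

def choose_script_tmpdir(candidates, mounts_text=None):
    """First candidate base directory not on a noexec mount, else None."""
    for cand in candidates:
        if not is_noexec(cand, mounts_text):
            return cand
    return None

def make_script_dir(candidates=None, mounts_text=None):
    """mkdtemp() under a base where dib-run-parts' find -executable works."""
    if candidates is None:
        # Default temp dir (usually /tmp) first, then the reporter's suggested
        # ~/.instack/tmp (the stack user's home on an undercloud); assumption.
        candidates = [tempfile.gettempdir(), os.path.expanduser("~/.instack/tmp")]
    base = choose_script_tmpdir(candidates, mounts_text)
    if base is None:
        raise RuntimeError("all candidate directories are noexec: %r" % candidates)
    os.makedirs(base, exist_ok=True)
    return tempfile.mkdtemp(prefix="instack-", dir=base)
```

With the real /proc/mounts (mounts_text=None) the same check runs against the live system, so the failure is reported as a clear error instead of an empty find result.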

Comment 6 Gurenko Alex 2018-11-01 09:29:55 UTC
Verified on puddle 2018-10-24.1

[stack@undercloud-0 ~]$ rpm -q instack
instack-8.1.1-0.20180313084440.0d768a3.el7ost.noarch

Comment 10 errata-xmlrpc 2018-11-14 01:14:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3611