Bug 2035051
| Summary: | removing nfs-utils cause ovirt-engine removal due to cinderlib dep tree | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | schandle |
| Component: | ovirt-engine | Assignee: | Ales Musil <amusil> |
| Status: | CLOSED ERRATA | QA Contact: | Petr Kubica <pkubica> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 4.4.9 | CC: | ahadas, amusil, asocha, didi, emarcus, gdeolive, kemyers, lsurette, michal.skrivanek, mperina |
| Target Milestone: | ovirt-4.5.0 | Keywords: | Regression, TestOnly |
| Target Release: | 4.5.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Release Note | |
| Doc Text: |
Red Hat Virtualization 4.4 SP1 uses the updated DISA STIG OpenSCAP profile from RHEL 8.6, which does not remove the gssproxy package. As a result, the Red Hat Virtualization host works correctly after applying the DISA STIG profile.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-05-26 16:23:26 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This looks like BZ https://bugzilla.redhat.com/show_bug.cgi?id=1867158 that has since been closed in 4.4.3 nfs-utils is not required anymore since Tue Oct 13 13:43:39 2020 - ovirt-engine-4.4.3.8 - https://gerrit.ovirt.org/c/ovirt-engine/+/111689 gssproxy is not required at all. Going to dig into this. nfs-utils is required by python3-os-brick which is required by python3-cinder-common which is required by python3-cinderlib which is needed by ovirt-engine. Moving to storage team as they need to either: - fix the dependency chain - or give up on requiring cinderlib - or fix the security profile for not removing gssproxy for RHV This is going to be fixed in RHV 4.4 SP1 where we introduce proper support to DISA STIG (BZ2015796 and BZ2015802) and PCI-DSS (BZ2030596 and BZ2030226) openscap profiles, so aligning status with those RFEs. This will be fixed with release of RHV SP1. Verified in rhv-release-4.5.0-8-001.noarch Installed RHEL8, yes to Openscap profile, choosed stig. Engine was successfully deployed Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.0] security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:4711 |
Description of problem: When deploying HostedEngine and using OpenScap, when the package 'gssproxy' is removed from HostedEngineLocal it removes: ~~~ Removing: gssproxy x86_64 0.8.0-19.el8 @anaconda 263 k Removing dependent packages: nfs-utils x86_64 1:2.3.3-46.el8 @anaconda 1.5 M ovirt-engine noarch 4.4.9.5-0.1.el8ev @koji-override-0 38 M ovirt-engine-setup noarch 4.4.9.5-0.1.el8ev @koji-override-0 671 ovirt-engine-setup-plugin-ovirt-engine noarch 4.4.9.5-0.1.el8ev @koji-override-0 776 k ~~~ Version-Release number of selected component (if applicable): How reproducible: 100% Customer is seeing, and has been verified in the lab Steps to Reproduce: 1. Deploy RHVH with security profile 2. Deploy Self Hosted engine 3. Yes to openscap Actual results: The deployment will fail as engine setup is not installed: ~~~ 2021-12-21 13:55:18,532-0500 INFO otopi.ovirt_hosted_engine_setup.ansible_utils ansible_utils._process_output:112 TASK [**FILTERED**.rhv.engine_setup : Install oVirt Engine package] 2021-12-21 13:55:22,246-0500 DEBUG otopi.ovirt_hosted_engine_setup.ansible_utils ansible_utils._process_output:106 {'msg': 'Failed to install some of the specified packages', 'failures': ['No package ovirt-engine available.'], 'results': [], 'rc': 1, 'invocation': {'module_args': {'name': ['ovirt-engine'], 'state': 'present', 'allow_downgrade': False, 'autoremove': False, 'bugfix': False, 'disable_gpg_check': False, 'disable_plugin': [], 'disablerepo': [], 'download_only': False, 'enable_plugin': [], 'enablerepo': [], 'exclude': [], 'installroot': '/', 'install_repoquery': True, 'install_weak_deps': True, 'security': False, 'skip_broken': False, 'update_cache': False, 'update_only': False, 'validate_certs': True, 'lock_timeout': 30, 'conf_file': None, 'disable_excludes': None, 'download_dir': None, 'list': None, 'releasever': None}}, '_ansible_no_log': False, 'changed': False, '_ansible_delegated_vars': {'ansible_host': '192.168.222.225', 'ansible_port': None, 'ansible_user': 'root', 'ansible_connection': 'smart'}} 2021-12-21 13:55:22,347-0500 ERROR otopi.ovirt_hosted_engine_setup.ansible_utils ansible_utils._process_output:110 fatal: [localhost -> 192.168.222.225]: FAILED! => {"changed": false, "failures": ["No package ovirt-engine available."], "msg": "Failed to install some of the specified packages", "rc": 1, "results": []} ~~~ While configuring Openscap for bootstrap, it needs to remove several packages that do not meet this security protocol. The issue is that when removing gssproxy, it removes 'rhvm' Expected results: When preparing for openscap, need to prevent the removal of the dependencies. Additional info: The current workaround is to pause the deployment prior to engine-setup, add the engine repos, yum install rhvm, and finally remove the individual rpm package for the deployment to continue.