Bug 2066811

Summary: Hosted engine deployment fails when DISA STIG profile is selected for the engine VM
Product: Red Hat Enterprise Virtualization Manager
Reporter: Asaf Rachmani <arachman>
Component: ovirt-ansible-collection
Assignee: Asaf Rachmani <arachman>
Status: CLOSED ERRATA
QA Contact: Nikolai Sednev <nsednev>
Severity: high
Docs Contact:
Priority: high
Version: 4.5.0
CC: emarcus
Target Milestone: ovirt-4.5.0
Keywords: Triaged, ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ovirt-ansible-collection-2.0.0-0.9.BETA
Doc Type: Bug Fix
Doc Text:
Previously, the DISA STIG profile enabled fapolicyd, which blocked Ansible command execution as a non-root user, so self-hosted engine deployment failed. In this release, calls to psql as the postgres user are replaced with engine_psql.sh, and deployment succeeds.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-05-26 17:25:09 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Integration
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Asaf Rachmani 2022-03-22 14:20:41 UTC
Description of problem:
Hosted engine deployment fails when DISA STIG profile is selected for the engine VM


Steps to Reproduce:
1. Run hosted-engine deployment
2. Choose yes for "Do you want to apply an OpenSCAP security profile? (Yes, No) [No]:"


Actual results:
Hosted-Engine deployment fails

Expected results:
Hosted-Engine deployment succeeds

Additional info:
The deployment fails on the task "Update target VM details at DB level":
fapolicyd blocks the "postgres" user from executing Ansible's command module located in /var/tmp.


TASK [redhat.rhv.hosted_engine_setup : Update target VM details at DB level] **************************************************************************************************************************************
task path: /usr/share/ansible/collections/ansible_collections/redhat/rhv/roles/hosted_engine_setup/tasks/create_target_vm/02_engine_vm_configuration.yml:11
<192.168.1.183> ESTABLISH SSH CONNECTION FOR USER: root
:
.
<192.168.1.183> SSH: EXEC sshpass -d9 ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o 'User="root"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ControlPath=/root/.ansible/cp/b36a7240de -tt 192.168.1.183 '/bin/sh -c '"'"'sudo -H -S -n  -u postgres /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-snwymfuuyqxctfkuojgwgvjmrougaazc ; LANGUAGE=en_US.UTF-8 LANG=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 LC_ALL=en_US.UTF-8 /usr/libexec/platform-python /var/tmp/ansible-tmp-1647935594.9874861-4123834-133661441375419/AnsiballZ_command.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
Escalation succeeded
<192.168.1.183> (2, b"/usr/libexec/platform-python: can't open file '/var/tmp/ansible-tmp-1647935594.9874861-4123834-133661441375419/AnsiballZ_command.py': [Errno 1] Operation not permitted\r\n",
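As an added triage helper (not part of this bug report or of ovirt-ansible-collection), the following Python scans `ansible -vvv` output for the signature shown above: a privilege escalation to a non-root user followed by EPERM on the AnsiballZ module file under /var/tmp, which is what fapolicyd's denial of an untrusted executable looks like from Ansible's side. The log excerpt, IP address and temp path are constructed for the example.

```python
import re

# Constructed excerpt modelled on the ansible -vvv output in this bug;
# the host address and temp directory are placeholders, not captured data.
SAMPLE_LOG = """\
TASK [redhat.rhv.hosted_engine_setup : Update target VM details at DB level] ****
<192.0.2.10> SSH: EXEC ssh 192.0.2.10 '/bin/sh -c sudo -H -S -n  -u postgres /bin/sh -c ...'
Escalation succeeded
<192.0.2.10> (2, b"/usr/libexec/platform-python: can't open file '/var/tmp/ansible-tmp-1/AnsiballZ_command.py': [Errno 1] Operation not permitted\\r\\n",
"""

TASK_RE = re.compile(r"^TASK \[(?P<task>[^\]]+)\]")
# The become user is the argument of sudo's -u flag in the EXEC line.
BECOME_RE = re.compile(r"sudo .*?-u (?P<user>\S+) ")
# EPERM (Errno 1) on the module file itself, rather than ENOENT or EACCES,
# is the hallmark of fapolicyd refusing to let the file be opened for execution.
DENY_RE = re.compile(
    r"can't open file '(?P<path>/var/tmp/ansible-tmp-[^']+)': "
    r"\[Errno 1\] Operation not permitted"
)


def find_fapolicyd_denials(log_text):
    """Return one finding per task where a non-root become user was denied
    execution of the Ansible module file in /var/tmp with EPERM."""
    findings = []
    task = user = None
    for line in log_text.splitlines():
        m = TASK_RE.match(line)
        if m:
            task, user = m.group("task"), None  # new task: forget the old become user
            continue
        m = BECOME_RE.search(line)
        if m:
            user = m.group("user")
            continue
        m = DENY_RE.search(line)
        if m and user and user != "root":
            findings.append({"task": task, "become_user": user, "path": m.group("path")})
    return findings


if __name__ == "__main__":
    for f in find_fapolicyd_denials(SAMPLE_LOG):
        print(f"{f['task']}: user {f['become_user']} denied exec of {f['path']}")
```

Root is excluded because fapolicyd's default policy trusts root-run files even when they are not in the trust database, which is why the same task succeeds once the psql call no longer drops to postgres.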

Comment 5 Nikolai Sednev 2022-04-12 15:40:39 UTC
Do you want to apply an OpenSCAP security profile? (Yes, No) [No]: Yes
Please provide the security profile you would like to use (stig, pci-dss) [stig]: 
.
.
.
[ INFO  ] TASK [ovirt.ovirt.hosted_engine_setup : Initialize OpenSCAP variables]
[ INFO  ] ok: [localhost -> 192.168.222.17]
[ INFO  ] TASK [ovirt.ovirt.hosted_engine_setup : Set OpenSCAP datastream path]
[ INFO  ] ok: [localhost -> 192.168.222.17]
[ INFO  ] TASK [ovirt.ovirt.hosted_engine_setup : Verify OpenSCAP datastream]
[ INFO  ] ok: [localhost -> 192.168.222.17]
[ INFO  ] TASK [ovirt.ovirt.hosted_engine_setup : Set OpenSCAP profile]
[ INFO  ] changed: [localhost -> 192.168.222.17]
[ INFO  ] TASK [ovirt.ovirt.hosted_engine_setup : Apply OpenSCAP profile]
[ INFO  ] changed: [localhost -> 192.168.222.17]
[ INFO  ] TASK [ovirt.ovirt.hosted_engine_setup : Reset PermitRootLogin for sshd]
[ INFO  ] ok: [localhost -> 192.168.222.17]
[ INFO  ] TASK [ovirt.ovirt.hosted_engine_setup : Enable FIPS on the engine VM]
[ INFO  ] skipping: [localhost]
[ INFO  ] TASK [ovirt.ovirt.hosted_engine_setup : Reboot the engine VM to apply security rules]
[ INFO  ] TASK [ovirt.ovirt.hosted_engine_setup : Check if FIPS mode is enabled]
[ INFO  ] skipping: [localhost]
[ INFO  ] TASK [ovirt.ovirt.hosted_engine_setup : Enforce FIPS mode]
[ INFO  ] skipping: [localhost]
.
.
.
[ INFO  ] Hosted Engine successfully deployed

rhvm-appliance-4.5-20220412.0.el8ev.x86_64
ovirt-hosted-engine-ha-2.5.0-1.el8ev.noarch
ovirt-hosted-engine-setup-2.6.3-1.el8ev.noarch
Linux 4.18.0-372.7.1.el8.x86_64 #1 SMP Wed Apr 6 12:38:30 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux
Red Hat Enterprise Linux release 8.6 (Ootpa)

Comment 6 Nikolai Sednev 2022-04-12 15:41:01 UTC
ovirt-ansible-collection-2.0.2-1.el8ev.noarch

Comment 11 errata-xmlrpc 2022-05-26 17:25:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: RHV Engine and Host Common Packages security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:4712