Bug 2066811
Summary: | Hosted engine deployment fails when DISA STIG profile is selected for the engine VM | ||
---|---|---|---|
Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Asaf Rachmani <arachman> |
Component: | ovirt-ansible-collection | Assignee: | Asaf Rachmani <arachman> |
Status: | CLOSED ERRATA | QA Contact: | Nikolai Sednev <nsednev> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 4.5.0 | CC: | emarcus |
Target Milestone: | ovirt-4.5.0 | Keywords: | Triaged, ZStream |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | ovirt-ansible-collection-2.0.0-0.9.BETA | Doc Type: | Bug Fix |
Doc Text: | Previously, DISA STIG profile used fapolicyd that blocked ansible command execution as non-root, and self-hosted engine deployment failed. In this release, calls to psql as postgres are replaced with engine_psql.sh, and deployment succeeds. |
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2022-05-26 17:25:09 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | Integration | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Asaf Rachmani
2022-03-22 14:20:41 UTC
Do you want to apply an OpenSCAP security profile? (Yes, No) [No]: Yes
Please provide the security profile you would like to use (stig, pci-dss) [stig]:
. . .
[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Initialize OpenSCAP variables]
[ INFO ] ok: [localhost -> 192.168.222.17]
[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Set OpenSCAP datastream path]
[ INFO ] ok: [localhost -> 192.168.222.17]
[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Verify OpenSCAP datastream]
[ INFO ] ok: [localhost -> 192.168.222.17]
[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Set OpenSCAP profile]
[ INFO ] changed: [localhost -> 192.168.222.17]
[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Apply OpenSCAP profile]
[ INFO ] changed: [localhost -> 192.168.222.17]
[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Reset PermitRootLogin for sshd]
[ INFO ] ok: [localhost -> 192.168.222.17]
[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Enable FIPS on the engine VM]
[ INFO ] skipping: [localhost]
[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Reboot the engine VM to apply security rules]
[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Check if FIPS mode is enabled]
[ INFO ] skipping: [localhost]
[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Enforce FIPS mode]
[ INFO ] skipping: [localhost]
. . .
[ INFO ] Hosted Engine successfully deployed

rhvm-appliance-4.5-20220412.0.el8ev.x86_64
ovirt-hosted-engine-ha-2.5.0-1.el8ev.noarch
ovirt-hosted-engine-setup-2.6.3-1.el8ev.noarch
Linux 4.18.0-372.7.1.el8.x86_64 #1 SMP Wed Apr 6 12:38:30 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux
Red Hat Enterprise Linux release 8.6 (Ootpa)
ovirt-ansible-collection-2.0.2-1.el8ev.noarch

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: RHV Engine and Host Common Packages security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:4712