Bug 2089332

Summary: DISA-STIG profile sets default umask that fails HE install
Product: Red Hat Enterprise Virtualization Manager Reporter: Guilherme Santos <gdeolive>
Component: ovirt-engine Assignee: Michal Skrivanek <michal.skrivanek>
Status: CLOSED ERRATA QA Contact: Guilherme Santos <gdeolive>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 4.5.0 CC: gscott, lsvaty, mavital, michal.skrivanek, mkalinin, mperina
Target Milestone: ovirt-4.5.1 Keywords: Reopened, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-07-14 12:55:59 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Integration RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2015796    

Description Guilherme Santos 2022-05-23 13:03:27 UTC
Description of problem:
DISA-STIG profile sets default umask that fails HE install.
Task "Copy configuration archive to storage" fails in the HE deploy playbook due to the default umask (0077) of RHEL with the DISA STIG security profile enabled.

Task failure:
02:06:07 TASK [ovirt.ovirt.hosted_engine_setup : Copy configuration archive to storage] ***
02:06:10 [WARNING]: Module remote_tmp /var/lib/vdsm/.ansible/tmp did not exist and was
02:06:10 created with a mode of 0700, this may cause issues when running as another
02:06:10 user. To avoid this, create the remote_tmp dir with the correct permissions
02:06:10 manually
02:06:10 fatal: [x.x.x.x]: FAILED! => {"changed": true, "cmd": ["dd", "bs=20480", "count=1", "oflag=direct", "if=/var/tmp/localvmdmgfg6zl/b522b14f-02d3-4818-b78a-c22bd1ace665", "of=/rhev/data-center/mnt/<mounted_storage_domain>/352c228f-d9fb-40b7-87e5-bc3242a93b29/images/91489285-8a4f-4c33-a77d-013a599698bb/b522b14f-02d3-4818-b78a-c22bd1ace665"], "delta": "0:00:00.003691", "end": "2022-05-22 20:06:09.926276", "msg": "non-zero return code", "rc": 1, "start": "2022-05-22 20:06:09.922585", "stderr": "dd: failed to open '/var/tmp/localvmdmgfg6zl/b522b14f-02d3-4818-b78a-c22bd1ace665': Permission denied", "stderr_lines": ["dd: failed to open '/var/tmp/localvmdmgfg6zl/b522b14f-02d3-4818-b78a-c22bd1ace665': Permission denied"], "stdout": "", "stdout_lines": []}
 

Version-Release number of selected component (if applicable):
latest

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:
fail

Expected results:
pass

Additional info:

Comment 1 Michal Skrivanek 2022-05-23 13:16:05 UTC
Seems bug 2020620 didn't really fix it correctly; with umask 077 the tar is created with 0600 root:root and it fails later on to open as the vdsm user.
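
The failure mode described in comment 1, reproduced as an added example that is not part of the bug report or of the actual oVirt fix: an archive written under umask 077 ends up 0600, and setting the mode explicitly makes the result independent of the hardened umask. The helper names, file names and the 0640 mode are assumptions chosen for illustration; GNU tar and GNU stat are assumed.

```shell
#!/bin/sh
# Added illustration: how a STIG-style umask (077) shapes the mode of a
# freshly created archive, and a umask-independent way to create it.

# Create a tar of file $1 at path $2 under umask $3; print the octal mode.
# The subshell keeps the umask change from leaking into the caller.
archive_mode_under_umask() {
    src=$1; out=$2; mask=$3
    ( umask "$mask"
      tar -cf "$out" -C "$(dirname "$src")" "$(basename "$src")" ) || return 1
    stat -c '%a' "$out"
}

# Same, but set the mode explicitly ($4) right after creation. The file is
# born restrictive (per umask) and only then widened to exactly the bits
# the consumer needs, so there is no window where it is over-permissive.
archive_mode_explicit() {
    src=$1; out=$2; mask=$3; mode=$4
    ( umask "$mask"
      tar -cf "$out" -C "$(dirname "$src")" "$(basename "$src")" &&
      chmod "$mode" "$out" ) || return 1
    stat -c '%a' "$out"
}

# Succeeds if octal mode $1 grants read to group or other, i.e. if any
# account other than the owner could possibly open the file for reading.
has_group_or_other_read() {
    [ $(( 0$1 & 044 )) -ne 0 ]
}

demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed sample config\n' > "$d/conf"   # constructed input
    m=$(archive_mode_under_umask "$d/conf" "$d/a.tar" 077)
    if has_group_or_other_read "$m"; then r=yes; else r=no; fi
    echo "umask 077, no explicit mode: $m (non-owner read: $r)"
    m=$(archive_mode_explicit "$d/conf" "$d/b.tar" 077 640)
    if has_group_or_other_read "$m"; then r=yes; else r=no; fi
    echo "umask 077, explicit 0640:    $m (non-owner read: $r)"
    rm -rf "$d"
}
demo
```

A 0640 mode only helps the consuming service account if the file's group is one that account belongs to, so in a real deployment the explicit mode would be paired with an explicit owner and group rather than a relaxed system-wide umask.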

Comment 7 Guilherme Santos 2022-06-30 13:05:38 UTC
Reopening as it was tested alongside BZ2089856

Comment 8 Guilherme Santos 2022-06-30 13:06:21 UTC
Verified on ovirt-engine-4.5.1.2-0.11.el8ev.noarch alongside BZ2089856

Comment 12 errata-xmlrpc 2022-07-14 12:55:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (RHV Engine and Host Common Packages update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:5584

Comment 13 Asaf Rachmani 2022-07-28 07:16:28 UTC
*** Bug 2107659 has been marked as a duplicate of this bug. ***

Comment 14 meital avital 2022-08-04 11:06:08 UTC
Due to QE capacity, we are not going to cover this issue in our automation