Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1463853

Summary: [RFE] RHV-M appliance should meet NIST 800-53 partitioning requirements
Product: Red Hat Enterprise Virtualization Manager Reporter: Javier Coscia <jcoscia>
Component: rhevm-applianceAssignee: Yuval Turgeman <yturgema>
Status: CLOSED ERRATA QA Contact: Gonza <grafuls>
Severity: high Docs Contact:
Priority: unspecified    
Version: 4.1.2CC: cshao, dfediuck, eheftman, huzhao, lsvaty, mgoldboi, mkalinin, pstehlik, qiyuan, rbarry, sbonazzo, weiwang, yaniwang, ycui, yturgema, yzhao
Target Milestone: ovirt-4.2.0Keywords: FutureFeature
Target Release: ---Flags: pstehlik: testing_plan_complete-
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Previously, the partitioning scheme for the RHV-M Virtual Appliance included two primary partitions, "/" and swap. In this release, the disk partitioning scheme has been modified to match the scheme specified by NIST. The updated disk partitions are as follows: /boot 1G (primary) /home 1G (lvm) /tmp 2G (lvm) /var 20G (lvm) /var/log 10G (lvm) /var/log/audit 1G (lvm) swap 8G (lvm) / 6G (primary)
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-05-15 19:00:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Node RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1502604    

Description Javier Coscia 2017-06-22 00:10:23 UTC 
Description of the problem:

Customers in public sector need to meet certain security layouts, one of them
is the requirement of having separate partitions for the following directories

/home
/tmp
/var
/var/log/audit

Version-Release number of selected component (if applicable):

RHV-M appliance > rhvm-appliance-20170619.0-1.x86_64.rhevm.ova
RPM > rhevm-appliance-20170616.0-1.el7ev.noarch.rpm

How reproducible:
100%
Comment 15 Gonza 2018-01-12 10:23:10 UTC 
Tried with:
rhvm-appliance-20180103.0-1.x86_64.rhevm.ova

# findmnt
TARGET                                SOURCE     FSTYPE     OPTIONS
/                                     /dev/vda2  xfs        rw,relatime,seclabel,attr2,inode64,noquota
├─/sys                                sysfs      sysfs      rw,nosuid,nodev,noexec,relatime,seclabel
│ ├─/sys/kernel/security              securityfs securityfs rw,nosuid,nodev,noexec,relatime
│ ├─/sys/fs/cgroup                    tmpfs      tmpfs      ro,nosuid,nodev,noexec,seclabel,mode=755
│ │ ├─/sys/fs/cgroup/systemd          cgroup     cgroup     rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd
│ │ ├─/sys/fs/cgroup/perf_event       cgroup     cgroup     rw,nosuid,nodev,noexec,relatime,perf_event
│ │ ├─/sys/fs/cgroup/cpuset           cgroup     cgroup     rw,nosuid,nodev,noexec,relatime,cpuset
│ │ ├─/sys/fs/cgroup/blkio            cgroup     cgroup     rw,nosuid,nodev,noexec,relatime,blkio
│ │ ├─/sys/fs/cgroup/memory           cgroup     cgroup     rw,nosuid,nodev,noexec,relatime,memory
│ │ ├─/sys/fs/cgroup/pids             cgroup     cgroup     rw,nosuid,nodev,noexec,relatime,pids
│ │ ├─/sys/fs/cgroup/hugetlb          cgroup     cgroup     rw,nosuid,nodev,noexec,relatime,hugetlb
│ │ ├─/sys/fs/cgroup/net_cls,net_prio cgroup     cgroup     rw,nosuid,nodev,noexec,relatime,net_prio,net_cls
│ │ ├─/sys/fs/cgroup/cpu,cpuacct      cgroup     cgroup     rw,nosuid,nodev,noexec,relatime,cpuacct,cpu
│ │ ├─/sys/fs/cgroup/freezer          cgroup     cgroup     rw,nosuid,nodev,noexec,relatime,freezer
│ │ └─/sys/fs/cgroup/devices          cgroup     cgroup     rw,nosuid,nodev,noexec,relatime,devices
│ ├─/sys/fs/pstore                    pstore     pstore     rw,nosuid,nodev,noexec,relatime
│ ├─/sys/fs/selinux                   selinuxfs  selinuxfs  rw,relatime
│ ├─/sys/kernel/debug                 debugfs    debugfs    rw,relatime
│ └─/sys/kernel/config                configfs   configfs   rw,relatime
├─/proc                               proc       proc       rw,nosuid,nodev,noexec,relatime
│ ├─/proc/sys/fs/binfmt_misc          systemd-1  autofs     rw,relatime,fd=32,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=12601
│ └─/proc/fs/nfsd                     nfsd       nfsd       rw,relatime
├─/dev                                devtmpfs   devtmpfs   rw,nosuid,seclabel,size=887000k,nr_inodes=221750,mode=755
│ ├─/dev/shm                          tmpfs      tmpfs      rw,nosuid,nodev,seclabel
│ ├─/dev/pts                          devpts     devpts     rw,nosuid,noexec,relatime,seclabel,gid=5,mode=620,ptmxmode=000
│ ├─/dev/hugepages                    hugetlbfs  hugetlbfs  rw,relatime,seclabel
│ └─/dev/mqueue                       mqueue     mqueue     rw,relatime,seclabel
├─/run                                tmpfs      tmpfs      rw,nosuid,nodev,seclabel,mode=755
│ └─/run/user/0                       tmpfs      tmpfs      rw,nosuid,nodev,relatime,seclabel,size=181540k,mode=700
└─/var/lib/nfs/rpc_pipefs             rpc_pipefs rpc_pipefs rw,relatime

# df -Th
Filesystem     Type      Size  Used Avail Use% Mounted on
/dev/vda2      xfs        50G  3.3G   47G   7% /
devtmpfs       devtmpfs  867M     0  867M   0% /dev
tmpfs          tmpfs     887M     0  887M   0% /dev/shm
tmpfs          tmpfs     887M   17M  871M   2% /run
tmpfs          tmpfs     887M     0  887M   0% /sys/fs/cgroup
tmpfs          tmpfs     178M     0  178M   0% /run/user/0

# lsblk
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sr0     11:0    1 1024M  0 rom  
vda    253:0    0   58G  0 disk 
├─vda1 253:1    0    8G  0 part [SWAP]
└─vda2 253:2    0   50G  0 part /
Comment 16 Ryan Barry 2018-01-13 00:48:57 UTC 
rhvm-appliance-20180103.0-1.x86_64.rhevm.ova is not 4.2

Please check with rhvm-appliance-4.2-20171219.0, which contains the appropriate partitions.
Comment 17 Gonza 2018-01-16 11:28:47 UTC 
Verified with:
rhvm-appliance-4.2-20171219.0

# lsblk
NAME            MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sr0              11:0    1 1024M  0 rom  
sr1              11:1    1  374K  0 rom  
vda             252:0    0   50G  0 disk 
├─vda1          252:1    0    1G  0 part /boot
├─vda2          252:2    0 42.9G  0 part 
│ ├─ovirt-swap  253:0    0    8G  0 lvm  [SWAP]
│ ├─ovirt-audit 253:1    0    1G  0 lvm  /var/log/audit
│ ├─ovirt-log   253:2    0   10G  0 lvm  /var/log
│ ├─ovirt-var   253:3    0   20G  0 lvm  /var
│ ├─ovirt-tmp   253:4    0    2G  0 lvm  /tmp
│ └─ovirt-home  253:5    0    1G  0 lvm  /home
└─vda3          252:3    0  6.1G  0 part /
Comment 22 errata-xmlrpc 2018-05-15 19:00:03 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:1525
Comment 23 Franta Kust 2019-05-16 13:08:19 UTC 
BZ<2>Jira Resync