Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1507438

Summary: not able to deploy new rhvh host when "/tmp" is mounted with "noexec" option
Product: Red Hat Enterprise Virtualization Manager Reporter: Marian Jankular <mjankula>
Component: ovirt-engineAssignee: Dana <delfassy>
Status: CLOSED ERRATA QA Contact: Petr Matyáš <pmatyas>
Severity: high Docs Contact:
Priority: high    
Version: 4.1.6CC: cshao, dfediuck, dougsland, gveitmic, huzhao, lleistne, lsurette, mperina, mtessun, pstehlik, qiyuan, rhodain, sbonazzo, srevivo, weiwang, yaniwang, ycui, yturgema
Target Milestone: ovirt-4.4.0Flags: lsvaty: testing_plan_complete-
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: rhvm-4.4.0-0.31 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-08-04 13:16:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Marian Jankular 2017-10-30 09:25:36 UTC 
Description of problem:
after applying DISA STIG PCI-DSS audit rules on rhvh it is not possible to add this host to manager

Version-Release number of selected component (if applicable):
rhvh 4.1.6 and most probably versions before

How reproducible:
everytime

Steps to Reproduce:
1. install rhvh
2. create thin lv for /tmp and mount it with "noexec" option
3. try to add host from manager

Actual results:
2017-10-30 05:02:59,163-04 ERROR [org.ovirt.engine.core.bll.hostdeploy.VdsDeployBase] (VdsDeploy) [2986cfa7] Error during deploy dialog
2017-10-30 05:02:59,171-04 ERROR [org.ovirt.engine.core.bll.hostdeploy.VdsDeployBase] (org.ovirt.thread.pool-6-thread-7) [2986cfa7] Error during host 10.37.192.203 install
2017-10-30 05:02:59,211-04 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-6-thread-7) [2986cfa7] EVENT_ID: VDS_INSTALL_IN_PROGRESS_ERROR(511), Correlation ID: 2986cfa7, Call Stack: null, Custom ID: null, Custom Event ID: -1, Message: Failed to install Host noexechost. Unexpected error during execution: bash: /tmp/ovirt-nFmb9TnASj/ovirt-host-deploy: Permission denied


Expected results:
host will be added

Additional info:
is it possible to make host compliant and move the deploy scritps to different location?
Comment 1 Ryan Barry 2017-10-30 12:46:26 UTC 
This should also be reproducible on RHEL hosts. ovirt-host-deploy uses /tmp on both variants. Changing component.
Comment 2 Sandro Bonazzola 2017-10-30 12:50:36 UTC 
Moving to infra team for review.
Martin, what do you think?
Comment 3 Martin Perina 2017-11-01 12:57:29 UTC 
Targeting to 4.3 as it's planned to evaluate those security standards during 4.3 planning
Comment 4 Daniel Gur 2019-08-28 13:12:56 UTC 
sync2jira
Comment 5 Daniel Gur 2019-08-28 13:17:09 UTC 
sync2jira
Comment 8 Martin Perina 2020-04-03 11:24:35 UTC 
Moving to MODIFIED as ansible is using /root directory to store temporary data including executed scripts
Comment 11 Petr Matyáš 2020-04-16 16:26:54 UTC 
Verified on ovirt-engine-4.4.0-0.32.master.el8ev.noarch

Machine with noexec /tmp (and /home) can be added as a host.
Comment 15 errata-xmlrpc 2020-08-04 13:16:05 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: RHV Manager (ovirt-engine) 4.4 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:3247