Bug 1552454 - Installation failed in some security environments due to the running commands don't include absolute path
Status: CLOSED DUPLICATE of bug 1546254
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.9.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 3.9.z
Assignee: Vadim Rutkovsky
QA Contact: Johnny Liu
 
Reported: 2018-03-07 07:58 UTC by Gan Huang
Modified: 2018-03-07 16:15 UTC (History)
Last Closed: 2018-03-07 16:15:16 UTC

Description Gan Huang 2018-03-07 07:58:48 UTC
Description of problem:
In some customer scenarios (details: BZ#1474246), users change sudo's secure path for security reasons, which causes the installation to fail.

Version-Release number of the following components:
openshift-ansible-3.9.2-1.git.0.1a855b3.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. Create a non-root user on the host.
2. Add cloud-user to the sudo group and edit /etc/sudoers to change sudo's secure path (delete the default /sbin and /usr/sbin):
Defaults    secure_path = /bin:/usr/bin
3. Run install playbook with user cloud-user.
# cat inventory
<--snip-->
ansible_ssh_user=cloud-user
ansible_become=yes
<--snip-->


Actual results:


TASK [container_runtime : Fix SELinux Permissions on /var/lib/containers] ***************************************************************************************************
fatal: [host-8-241-56.host.centralci.eng.rdu2.redhat.com]: FAILED! => {"changed": false, "cmd": "restorecon -R /var/lib/containers/", "msg": "[Errno 2] No such file or directory", "rc": 2}
fatal: [host-8-246-98.host.centralci.eng.rdu2.redhat.com]: FAILED! => {"changed": false, "cmd": "restorecon -R /var/lib/containers/", "msg": "[Errno 2] No such file or directory", "rc": 2}
	to retry, use: --limit @/usr/share/ansible/openshift-ansible/playbooks/prerequisites.retry

PLAY RECAP ******************************************************************************************************************************************************************
host-8-241-56.host.centralci.eng.rdu2.redhat.com : ok=73   changed=3    unreachable=0    failed=1   
host-8-246-98.host.centralci.eng.rdu2.redhat.com : ok=65   changed=3    unreachable=0    failed=1   



Expected results:

Additional info:

Once the absolute path is added for the restorecon command, things work well.
[cloud-user@host-172-16-120-108 ~]$ sudo restorecon
sudo: restorecon: command not found
[cloud-user@host-172-16-120-108 ~]$ sudo /sbin/restorecon
usage:  /sbin/restorecon [-iFnprRv0] [-e excludedir] pathname...
usage:  /sbin/restorecon [-iFnprRv0] [-e excludedir] -f filename

Comment 1 Gan Huang 2018-03-07 08:57:58 UTC
Same issue with swapon command in module: https://github.com/openshift/openshift-ansible/blob/master/roles/lib_utils/library/swapoff.py

[cloud-user@host-172-16-120-108 ~]$ sudo swapon
sudo: swapon: command not found

# whereis swapon
swapon: /usr/sbin/swapon /usr/share/man/man8/swapon.8.gz

Comment 3 Scott Dodson 2018-03-07 14:01:59 UTC
We've documented that they need standard paths. I don't think we should consider this a 3.9 blocker if they've modified their paths either in the environment or sudo.

Comment 4 Vadim Rutkovsky 2018-03-07 15:38:19 UTC
Created https://github.com/openshift/openshift-ansible/pull/7421

Comment 5 Scott Dodson 2018-03-07 16:15:16 UTC
closing wontfix, need to have sane default paths

*** This bug has been marked as a duplicate of bug 1546254 ***
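
A preflight check for the failure reported in this bug, as an added example that is not part of the bug report or of openshift-ansible: it reads secure_path from sudoers text and lists which commands would not resolve under it. The sudoers sample, the file set and all function names are constructed for illustration, and only the unscoped "Defaults secure_path = ..." form is parsed.

```python
import os
import re

# Matches an unscoped sudoers line such as: Defaults    secure_path = /bin:/usr/bin
# Assumption: scoped forms (Defaults:user, Defaults>root) and includes are not handled.
SECURE_PATH_RE = re.compile(r'^\s*Defaults\s+secure_path\s*=\s*"?([^"\n]+?)"?\s*$')


def parse_secure_path(sudoers_text):
    """Return the directory list of the last secure_path setting, or None if unset."""
    dirs = None
    for line in sudoers_text.splitlines():
        m = SECURE_PATH_RE.match(line)
        if m:
            dirs = [d for d in m.group(1).split(":") if d]
    return dirs


def is_executable(path):
    """Default existence check against the real filesystem."""
    return os.path.isfile(path) and os.access(path, os.X_OK)


def resolve(command, dirs, exists=is_executable):
    """Mimic the lookup sudo performs: absolute names directly, bare names per directory."""
    if os.path.isabs(command):
        return command if exists(command) else None
    for d in dirs:
        candidate = os.path.join(d, command)
        if exists(candidate):
            return candidate
    return None


def unresolved(commands, dirs, exists=is_executable):
    """Commands that would fail with 'command not found' under the given secure_path."""
    return [c for c in commands if resolve(c, dirs, exists) is None]


# Constructed sample data: the hardened sudoers line from the reproduction steps
# and a stand-in filesystem holding the binary locations shown in the report.
SUDOERS = "Defaults    secure_path = /bin:/usr/bin\n"
FAKE_FS = {"/sbin/restorecon", "/usr/sbin/swapon", "/usr/bin/cat"}
COMMANDS = ["restorecon", "swapon", "cat", "/sbin/restorecon"]

if __name__ == "__main__":
    dirs = parse_secure_path(SUDOERS)
    for c in unresolved(COMMANDS, dirs, FAKE_FS.__contains__):
        print("not found under secure_path %s: %s" % (":".join(dirs), c))
```

Calling unresolved() without the third argument checks the real filesystem of the host it runs on.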

