
Bug 1552454

Summary: Installation failed in some security environments due to the running commands don't include absolute path
Product: OpenShift Container Platform
Component: Installer
Version: 3.9.0
Status: CLOSED DUPLICATE
Severity: medium
Priority: medium
Target Milestone: ---
Target Release: 3.9.z
Hardware: Unspecified
OS: Unspecified
Reporter: Gan Huang <ghuang>
Assignee: Vadim Rutkovsky <vrutkovs>
QA Contact: Johnny Liu <jialiu>
CC: aos-bugs, jokerman, mmccomas, vrutkovs, wmeng
Last Closed: 2018-03-07 16:15:16 UTC
Type: Bug

Description Gan Huang 2018-03-07 07:58:48 UTC
Description of problem:
In some customer scenarios (details: BZ#1474246), users change sudo's secure path for security reasons, which causes the installation to fail.

Version-Release number of the following components:
openshift-ansible-3.9.2-1.git.0.1a855b3.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. Create a non-root user on the host.
2. Add cloud-user to the sudo group and edit /etc/sudoers to change sudo's secure path (delete the default /sbin and /usr/sbin):
Defaults    secure_path = /bin:/usr/bin
3. Run the install playbook as user cloud-user.
# cat inventory
<--snip-->
ansible_ssh_user=cloud-user
ansible_become=yes
<--snip-->


Actual results:


TASK [container_runtime : Fix SELinux Permissions on /var/lib/containers] ***************************************************************************************************
fatal: [host-8-241-56.host.centralci.eng.rdu2.redhat.com]: FAILED! => {"changed": false, "cmd": "restorecon -R /var/lib/containers/", "msg": "[Errno 2] No such file or directory", "rc": 2}
fatal: [host-8-246-98.host.centralci.eng.rdu2.redhat.com]: FAILED! => {"changed": false, "cmd": "restorecon -R /var/lib/containers/", "msg": "[Errno 2] No such file or directory", "rc": 2}
	to retry, use: --limit @/usr/share/ansible/openshift-ansible/playbooks/prerequisites.retry

PLAY RECAP ******************************************************************************************************************************************************************
host-8-241-56.host.centralci.eng.rdu2.redhat.com : ok=73   changed=3    unreachable=0    failed=1   
host-8-246-98.host.centralci.eng.rdu2.redhat.com : ok=65   changed=3    unreachable=0    failed=1   



Expected results:

Additional info:

After adding the absolute path for the restorecon command, things work well.
[cloud-user@host-172-16-120-108 ~]$ sudo restorecon
sudo: restorecon: command not found
[cloud-user@host-172-16-120-108 ~]$ sudo /sbin/restorecon
usage:  /sbin/restorecon [-iFnprRv0] [-e excludedir] pathname...
usage:  /sbin/restorecon [-iFnprRv0] [-e excludedir] -f filename

Comment 1 Gan Huang 2018-03-07 08:57:58 UTC
Same issue with swapon command in module: https://github.com/openshift/openshift-ansible/blob/master/roles/lib_utils/library/swapoff.py

[cloud-user@host-172-16-120-108 ~]$ sudo swapon
sudo: swapon: command not found

# whereis swapon
swapon: /usr/sbin/swapon /usr/share/man/man8/swapon.8.gz
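
A preflight check for the failure reported above, as an added example that is not part of the bug report or of openshift-ansible: it reads the secure_path setting from sudoers text and lists the commands sudo would not find. The function names, the `root` parameter and the sample directory tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Matches a global sudoers line such as: Defaults    secure_path = /bin:/usr/bin
SECURE_PATH_RE = re.compile(
    r'^\s*Defaults\s+secure_path\s*=\s*"?([^"\n]+?)"?\s*$', re.M)

def parse_secure_path(sudoers_text):
    """Return the directories of the last global secure_path line, or None."""
    matches = SECURE_PATH_RE.findall(sudoers_text)
    if not matches:
        return None
    return [d for d in matches[-1].split(":") if d]

def resolve(command, dirs, root="/"):
    """Return the first 'dir/command' that is an executable file, else None.
    `root` (hypothetical) lets the check run against a constructed tree."""
    for d in dirs:
        candidate = os.path.join(root, d.lstrip("/"), command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return os.path.join(d, command)
    return None

def missing_commands(commands, sudoers_text, root="/"):
    """List the commands that do not resolve inside secure_path."""
    dirs = parse_secure_path(sudoers_text)
    if dirs is None:  # no secure_path line: nothing for this check to evaluate
        return []
    return [c for c in commands if resolve(c, dirs, root) is None]

def build_sample_root():
    """Constructed tree: restorecon in /sbin, swapon in /usr/sbin, ls in /bin."""
    root = tempfile.mkdtemp()
    for path in ("sbin/restorecon", "usr/sbin/swapon", "bin/ls"):
        full = os.path.join(root, path)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(full, 0o755)
    return root

if __name__ == "__main__":
    sample_root = build_sample_root()
    restricted = "Defaults    secure_path = /bin:/usr/bin\n"  # line from step 2
    print(missing_commands(["restorecon", "swapon", "ls"], restricted, sample_root))
```

Run against the real /etc/sudoers contents with the default `root="/"`, this reports the same commands that fail with "command not found" in the transcripts above.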

Comment 3 Scott Dodson 2018-03-07 14:01:59 UTC
We've documented that they need standard paths. I don't think we should consider this a 3.9 blocker if they've modified their paths either in the environment or sudo.

Comment 4 Vadim Rutkovsky 2018-03-07 15:38:19 UTC
Created https://github.com/openshift/openshift-ansible/pull/7421

Comment 5 Scott Dodson 2018-03-07 16:15:16 UTC
closing wontfix, need to have sane default paths

*** This bug has been marked as a duplicate of bug 1546254 ***