Description of problem: When running the rolling_updates.yml playbook customers encounter permission errors, resulting in failure of the playbook tasks, for environments where the noexec flag has been set for the /tmp dir. The default tmp perms allow for exec from that dir:

[quicklab@mgmt-0 /]$ ls -ld /tmp
drwxrwxrwt. 8 root root 169 May 15 16:30 /tmp

However: Our security guide (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/security_guide/) mentions that it can be a security vulnerability to have the /tmp directory allow for exec permissions. So any customer who is following these recommendations will be subject to this error/issue. We are requesting that scripts which are critical to the execution of a playbook task be populated in an alternative directory, when possible.
Which directory should be used instead of /tmp? What's the recommendation? We can potentially make this directory configurable.
Fix in https://github.com/ceph/ceph-ansible/releases/tag/v3.0.34
(In reply to leseb from comment #3)
> Which directory should be used instead of /tmp? What's the recommendation?
> We can potentially make this directory configurable.

Leseb, to be completely honest, I am not sure what the best alternative for directory placement would be. I was able to find this article: https://access.redhat.com/blogs/766093/posts/3169121 and found the approach quite interesting; however, I feel that integrating such a feature might not be feasible, or the most productive, for such situations. But it does seem to address the main issues that we are facing in environments where customers must adhere to stricter security measures and harden their environments. I will continue searching for, and considering, potential solutions to this problem. Cheers! -Scoots
Thanks for your response, I just backported a patch that will fix the issue. You will find it in tag v.3.0.34. I suspect this will be part of the next z stream release for 3.0. There is no need to dig further into this; if you're interested, the solution is here: https://github.com/ceph/ceph-ansible/pull/2591/commits/628d4cc161f862001460300426481ba60953ddc3 Calling bash directly doesn't trigger the shebang, which allows us to execute the script even though /tmp is mounted with noexec.
(In reply to leseb from comment #6)
> Thanks for your response, I just backported a patch that will fix the issue.
> You will find it in tag v.3.0.34.
>
> I suspect this will be part of the next z stream release for 3.0.
>
> There is no need to dig further into this if you're interested in the
> solution is here:
> https://github.com/ceph/ceph-ansible/pull/2591/commits/
> 628d4cc161f862001460300426481ba60953ddc3
>
> Calling bash directly doesn't trigger the shebang which allows us to execute
> the script even though /tmp is mounted with noexec.

Awesome! That is way more fluid than what I was able to stumble upon, lol. Snazzy fix, congrats on the great work ^_^ -Scoots
Done.
QE tried the solution provided under PR 2591, working fine.

# /usr/bin/env bash /tmp/restart_mon_daemon.sh

restarted the mon service when the noexec flag was set on '/tmp'. Moving to VERIFIED state. Please let us know if there are any concerns. Regards, Vasishta Shastry AQE, Ceph
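The fix in comment #6 and the QE check above both rely on one property: a noexec mount only blocks the kernel's execve() of the file itself, so handing the script to an interpreter as an argument still runs it. The snippet below is an added example, not code from ceph-ansible or from this bug; it shows how a playbook wrapper could detect the noexec case instead of assuming it, and it also makes the hardening caveat concrete: noexec on /tmp stops direct execution of dropped files, but it is not a control against scripts fed to an installed interpreter. The helper names (has_noexec_opt, mount_opts_for, choose_invocation) and the sample option strings are constructed for the example; findmnt is assumed to be available on the host.

```shell
#!/bin/sh
# Added example (not part of ceph-ansible). Decide how to invoke a helper
# script depending on whether its filesystem is mounted noexec.

# Return 0 if the comma-separated mount option string in $1 contains "noexec".
# Pure string check so it can be exercised with constructed input.
has_noexec_opt() {
    case ",$1," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print the mount options of the filesystem that holds path $1.
# Uses findmnt(8); empty output if the path cannot be resolved.
mount_opts_for() {
    findmnt -no OPTIONS --target "$1" 2>/dev/null
}

# Given a script path ($1) and the mount options of its filesystem ($2),
# print the command line to use. On a noexec mount the shebang cannot be
# honoured by execve(), so the script is passed to bash explicitly, exactly
# as PR 2591 does; otherwise it is executed directly.
choose_invocation() {
    script=$1
    opts=$2
    if has_noexec_opt "$opts"; then
        printf '%s\n' "/usr/bin/env bash $script"
    else
        printf '%s\n' "$script"
    fi
}

# Stand-alone usage: inspect the live /tmp mount and report the decision.
# (Output is informational only; nothing is executed here.)
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    live_opts=$(mount_opts_for /tmp)
    echo "/tmp mount options: ${live_opts:-<unknown>}"
    echo "would run: $(choose_invocation /tmp/restart_mon_daemon.sh "$live_opts")"
fi
```

The decision function is deliberately separated from the findmnt call so the same logic can be unit-tested with constructed option strings; on a hardened host where /tmp carries nosuid,nodev,noexec, the wrapper produces the same `/usr/bin/env bash /tmp/restart_mon_daemon.sh` line QE used, and on a default mount it leaves the shebang in charge.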
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:2177