1588009 – Deploying logging on a system where /tmp mounted with noexec option fails

Bug 1588009 - Deploying logging on a system where /tmp mounted with noexec option fails

Summary: Deploying logging on a system where /tmp mounted with noexec option fails

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Logging
Sub Component:
Version:	3.9.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	medium
Target Milestone:	---
Target Release:	3.9.z
Assignee:	ewolinet
QA Contact:	Anping Li
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1600685
TreeView+	depends on / blocked

Reported:	2018-06-06 13:12 UTC by Birol Bilgin
Modified:	2021-09-09 14:25 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Cause: To label nodes for Fluentd, we were running a script out of /tmp Consequence: When noexec option was set for /tmp the playbook failed. Fix: Instead of running a script where we paused, we labeled with a pause using the 'shell' Ansible task. Result: We are able to pause and run to completion.
Clone Of:
Clones:	1600685 (view as bug list)
Environment:
Last Closed:	2018-06-27 18:02:09 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2018:2013	0	normal	SHIPPED_LIVE	Important: OpenShift Container Platform 3.9 security, bug fix, and enhancement update	2018-06-27 22:01:43 UTC

Description Birol Bilgin 2018-06-06 13:12:58 UTC

Description of problem:

Deploying logging on a system where /tmp mounted with noexec option fails

In the file below there is task executes a script o /tmp directory,
this is hardcoded to be executed on /tmp directory.

openshift/openshift-ansible/roles/openshift_logging_fluentd/tasks/label_and_wait.yaml

- name: Execute the fluentd temporary labeling script
  command: "/tmp/fluentd_label.temp.sh {{ fluentd_host }}"
  with_items: "{{ openshift_logging_fluentd_hosts }}"
  loop_control:
    loop_var: fluentd_host

When a system mounts the /tmp directory with noexec option this task fails with the error below,

2018-06-01 15:34:15,427 p=626 u=karel |  failed: [i********************] (item=hrrlyicplv005.msnet.railb.be) => {
    "changed": false,
    "cmd": "/tmp/fluentd_label.temp.sh h****************",
    "fluentd_host": "h***********",
    "invocation": {
        "module_args": {
            "_raw_params": "/tmp/fluentd_label.temp.sh h****************",
            "_uses_shell": false,
            "chdir": null,
            "creates": null,
            "executable": null,
            "removes": null,
            "stdin": null,
            "warn": true
        }
    },
    "msg": "[Errno 13] Permission denied",
    "rc": 13
}


Version-Release number of the following components:
Ansible: ansible 2.5.3
Git: openshift-ansible-3.9.29-1

How reproducible:
Allways

Steps to Reproduce:
1. Mount the /tmp directory with noexec option
2. Install the looging component

Actual results:
ansible log will be added to the case.


Upstream issue:
https://github.com/openshift/openshift-ansible/issues/8517

Comment 2 Rich Megginson 2018-06-06 23:38:57 UTC

looks like a problem in roles/openshift_logging_fluentd/tasks/label_and_wait.yaml

Comment 3 ewolinet 2018-06-07 16:42:49 UTC

https://github.com/openshift/openshift-ansible/pull/8676

Comment 4 ewolinet 2018-06-08 22:58:58 UTC

https://github.com/openshift/openshift-ansible/pull/8688

Comment 6 Anping Li 2018-06-19 05:16:25 UTC

work well with ose-ansible/images/v3.9.31-2. 

The following message are printed when use openshift-ansible:v3.9.29 
TASK [openshift_logging_fluentd : Execute the fluentd temporary labeling script] ***
^[[0;31mfailed: [10.66.146.153] (item=10.66.146.153) => {"changed": false, "cmd": "/tmp/fluentd_label.temp.sh 10.66.146.153", "failed": true, "fluentd_host": "10.66.146.153", "msg": "[Errno 13] Permission denied", "rc": 13}^[[0m

Comment 8 errata-xmlrpc 2018-06-27 18:02:09 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2013

Note You need to log in before you can comment on or make changes to this bug.