Description of problem: A lot of deployments are mounting /tmp with noexec flag for security reasons. Because of this, it's impossible to run any executables in there, which breaks the undercloud install and undercloud upgrade processes as described here [1] [1] https://access.redhat.com/solutions/3002821 Version-Release number of selected component (if applicable): All How reproducible: All the time Steps to Reproduce: [stack@undercloud-0 ~]$ echo "tmpfs /tmp tmpfs mode=1777,nosuid,nodev,noexec 0 0" | sudo tee -a /etc/fstab [stack@undercloud-0 ~]$ sudo mount /tmp [stack@undercloud-0 ~]$ sudo systemctl stop 'openstack-*' 'neutron-*' httpd [stack@undercloud-0 ~]$ sudo yum update python-tripleoclient [stack@undercloud-0 ~]$ openstack undercloud (upgrade or install) Actual results: instack uses tempfile.mkdtemp() without any argument to create a temporary folder to store scripts that are going to be run by dib-run-parts. When dib-run-parts starts, it runs a find /tmp/path/to/scripts -executable which returns nothing and it quits. Expected results: instack should use a different prefix. Additional info: in instack/main.py, we already use ~stack/.instack/ to store the logs. It might be a good candidate to store the temp folders, for example: ~stack/.instack/tmp/
Verified on puddle 2018-10-24.1 [stack@undercloud-0 ~]$ rpm -q instack instack-8.1.1-0.20180313084440.0d768a3.el7ost.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3611