Bug 1835650 - [security] selecting STIG profile cause host to be unusable due to indirect dependency on telnet
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: vdsm
Version: 4.4.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ovirt-4.4.3
Target Release: ---
Assignee: Eli Mesika
QA Contact: Wei Wang
URL:
Whiteboard:
Depends On: 1729222
Blocks: 1833254 1867158
 
Reported: 2020-05-14 09:28 UTC by Wei Wang
Modified: 2024-06-13 22:38 UTC (History)

Fixed In Version: vdsm-4.40.35
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-11-24 13:11:27 UTC
oVirt Team: Infra
Target Upstream Version:
Embargoed:
weiwang: testing_plan_complete+


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2020:5213 | 0 | None | None | None | 2020-11-24 13:11:48 UTC
oVirt gerrit | 111680 | 0 | master | MERGED | use fence agents without telnet dependency on RHEL | 2021-02-04 08:45:51 UTC

Comment 3 Sandro Bonazzola 2020-05-19 07:52:20 UTC
# rpm -e telnet
error: Failed dependencies:
	telnet is needed by (installed) fence-agents-apc-4.2.1-30.el8_1.1.noarch
	telnet is needed by (installed) fence-agents-bladecenter-4.2.1-30.el8_1.1.noarch
	telnet is needed by (installed) fence-agents-brocade-4.2.1-30.el8_1.1.noarch
	telnet is needed by (installed) fence-agents-drac5-4.2.1-30.el8_1.1.noarch
	telnet is needed by (installed) fence-agents-hpblade-4.2.1-30.el8_1.1.noarch
	telnet is needed by (installed) fence-agents-ilo-moonshot-4.2.1-30.el8_1.1.noarch
	telnet is needed by (installed) fence-agents-ilo-mp-4.2.1-30.el8_1.1.noarch
	telnet is needed by (installed) fence-agents-rsa-4.2.1-30.el8_1.1.noarch
	telnet is needed by (installed) fence-agents-rsb-4.2.1-30.el8_1.1.noarch
	telnet is needed by (installed) fence-agents-wti-4.2.1-30.el8_1.1.noarch

Comment 4 Sandro Bonazzola 2020-05-19 07:55:02 UTC
rpm -e fence-agents-all
error: Failed dependencies:
	fence-agents-all is needed by (installed) vdsm-4.40.16-1.el8.x86_64

moving to vdsm

Comment 5 Martin Tessun 2020-07-16 12:19:17 UTC
To me the STIG profile is the issue. The telnet package contains the telnet client, which is needed for several fencing-agents.
What you don't want to have is the telnet-server, from my pov.

telnet.x86_64 : The client program for the Telnet remote login protocol
telnet-server.x86_64 : The server program for the Telnet remote login protocol

You cannot remove telnet from the fence-agents, as quite a few connections are telnet-based, so you would need to remove these fencing-agents (this would include HP ILO as well as lots of APC fence-agents).
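
The dependency chain shown in comments 3 to 5 can be checked before a hardening profile removes a package. The following is an added example, not part of the bug thread or of vdsm: it parses rpm's "Failed dependencies" lines and computes which protected packages a removal would drag out. The function names are hypothetical, the middle sample line is constructed, and capability names are assumed to equal package names.

```python
import re
from collections import defaultdict, deque

# "Failed dependencies" lines as rpm prints them. The first and last package
# lines come from comments 3 and 4 of this bug; the middle one is constructed
# and assumes the fence-agents-all metapackage requires the individual agents.
SAMPLE = """\
error: Failed dependencies:
\ttelnet is needed by (installed) fence-agents-apc-4.2.1-30.el8_1.1.noarch
\tfence-agents-apc is needed by (installed) fence-agents-all-4.2.1-30.el8_1.1.x86_64
\tfence-agents-all is needed by (installed) vdsm-4.40.16-1.el8.x86_64
"""

NEEDED_BY = re.compile(r"^\s*(\S+)(?:\s+[<>=]+\s+\S+)?\s+is needed by \(installed\) (\S+)")

def parse_failed_deps(text):
    """Map each required capability to the installed package names needing it."""
    edges = defaultdict(set)
    for line in text.splitlines():
        m = NEEDED_BY.match(line)
        if m:
            capability, nevra = m.groups()
            # Strip "-version-release.arch" to get the bare package name.
            edges[capability].add(nevra.rsplit("-", 2)[0])
    return edges

def removal_closure(package, edges):
    """Every installed package that must also go if `package` is removed."""
    seen, queue = set(), deque([package])
    while queue:
        for dependant in edges.get(queue.popleft(), ()):
            if dependant not in seen:
                seen.add(dependant)
                queue.append(dependant)
    return seen

def protected_at_risk(removals, protected, edges):
    """For each package a profile removes, list the protected packages lost."""
    report = {}
    for pkg in removals:
        hit = sorted(removal_closure(pkg, edges) & set(protected))
        if hit:
            report[pkg] = hit
    return report

if __name__ == "__main__":
    print(protected_at_risk(["telnet", "telnet-server"], ["vdsm"], parse_failed_deps(SAMPLE)))
```

On a live host the input can be collected with `rpm -e --test <package>`, which reports the same failed dependencies without removing anything.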

Comment 9 Wei Wang 2020-09-08 09:08:03 UTC
QE have added the test case to Polarion, but it cannot be automated.

Comment 11 Martin Perina 2020-10-12 09:13:25 UTC
We need to add a requirement for fence-agents-4.2.1-53.el8_3.1 into VDSM.

Comment 13 Wei Wang 2020-10-23 02:30:30 UTC
The vdsm package is vdsm-4.40.33-1.el8ev.x86_64 in the latest rhvh build RHVH-4.4-20201020.5-RHVH-x86_64-dvd1.iso. QE will verify this bug after getting the vdsm-4.40.35 package build.

Comment 14 Wei Wang 2020-10-28 02:20:21 UTC
Test Version
RHVH-4.4-20201026.1-RHVH-x86_64-dvd1.iso
[root@hp-dl388g9-04 ~]# rpm -qa|grep vdsm
vdsm-yajsonrpc-4.40.35-1.el8ev.noarch
vdsm-http-4.40.35-1.el8ev.noarch
vdsm-network-4.40.35-1.el8ev.x86_64
vdsm-common-4.40.35-1.el8ev.noarch
vdsm-python-4.40.35-1.el8ev.noarch
vdsm-client-4.40.35-1.el8ev.noarch
vdsm-api-4.40.35-1.el8ev.noarch
vdsm-hook-vhostmd-4.40.35-1.el8ev.noarch
vdsm-hook-openstacknet-4.40.35-1.el8ev.noarch
vdsm-jsonrpc-4.40.35-1.el8ev.noarch

Test Steps:
According to comment 0

Test Result:
[root@hp-dl388g9-04 ~]# rpm -qa|grep cockpit-ovirt-dashboard
[root@hp-dl388g9-04 ~]# rpm -qa|grep telnet
[root@hp-dl388g9-04 ~]# rpm -qa|grep ovirt-hosted-engine-setup
[root@hp-dl388g9-04 ~]# rpm -qa|grep ovirt-hosted-engine

"telnet-server" and packages related to hosted-engine deployment are all missing.
Bug is not fixed, move the status to "ASSIGNED"

Comment 15 Eli Mesika 2020-10-28 06:49:44 UTC
(In reply to Wei Wang from comment #14)
Please provide the following from the failing env:

1) OS version 

2) fence-agents-all version 

3) libvirt* version

Comment 21 Wei Wang 2020-11-04 06:13:51 UTC
Test with RHVH-4.4-20201029.0-RHVH-x86_64-dvd1.iso, all the packages related to hosted engine are installed.

[root@hp-dl388g9-04 ~]# rpm -qa|grep cockpit-ovirt-dashboard
cockpit-ovirt-dashboard-0.14.12-1.el8ev.noarch

[root@hp-dl388g9-04 ~]# rpm -qa|grep ovirt-hosted-engine
ovirt-hosted-engine-setup-2.4.8-1.el8ev.noarch
ovirt-hosted-engine-ha-2.4.5-1.el8ev.noarch

[root@hp-dl388g9-04 ~]# rpm -qa|grep vdsm*
vdsm-api-4.40.35.1-1.el8ev.noarch
vdsm-hook-vhostmd-4.40.35.1-1.el8ev.noarch
vdsm-jsonrpc-4.40.35.1-1.el8ev.noarch
vdsm-gluster-4.40.35.1-1.el8ev.x86_64
vdsm-common-4.40.35.1-1.el8ev.noarch
vdsm-python-4.40.35.1-1.el8ev.noarch
vdsm-hook-openstacknet-4.40.35.1-1.el8ev.noarch
vdsm-client-4.40.35.1-1.el8ev.noarch
vdsm-4.40.35.1-1.el8ev.x86_64
vdsm-http-4.40.35.1-1.el8ev.noarch
vdsm-hook-ethtool-options-4.40.35.1-1.el8ev.noarch
vdsm-network-4.40.35.1-1.el8ev.x86_64
vdsm-hook-fcoe-4.40.35.1-1.el8ev.noarch
vdsm-yajsonrpc-4.40.35.1-1.el8ev.noarch
vdsm-hook-vmfex-dev-4.40.35.1-1.el8ev.noarch

[root@hp-dl388g9-04 ~]# rpm -qa|grep fence-agents-all
fence-agents-all-4.2.1-53.el8_3.1.x86_64

QE will verify this bug after dev moves the status to "ON_QA".

Comment 22 Wei Wang 2020-11-05 07:48:45 UTC
According to comment 21, move status to "VERIFIED".

Comment 26 errata-xmlrpc 2020-11-24 13:11:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (RHV RHEL Host (ovirt-host) 4.4.z [ovirt-4.4.3]), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:5213

