Description of problem:
Getting the following error during Hosted-engine deployment on RHVH with STIG/VPP profile:

  Failed to connect to the host via ssh: Bad owner or permissions on /etc/crypto-policies/back-ends/openssh.config

openssh.config file permissions:

  # ll /etc/crypto-policies/back-ends/openssh.config
  -rwxrwxrwx. 1 root root 480 Nov 20 14:56 /etc/crypto-policies/back-ends/openssh.config

Version-Release number of selected component (if applicable):
RHVH-4.4-20201029.0-RHVH-x86_64-dvd1.iso
imgbased-1.2.13-0.1.el8ev
crypto-policies-scripts-20200713-1.git51d1222.el8.noarch
crypto-policies-20200713-1.git51d1222.el8.noarch

How reproducible:
100%

Steps to Reproduce:
1. Select STIG profile during RHVH installation
2. Deploy hosted engine via cockpit

Actual results:
HE deployment fails to connect to the VM via ssh

Expected results:
HE deployment should be able to connect to the VM via ssh

Additional info:
In el8.3, the symlink file in crypto-policies was changed from %config to %ghost file but it was kept as a symlink, and for some reason, rpm for %ghost files does record 777 permissions of the symlink. This is causing the ssh connection on RHVH with an active secure profile to fail (further information can be found in bug 1900662).
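The "Bad owner or permissions" message in the report comes from the check ssh applies to a configuration file before reading it: the file must be owned by root or by the invoking user, and it must not be group- or world-writable. The script below is an added example, not part of this bug report, of imgbased, or of crypto-policies; it reimplements that check so an operator can audit the file on a host and reset it to the mode 644 that the corrected file shows later in this bug (comment 7). The function names, the temporary-file usage, and the choice of `stat -L` (GNU coreutils, to check the symlink's target rather than the link itself) are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the bug report): audit and repair the
# ownership/permission bits that ssh requires on a config file such as
# /etc/crypto-policies/back-ends/openssh.config.

# check_ssh_config_perms FILE
# Returns 0 when FILE (symlinks followed) is owned by root or the current
# user and has no group/world write bits; prints the reason and returns 1
# otherwise. This mirrors the condition behind "Bad owner or permissions".
check_ssh_config_perms() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "$f: file does not exist" >&2
        return 1
    fi
    # -L: inspect the target of a symlink, which is what ssh actually reads
    mode=$(stat -L -c '%a' "$f")     # e.g. 777 or 644
    owner=$(stat -L -c '%u' "$f")    # numeric uid
    me=$(id -u)
    if [ "$owner" != 0 ] && [ "$owner" != "$me" ]; then
        echo "$f: bad owner uid $owner (expected 0 or $me)" >&2
        return 1
    fi
    # 022 (octal) selects the group-write and other-write bits
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$f: group/world writable (mode $mode)" >&2
        return 1
    fi
    return 0
}

# repair_ssh_config_perms FILE
# Resets FILE (symlinks followed by chmod) to root-readable mode 644, the
# mode the fixed RHVH build ships for openssh.config.
repair_ssh_config_perms() {
    chmod 644 "$1"
}

# Stand-alone usage: sh check_openssh_config.sh /etc/crypto-policies/back-ends/openssh.config
if [ $# -gt 0 ]; then
    if check_ssh_config_perms "$1"; then
        echo "$1: ok"
    else
        echo "$1: would be rejected by ssh; run: chmod 644 $1" >&2
        exit 1
    fi
fi
```

Run it on the host before starting hosted-engine deployment; a non-zero exit identifies the file ssh will refuse, and `repair_ssh_config_perms` (or the `chmod 644` it wraps) clears the condition until the fixed imgbased build is installed.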
Test with RHVH-4.4-20201210.0-RHVH-x86_64-dvd1.iso The package imgbased-1.2.13-0.1.el8ev.noarch, so QE will verify this issue after dev add the fixed version to RHVH build.
imgbased-1.2.14-0.1.el8ev package is now in RHVH-4.4-20201217.0-RHVH-x86_64-dvd1.iso
(In reply to Asaf Rachmani from comment #4)
> imgbased-1.2.14-0.1.el8ev package is now in
> RHVH-4.4-20201217.0-RHVH-x86_64-dvd1.iso

Test with RHVH-4.4-20201217.0-RHVH-x86_64-dvd1.iso, hosted engine setup with STIG security profile; QE detected the issue below:

[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Notify the user about a failure]
[ ERROR ] fatal: [localhost]: FAILED! => {"changed": false, "msg": "Host is not up, please check logs, perhaps also on the engine machine"}
....
[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Notify the user about a failure]
[ ERROR ] fatal: [localhost]: FAILED! => {"changed": false, "msg": "The system may not be provisioned according to the playbook results: please check the logs for the issue, fix accordingly or re-deploy from scratch.\n"}

----------- engine.log -----------
2020-12-18 11:52:07,873+08 ERROR [org.ovirt.engine.core.bll.hostdeploy.AddVdsCommand] (default task-1) [bf22a318-16bc-43c8-81bc-52584955a06b] Failed to authenticate session with host 'hp-dl388g9-04.lab.eng.pek2.redhat.com': SSH authentication to 'root.eng.pek2.redhat.com' failed. Please verify provided credentials. Make sure key is authorized at host
2020-12-18 11:52:07,874+08 WARN [org.ovirt.engine.core.bll.hostdeploy.AddVdsCommand] (default task-1) [bf22a318-16bc-43c8-81bc-52584955a06b] Validation of action 'AddVds' failed for user admin@internal-authz. Reasons: VAR__ACTION__ADD,VAR__TYPE__HOST,$server hp-dl388g9-04.lab.eng.pek2.redhat.com,VDS_CANNOT_AUTHENTICATE_TO_SERVER
2020-12-18 11:52:07,914+08 ERROR [org.ovirt.engine.api.restapi.resource.AbstractBackendResource] (default task-1) [] Operation Failed: [Cannot add Host. SSH authentication failed, verify authentication parameters are correct (Username/Password, public-key etc.) You may refer to the engine.log file for further details.]

Move it to "ASSIGNED".
Created attachment 1740132: issue log files
I suspect it might be a different issue. Can you please check openssh.config file permission? and if ssh to the localVM works? If so, please open a new bug.
(In reply to Asaf Rachmani from comment #7)
> I suspect it might be a different issue.
> Can you please check openssh.config file permission? and if ssh to the
> localVM works?

[root@hp-dl388g9-04 ~]# ll /etc/crypto-policies/back-ends/openssh.config
-rw-r--r--. 1 root root 480 Dec 22 09:55 /etc/crypto-policies/back-ends/openssh.config

[root@hp-dl388g9-04 ~]# virsh -r net-dhcp-leases default | grep -i 52:54:00:5d:21:64 | awk '{ print $5 }' | cut -f1 -d'/'
192.168.222.176

[xxxx@xxx ~]$ ssh root.222.176
--- ssh fail

> If so, please open a new bug.
After waiting for some more minutes, the local VM can be reached via ssh successfully. So I opened a new bug, https://bugzilla.redhat.com/show_bug.cgi?id=1909956, to trace the issue in comment 5. This bug is fixed; QE will move it to "VERIFIED" after dev move it to "ON_QA".
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: Red Hat Virtualization Host security bug fix and enhancement update [ovirt-4.4.4]), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:0401