Bug 1915329
| Summary: | [Stream] Add host fails with: Destination /etc/pki/ovirt-engine/requests not writable | ||
|---|---|---|---|
| Product: | [oVirt] ovirt-engine | Reporter: | Yedidyah Bar David <didi> |
| Component: | ovirt-host-deploy-ansible | Assignee: | Dana <delfassy> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Petr Matyáš <pmatyas> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4.4.4 | CC: | bugs, gdeolive, luhliari, mperina |
| Target Milestone: | ovirt-4.4.5 | Flags: | pm-rhel:
ovirt-4.4+
gdeolive: testing_ack+ |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ovirt-engine-4.4.5.3 | Doc Type: | No Doc Update |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-03-18 15:14:27 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Lubos, any idea what might have caused this? Thanks. Now filed Stream bz 1917869. Fixed by adding this line to our policy: (allow httpd_t cert_t (dir (add_name remove_name read write))) Found with the help of Ondrej Mosnacek. Thanks! He suggests to still consider it a kind of workaround, so I am keeping the Stream bug 1917869 open. Verified on ovirt-engine-4.4.5.6-0.0.master.20210211101802.giteb733a55fff.el8.noarch This bugzilla is included in oVirt 4.4.5 release, published on March 18th 2021. Since the problem described in this bug report should be resolved in oVirt 4.4.5 release, it has been closed with a resolution of CURRENT RELEASE. If the solution does not work for you, please open a new bug report. The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days |
Description of problem: While adding a host, ansible code tries to do: - name: Copy vdsm and QEMU CSRs copy: content: "{{ item.stdout }}" dest: "{{ ovirt_pki_dir }}/{{ item.item.item.req_dir }}/{{ ovirt_vds_hostname }}.req" mode: 0644 loop: '{{ csrs.results }}' delegate_to: localhost This fails, with this in /var/log/ovirt-engine/ansible-runner-service.log : Destination /etc/pki/ovirt-engine/requests not writable See e.g. [1][2]. This is on current CentOS Stream. I suspect it's something related to httpd or ansible-runner dropping capabilities, or something like that. Reproduced also locally, using OST. If I do: # su - ovirt -s /bin/bash $ python3 -c 'import os; print(os.access("/etc/pki/ovirt-engine/requests", os.W_OK))' True But apparently httpd runs it somewhat differently. If I strace httpd, I see: 45390 13:05:42.430945 stat("/etc/pki/ovirt-engine/requests", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 45390 13:05:42.431065 access("/etc/pki/ovirt-engine/requests", W_OK) = -1 EACCES (Permission denied) [1] https://jenkins.ovirt.org/job/ovirt-system-tests_he-basic-suite-master/1881/ [2] https://jenkins.ovirt.org/job/ovirt-system-tests_he-basic-suite-master/1881/artifact/exported-artifacts/test_logs/he-basic-suite-master/post-he_deploy/lago-he-basic-suite-master-host-0/_var_log/ovirt-hosted-engine-setup/engine-logs-2021-01-12T08%3A10%3A34Z/ovirt-engine/host-deploy/ovirt-host-deploy-ansible-20210112092316-lago-he-basic-suite-master-host-0.lago.local-115ec06b.log