Bug 1915329 - [Stream] Add host fails with: Destination /etc/pki/ovirt-engine/requests not writable
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: ovirt-host-deploy-ansible
Version: 4.4.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ovirt-4.4.5
Target Release: ---
Assignee: Dana
QA Contact: Petr Matyáš
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-01-12 12:52 UTC by Yedidyah Bar David
Modified: 2023-09-15 00:58 UTC

Fixed In Version: ovirt-engine-4.4.5.3
Clone Of:
Environment:
Last Closed: 2021-03-18 15:14:27 UTC
oVirt Team: Infra
Embargoed:
pm-rhel: ovirt-4.4+
gdeolive: testing_ack+




Links
System: oVirt gerrit 113101 | Branch: master | Status: MERGED | Summary: ansible-runner: selinux: Allow writing to pki requests | Last Updated: 2021-02-12 14:24:46 UTC

Description Yedidyah Bar David 2021-01-12 12:52:53 UTC
Description of problem:

While adding a host, ansible code tries to do:

  - name: Copy vdsm and QEMU CSRs
    copy:
      content: "{{ item.stdout }}"
      dest: "{{ ovirt_pki_dir }}/{{ item.item.item.req_dir }}/{{ ovirt_vds_hostname }}.req"
      mode: 0644
    loop: '{{ csrs.results }}'
    delegate_to: localhost

This fails, with this in /var/log/ovirt-engine/ansible-runner-service.log :

    Destination /etc/pki/ovirt-engine/requests not writable

See e.g. [1][2].

This is on current CentOS Stream.

I suspect it's something related to httpd or ansible-runner dropping capabilities, or something like that.

Reproduced also locally, using OST. If I do:

# su - ovirt -s /bin/bash
$ python3 -c 'import os; print(os.access("/etc/pki/ovirt-engine/requests", os.W_OK))'
True

But apparently httpd runs it somewhat differently. If I strace httpd, I see:

45390 13:05:42.430945 stat("/etc/pki/ovirt-engine/requests", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
45390 13:05:42.431065 access("/etc/pki/ovirt-engine/requests", W_OK) = -1 EACCES (Permission denied)

[1] https://jenkins.ovirt.org/job/ovirt-system-tests_he-basic-suite-master/1881/
[2] https://jenkins.ovirt.org/job/ovirt-system-tests_he-basic-suite-master/1881/artifact/exported-artifacts/test_logs/he-basic-suite-master/post-he_deploy/lago-he-basic-suite-master-host-0/_var_log/ovirt-hosted-engine-setup/engine-logs-2021-01-12T08%3A10%3A34Z/ovirt-engine/host-deploy/ovirt-host-deploy-ansible-20210112092316-lago-he-basic-suite-master-host-0.lago.local-115ec06b.log

Comment 1 Yedidyah Bar David 2021-01-12 12:55:58 UTC
Lubos, any idea what might have caused this? Thanks.

Comment 2 Yedidyah Bar David 2021-01-19 14:48:49 UTC
Now filed Stream bz 1917869.

Comment 3 Yedidyah Bar David 2021-01-20 13:50:58 UTC
Fixed by adding this line to our policy:

(allow httpd_t cert_t (dir (add_name remove_name read write)))

Found with the help of Ondrej Mosnacek. Thanks!

He suggests still considering it a kind of workaround, so I am keeping the Stream bug 1917869 open.
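The two things worth automating from this report are the triage in the description (a stat() showing mode 0755 followed by an access(W_OK) that still returns EACCES, which points at an LSM rather than DAC) and the check in comment 3 (does a CIL allow rule actually grant the permissions that were refused). The script below is an added example, not code from the bug report or from oVirt: the strace excerpt and the CIL rule are constructed to mirror the ones quoted above, the "owner" relationship defaults to the reporter's su test, and the mapping from access(2) modes to SELinux permissions (R_OK to read, W_OK to write, X_OK to search on a directory or execute on a file) is an assumption stated in the code.

```python
"""Triage an EACCES that DAC does not explain, then check whether a CIL allow
rule grants the SELinux permissions that must have been refused.

Added example, not code from the bug report or from oVirt. The strace excerpt
and the CIL rule are constructed to mirror the ones quoted in the report; the
access(2)-mode-to-SELinux-permission mapping is an assumption for illustration.
"""
import re

# Constructed strace excerpt modelled on the one in the bug description.
STRACE_SAMPLE = """\
45390 13:05:42.430945 stat("/etc/pki/ovirt-engine/requests", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
45390 13:05:42.431065 access("/etc/pki/ovirt-engine/requests", W_OK) = -1 EACCES (Permission denied)
"""

# Constructed CIL rule with the same shape as the one added in comment 3.
CIL_SAMPLE = "(allow httpd_t cert_t (dir (add_name remove_name read write)))"

STAT_RE = re.compile(r'stat\("([^"]+)", \{st_mode=(S_IF\w+)\|(0?[0-7]+)')
ACCESS_RE = re.compile(r'access\("([^"]+)", ([A-Z_|]+)\) = -1 EACCES')

# access(2) flag -> (owner-triad DAC bit, SELinux perm on a dir, on a file).
# Assumed mapping, see module docstring.
MODE_TABLE = {
    "R_OK": (0o400, "read", "read"),
    "W_OK": (0o200, "write", "write"),
    "X_OK": (0o100, "search", "execute"),
}
# How far the owner bits shift for the caller's relationship to the inode.
TRIAD_SHIFT = {"owner": 0, "group": 3, "other": 6}


def triage_strace(text, relationship="owner"):
    """For each access() denied with EACCES, decide whether the mode bits seen
    in the preceding stat() would have allowed it. If they would, the denial
    came from an LSM and the listed SELinux permissions are what was refused."""
    modes, findings = {}, []
    for line in text.splitlines():
        m = STAT_RE.search(line)
        if m:
            path, kind, octal = m.groups()
            modes[path] = ("dir" if kind == "S_IFDIR" else "file", int(octal, 8))
            continue
        m = ACCESS_RE.search(line)
        if not m:
            continue
        path, flags = m.groups()
        if path not in modes:
            findings.append({"path": path, "verdict": "no stat seen, cannot judge DAC"})
            continue
        kind, bits = modes[path]
        shift = TRIAD_SHIFT[relationship]
        dac_ok, needed = True, []
        for flag in flags.split("|"):
            owner_bit, dir_perm, file_perm = MODE_TABLE[flag]
            if not bits & (owner_bit >> shift):
                dac_ok = False
            needed.append(dir_perm if kind == "dir" else file_perm)
        findings.append({
            "path": path, "class": kind, "mode": oct(bits), "dac_ok": dac_ok,
            "selinux_perms": needed,
            "verdict": ("DAC allows it; EACCES came from an LSM, check the audit "
                        "log for an AVC (ausearch -m avc)") if dac_ok
                       else "DAC itself denies it; fix ownership or mode",
        })
    return findings


def parse_cil_allow(rule):
    """Parse '(allow src tgt (class (perm ...)))' into a dict using a minimal
    s-expression reader; enough for a single allow rule, not a full CIL parser."""
    tokens = rule.replace("(", " ( ").replace(")", " ) ").split()

    def read(it):
        out = []
        for tok in it:
            if tok == "(":
                out.append(read(it))
            elif tok == ")":
                return out
            else:
                out.append(tok)
        return out

    tree = read(iter(tokens))[0]
    if tree[0] != "allow" or len(tree) != 4:
        raise ValueError(f"not a simple allow rule: {rule}")
    _, src, tgt, (cls, perms) = tree
    return {"source": src, "target": tgt, "class": cls, "perms": set(perms)}


def rule_covers(rule, source, target, cls, perms):
    """True if the literal rule grants every perm in perms for source -> target:cls.
    Real policy evaluation also involves type attributes and constraints."""
    return (rule["source"] == source and rule["target"] == target
            and rule["class"] == cls and set(perms) <= rule["perms"])


if __name__ == "__main__":
    rule = parse_cil_allow(CIL_SAMPLE)
    for f in triage_strace(STRACE_SAMPLE):
        print(f["path"], "->", f["verdict"])
        if f.get("dac_ok"):
            # httpd_t and cert_t are the contexts named in comment 3.
            print("  rule grants needed perms:",
                  rule_covers(rule, "httpd_t", "cert_t", f["class"], f["selinux_perms"]))
```

Run against the constructed excerpt, the triage reports that 0755 lets the owner write, so the EACCES must come from an LSM, and that the comment 3 rule covers the `write` permission on `dir` that access(W_OK) checks; the copy task itself additionally needs `add_name` to create the .req file, which the same rule also grants.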

Comment 4 Petr Matyáš 2021-02-15 15:50:15 UTC
Verified on ovirt-engine-4.4.5.6-0.0.master.20210211101802.giteb733a55fff.el8.noarch

Comment 5 Sandro Bonazzola 2021-03-18 15:14:27 UTC
This bugzilla is included in oVirt 4.4.5 release, published on March 18th 2021.

Since the problem described in this bug report should be resolved in oVirt 4.4.5 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

Comment 6 Red Hat Bugzilla 2023-09-15 00:58:14 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days

