Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2020620

Summary: Hosted engine setup fails on host with DISA STIG profile
Product: Red Hat Enterprise Virtualization Manager Reporter: Ales Musil <amusil>
Component: ovirt-ansible-collectionAssignee: Asaf Rachmani <arachman>
Status: CLOSED ERRATA QA Contact: Wei Wang <weiwang>
Severity: high Docs Contact:
Priority: high    
Version: 4.5.0CC: emarcus, lsurette, mperina, yaniwang
Target Milestone: ovirt-4.5.0Keywords: ZStream
Target Release: 4.5.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ovirt-hosted-engine-ha-2.5.0 ovirt-ansible-collection-2.0.0-0.6.BETA.el8 Doc Type: Enhancement
Doc Text:
In this release, support has been added for self-hosted engine deployment on a host with a DISA STIG profile.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-26 17:25:09 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Integration RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2015802, 2030226, 2030596, 2050108    

Description Ales Musil 2021-11-05 12:14:18 UTC 
Description of problem:
Hosted engine setup fails on start of bootstrap VM with umask 077.


How reproducible:
100%

Steps to Reproduce:
1. umask 077
2. hosted-engine --deploy


Actual results:
 [ ERROR ] fatal: [localhost]: FAILED! =&gt; {"changed": true, "cmd": ["virt-install", "-n", "HostedEngineLocal", "--os-variant", "rhel8.0", "--virt-type", "kvm", "--memory", "3171", "--vcpus", "2", "--network", "network=default,mac=54:52:43:41:b1:87,model=virtio", "--disk", "/var/tmp/localvmjeby32g8/images/ca1a3e6e-5f56-4453-9582-7dfda2057cb5/41500a62-6559-4b9e-baa5-29e2bc5d5c0d", "--import", "--disk", "path=/var/tmp/localvmjeby32g8/seed.iso,device=cdrom", "--noautoconsole", "--rng", "/dev/random", "--graphics", "vnc", "--video", "vga", "--sound", "none", "--controller", "usb,model=none", "--memballoon", "none", "--boot", "hd,menu=off", "--clock", "kvmclock_present=yes"], "delta": "0:00:04.124228", "end": "2021-11-05 13:11:38.316439", "msg": "non-zero return code", "rc": 1, "start": "2021-11-05 13:11:34.192211", "stderr": "WARNING  /var/tmp/localvmjeby32g8/images/ca1a3e6e-5f56-4453-9582-7dfda2057cb5/41500a62-6559-4b9e-baa5-29e2bc5d5c0d may not be accessible by the hypervisor. You will need to grant the 'qemu' user search permissions for the following directories: ['/var/tmp/localvmjeby32g8/images', '/var/tmp/localvmjeby32g8/images/ca1a3e6e-5f56-4453-9582-7dfda2057cb5']\nERROR    Cannot access storage file '/var/tmp/localvmjeby32g8/images/ca1a3e6e-5f56-4453-9582-7dfda2057cb5/41500a62-6559-4b9e-baa5-29e2bc5d5c0d' (as uid:107, gid:107): Permission denied\nDomain installation does not appear to have been successful.\nIf it was, you can restart your domain by running:\n  virsh --connect qemu:///system start HostedEngineLocal\notherwise, please restart your installation.", "stderr_lines": ["WARNING  /var/tmp/localvmjeby32g8/images/ca1a3e6e-5f56-4453-9582-7dfda2057cb5/41500a62-6559-4b9e-baa5-29e2bc5d5c0d may not be accessible by the hypervisor. You will need to grant the 'qemu' user search permissions for the following directories: ['/var/tmp/localvmjeby32g8/images', '/var/tmp/localvmjeby32g8/images/ca1a3e6e-5f56-4453-9582-7dfda2057cb5']", "ERROR    Cannot access storage file '/var/tmp/localvmjeby32g8/images/ca1a3e6e-5f56-4453-9582-7dfda2057cb5/41500a62-6559-4b9e-baa5-29e2bc5d5c0d' (as uid:107, gid:107): Permission denied", "Domain installation does not appear to have been successful.", "If it was, you can restart your domain by running:", "  virsh --connect qemu:///system start HostedEngineLocal", "otherwise, please restart your installation."], "stdout": "\nStarting install...", "stdout_lines": ["", "Starting install..."]}

Expected results:
Should pass
Comment 1 Martin Perina 2021-11-05 12:17:36 UTC 
umask 077 is the default value for DISA STIG host, so we need to adapt our code
Comment 3 Ales Musil 2022-01-05 08:42:27 UTC 
Just to clarify, the host should be setup with DISA STIG profile,
instead of setting the umask 077 directly before setup.
Comment 7 Asaf Rachmani 2022-02-07 11:34:14 UTC 
Following comment 3 we need to adapt the code to support disa stig profile - moving to post

Steps to Reproduce:
1. Install the latest Rhel-h 8 with DISA STIG.
2. Run hosted-engine deployment
Comment 8 Wei Wang 2022-03-30 03:35:57 UTC 
Test Version:
ovirt-hosted-engine-ha-2.5.0-1.el8ev.noarch
ovirt-ansible-collection-2.0.0-0.6.BETA.el8ev.noarch

Test Steps:
1. Install RHEL8.5 iso with STIG profile
2. Remove fapolicyd
3. Upgrade to RHEL8.6
4. Install fapolicyd
5. Install rhv
6. hosted engine deploy


Test Result:
Hosted engine deploy successfully.

Bug is fixed, move it to "VERIFIED"
Comment 13 errata-xmlrpc 2022-05-26 17:25:09 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: RHV Engine and Host Common Packages security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:4712