Bug 2020620 - Hosted engine setup fails on host with DISA STIG profile
Summary: Hosted engine setup fails on host with DISA STIG profile
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-ansible-collection
Version: 4.5.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ovirt-4.5.0
Target Release: 4.5.0
Assignee: Asaf Rachmani
QA Contact: Wei Wang
URL:
Whiteboard:
Depends On:
Blocks: 2015802 2030226 2030596 2050108
Reported: 2021-11-05 12:14 UTC by Ales Musil
Modified: 2022-05-26 17:25 UTC

Fixed In Version: ovirt-hosted-engine-ha-2.5.0 ovirt-ansible-collection-2.0.0-0.6.BETA.el8
Doc Type: Enhancement
Doc Text:
In this release, support has been added for self-hosted engine deployment on a host with a DISA STIG profile.
Clone Of:
Environment:
Last Closed: 2022-05-26 17:25:09 UTC
oVirt Team: Integration
Target Upstream Version:
Embargoed:



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | oVirt ovirt-ansible-collection pull 409 | 0 | None | open | roles: hosted_engine_setup: Adjust files permissions | 2021-12-23 07:12:48 UTC
Github | oVirt ovirt-ansible-collection pull 426 | 0 | None | open | roles: hosted_engine_setup: Support disa stig profile | 2022-02-07 11:44:18 UTC
Red Hat Issue Tracker | RHV-43931 | 0 | None | None | None | 2021-11-05 12:17:05 UTC
Red Hat Product Errata | RHSA-2022:4712 | 0 | None | None | None | 2022-05-26 17:25:31 UTC

Description Ales Musil 2021-11-05 12:14:18 UTC
Description of problem:
Hosted engine setup fails on start of bootstrap VM with umask 077.


How reproducible:
100%

Steps to Reproduce:
1. umask 077
2. hosted-engine --deploy


Actual results:
 [ ERROR ] fatal: [localhost]: FAILED! => {"changed": true, "cmd": ["virt-install", "-n", "HostedEngineLocal", "--os-variant", "rhel8.0", "--virt-type", "kvm", "--memory", "3171", "--vcpus", "2", "--network", "network=default,mac=54:52:43:41:b1:87,model=virtio", "--disk", "/var/tmp/localvmjeby32g8/images/ca1a3e6e-5f56-4453-9582-7dfda2057cb5/41500a62-6559-4b9e-baa5-29e2bc5d5c0d", "--import", "--disk", "path=/var/tmp/localvmjeby32g8/seed.iso,device=cdrom", "--noautoconsole", "--rng", "/dev/random", "--graphics", "vnc", "--video", "vga", "--sound", "none", "--controller", "usb,model=none", "--memballoon", "none", "--boot", "hd,menu=off", "--clock", "kvmclock_present=yes"], "delta": "0:00:04.124228", "end": "2021-11-05 13:11:38.316439", "msg": "non-zero return code", "rc": 1, "start": "2021-11-05 13:11:34.192211", "stderr": "WARNING  /var/tmp/localvmjeby32g8/images/ca1a3e6e-5f56-4453-9582-7dfda2057cb5/41500a62-6559-4b9e-baa5-29e2bc5d5c0d may not be accessible by the hypervisor. You will need to grant the 'qemu' user search permissions for the following directories: ['/var/tmp/localvmjeby32g8/images', '/var/tmp/localvmjeby32g8/images/ca1a3e6e-5f56-4453-9582-7dfda2057cb5']\nERROR    Cannot access storage file '/var/tmp/localvmjeby32g8/images/ca1a3e6e-5f56-4453-9582-7dfda2057cb5/41500a62-6559-4b9e-baa5-29e2bc5d5c0d' (as uid:107, gid:107): Permission denied\nDomain installation does not appear to have been successful.\nIf it was, you can restart your domain by running:\n  virsh --connect qemu:///system start HostedEngineLocal\notherwise, please restart your installation.", "stderr_lines": ["WARNING  /var/tmp/localvmjeby32g8/images/ca1a3e6e-5f56-4453-9582-7dfda2057cb5/41500a62-6559-4b9e-baa5-29e2bc5d5c0d may not be accessible by the hypervisor. You will need to grant the 'qemu' user search permissions for the following directories: ['/var/tmp/localvmjeby32g8/images', '/var/tmp/localvmjeby32g8/images/ca1a3e6e-5f56-4453-9582-7dfda2057cb5']", "ERROR    Cannot access storage file '/var/tmp/localvmjeby32g8/images/ca1a3e6e-5f56-4453-9582-7dfda2057cb5/41500a62-6559-4b9e-baa5-29e2bc5d5c0d' (as uid:107, gid:107): Permission denied", "Domain installation does not appear to have been successful.", "If it was, you can restart your domain by running:", "  virsh --connect qemu:///system start HostedEngineLocal", "otherwise, please restart your installation."], "stdout": "\nStarting install...", "stdout_lines": ["", "Starting install..."]}

Expected results:
Should pass
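
The failure mode reported above, reproduced as an added example that is not part of the original report or of the oVirt code: a directory tree created under umask 077 loses the search and read bits another account needs, and an explicit chmod after creation makes the result independent of the host's umask. The directory and file names are constructed, and the qemu account (uid 107 in the log) is modelled as "other", which assumes it is neither owner nor group member.

```python
import os
import stat
import tempfile

def build_tree(root, umask, explicit_modes=False):
    """Create root/images/<id>/<disk> the way a setup step might, under `umask`."""
    old = os.umask(umask)
    try:
        images = os.path.join(root, "images")
        img_dir = os.path.join(images, "constructed-image-id")  # constructed name
        os.makedirs(img_dir, mode=0o755)  # requested mode is still masked by umask
        disk = os.path.join(img_dir, "constructed-disk-id")     # constructed name
        with open(disk, "wb") as fh:
            fh.write(b"\0" * 16)
        if explicit_modes:
            # chmod() is not subject to umask, so the result is deterministic.
            os.chmod(images, 0o755)
            os.chmod(img_dir, 0o755)
            os.chmod(disk, 0o644)
    finally:
        os.umask(old)
    return disk

def blocked_components(path, root):
    """List components below `root` that a user who is neither owner nor in the
    group cannot use: directories without o+x (search), files without o+r."""
    blocked = []
    cur = path
    while cur != root:
        mode = os.stat(cur).st_mode
        needed = stat.S_IXOTH if stat.S_ISDIR(mode) else stat.S_IROTH
        if not mode & needed:
            blocked.append(os.path.relpath(cur, root))
        cur = os.path.dirname(cur)
    return blocked[::-1]  # top-down order

if __name__ == "__main__":
    cases = (("umask 022", 0o022, False),
             ("umask 077", 0o077, False),
             ("umask 077 + explicit chmod", 0o077, True))
    for label, umask, explicit in cases:
        with tempfile.TemporaryDirectory() as root:
            disk = build_tree(root, umask, explicit)
            print(f"{label}: blocked = {blocked_components(disk, root)}")
```

On a hardened host, granting access only to the account that needs it (ownership, group, or an ACL) is tighter than the world bits used here for illustration.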

Comment 1 Martin Perina 2021-11-05 12:17:36 UTC
umask 077 is the default value for a DISA STIG host, so we need to adapt our code.

Comment 3 Ales Musil 2022-01-05 08:42:27 UTC
Just to clarify, the host should be set up with the DISA STIG profile,
instead of setting the umask 077 directly before setup.

Comment 7 Asaf Rachmani 2022-02-07 11:34:14 UTC
Following comment 3, we need to adapt the code to support the DISA STIG profile - moving to post

Steps to Reproduce:
1. Install the latest RHEL-H 8 with DISA STIG.
2. Run hosted-engine deployment

Comment 8 Wei Wang 2022-03-30 03:35:57 UTC
Test Version:
ovirt-hosted-engine-ha-2.5.0-1.el8ev.noarch
ovirt-ansible-collection-2.0.0-0.6.BETA.el8ev.noarch

Test Steps:
1. Install RHEL8.5 iso with STIG profile
2. Remove fapolicyd
3. Upgrade to RHEL8.6
4. Install fapolicyd
5. Install rhv
6. hosted engine deploy


Test Result:
Hosted engine deployed successfully.

Bug is fixed, move it to "VERIFIED"

Comment 13 errata-xmlrpc 2022-05-26 17:25:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: RHV Engine and Host Common Packages security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:4712

