2064906 – ovn migration executes scripts from /tmp directory

Bug 2064906 - ovn migration executes scripts from /tmp directory

Summary: ovn migration executes scripts from /tmp directory

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	python-networking-ovn
Sub Component:
Version:	16.1 (Train)
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	z9
Target Release:	16.1 (Train on RHEL 8.2)
Assignee:	Jakub Libosvar
QA Contact:	Roman Safronov
Docs Contact:
URL:
Whiteboard:
Depends On:	2074621
Blocks:
TreeView+	depends on / blocked

Reported:	2022-03-16 20:34 UTC by Jakub Libosvar
Modified:	2022-12-07 20:26 UTC (History)
CC List:	4 users (show)
Fixed In Version:	python-networking-ovn-7.3.1-1.20220412183743.4e24f4c.el8ost
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	2074621 (view as bug list)
Environment:
Last Closed:	2022-12-07 20:26:20 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Launchpad	1965183	None	None	None	2022-03-16 20:35:52 UTC
Red Hat Issue Tracker	OSP-13983	None	Closed	Huge unreclaimable Slab memory(slab 캐시 메모리 증가 이슈)	2022-05-10 06:03:51 UTC
Red Hat Product Errata	RHBA-2022:8795	None	None	None	2022-12-07 20:26:38 UTC

Description Jakub Libosvar 2022-03-16 20:34:17 UTC

Description of problem:
The /tmp are often mounted with noexec option for security reasons. The migration roles rely that scripts in /tmp/ can be executed.

Version-Release number of selected component (if applicable):
16.1

How reproducible:
Always

Steps to Reproduce:
1. Have /tmp mounted with noexec option
2. Run migration from ovs to ovn
3.

Actual results:
fatal: [tpa-vim-b-computecl-0]: FAILED! => {
    "changed": true,
    "cmd": "/tmp/clone-br-int.sh",
    "delta": "0:00:00.001773",
    "end": "2022-03-16 18:51:30.332449",
    "invocation": {
        "module_args": {
            "_raw_params": "/tmp/clone-br-int.sh",
            "_uses_shell": true,
            "argv": null,
            "chdir": null,
            "creates": null,
            "executable": null,
            "removes": null,
            "stdin": null,
            "stdin_add_newline": true,
            "strip_empty_ends": true,
            "warn": true
        }
    },
    "msg": "non-zero return code",
    "rc": 126,
    "start": "2022-03-16 18:51:30.330676",
    "stderr": "/bin/sh: /tmp/clone-br-int.sh: Permission denied",
    "stderr_lines": [
        "/bin/sh: /tmp/clone-br-int.sh: Permission denied"
    ],
    "stdout": "",
    "stdout_lines": []
}

Expected results:


Additional info:

Comment 14 errata-xmlrpc 2022-12-07 20:26:20 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 16.1.9 bug fix and enhancement advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8795

Note You need to log in before you can comment on or make changes to this bug.