Bug 2066811 - Hosted engine deployment fails when DISA STIG profile is selected for the engine VM
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-ansible-collection
Version: 4.5.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ovirt-4.5.0
Assignee: Asaf Rachmani
QA Contact: Nikolai Sednev
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-03-22 14:20 UTC by Asaf Rachmani
Modified: 2022-05-26 17:25 UTC (History)

Fixed In Version: ovirt-ansible-collection-2.0.0-0.9.BETA
Doc Type: Bug Fix
Doc Text:
Previously, the DISA STIG profile used fapolicyd, which blocked Ansible command execution as a non-root user, so self-hosted engine deployment failed. In this release, calls to psql as the postgres user are replaced with engine_psql.sh, and deployment succeeds.
Clone Of:
Environment:
Last Closed: 2022-05-26 17:25:09 UTC
oVirt Team: Integration
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github oVirt ovirt-ansible-collection pull 452 0 None closed roles: hosted_engine_setup: Allow postgres user in fapolicyd 2022-03-28 11:33:09 UTC
Github oVirt ovirt-ansible-collection pull 453 0 None Merged Replace calls to psql as postgres with engine_psql.sh 2022-03-28 11:32:52 UTC
Github oVirt ovirt-ansible-collection pull 459 0 None Merged roles: hosted_engine_setup: Fix call to engine-psql for vds_spm_id 2022-03-28 11:32:52 UTC
Red Hat Issue Tracker RHV-45406 0 None None None 2022-03-22 14:29:06 UTC
Red Hat Product Errata RHSA-2022:4712 0 None None None 2022-05-26 17:25:22 UTC

Description Asaf Rachmani 2022-03-22 14:20:41 UTC
Description of problem:
Hosted engine deployment fails when DISA STIG profile is selected for the engine VM


Steps to Reproduce:
1. Run hosted-engine deployment
2. Choose yes for "Do you want to apply an OpenSCAP security profile? (Yes, No) [No]:"


Actual results:
Hosted-Engine deployment fails

Expected results:
Hosted-Engine deployment succeeds

Additional info:
The deployment fails on task "Update target VM details at DB level".
fapolicyd blocks the "postgres" user from executing Ansible's command located in /var/tmp


TASK [redhat.rhv.hosted_engine_setup : Update target VM details at DB level] **************************************************************************************************************************************
task path: /usr/share/ansible/collections/ansible_collections/redhat/rhv/roles/hosted_engine_setup/tasks/create_target_vm/02_engine_vm_configuration.yml:11
<192.168.1.183> ESTABLISH SSH CONNECTION FOR USER: root
:
.
<192.168.1.183> SSH: EXEC sshpass -d9 ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o 'User="root"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ControlPath=/root/.ansible/cp/b36a7240de -tt 192.168.1.183 '/bin/sh -c '"'"'sudo -H -S -n  -u postgres /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-snwymfuuyqxctfkuojgwgvjmrougaazc ; LANGUAGE=en_US.UTF-8 LANG=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 LC_ALL=en_US.UTF-8 /usr/libexec/platform-python /var/tmp/ansible-tmp-1647935594.9874861-4123834-133661441375419/AnsiballZ_command.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
Escalation succeeded
<192.168.1.183> (2, b"/usr/libexec/platform-python: can't open file '/var/tmp/ansible-tmp-1647935594.9874861-4123834-133661441375419/AnsiballZ_command.py': [Errno 1] Operation not permitted\r\n",
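
The task pattern behind this failure and the shape of the fix from pull 453, shown as an added illustration rather than the hosted_engine_setup role's actual task file: the SQL statement and its variable are placeholders, and the engine-psql.sh path (the Doc Text spells it engine_psql.sh) assumes the location ovirt-engine installs it to.

```yaml
# Added example, not the collection's own task file.
# Before the fix: Ansible escalates to the unprivileged "postgres" account to
# run psql. Ansible first stages its module payload (AnsiballZ_command.py)
# under /var/tmp on the engine VM and then executes it as that user. With the
# DISA STIG profile applied, fapolicyd's default rules allow only uid 0 to
# execute untrusted files under /var/tmp, so the module never starts and the
# task fails with "[Errno 1] Operation not permitted", as in the log above.
- name: Update target VM details at DB level (blocked by fapolicyd under STIG)
  become: true
  become_user: postgres
  ansible.builtin.command:
    argv:
      - psql
      - -d
      - engine
      - -c
      - "{{ placeholder_sql }}"   # placeholder; the real statement lives in the role

# After the fix: stay root, which fapolicyd permits to execute under /var/tmp,
# and let engine-psql.sh (installed by ovirt-engine; path assumed) connect to
# the engine database with the credentials it reads from the engine's own
# setup configuration, so no become_user is needed at all.
- name: Update target VM details at DB level
  ansible.builtin.command:
    argv:
      - /usr/share/ovirt-engine/bin/engine-psql.sh
      - -c
      - "{{ placeholder_sql }}"   # same placeholder statement as above
```

The first PR linked above (pull 452, closed unmerged) took the other route of whitelisting the postgres user in fapolicyd; the merged fix avoids widening the policy and keeps the STIG hardening intact.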

Comment 5 Nikolai Sednev 2022-04-12 15:40:39 UTC
Do you want to apply an OpenSCAP security profile? (Yes, No) [No]: Yes
Please provide the security profile you would like to use (stig, pci-dss) [stig]: 
.
.
.
[ INFO  ] TASK [ovirt.ovirt.hosted_engine_setup : Initialize OpenSCAP variables]
[ INFO  ] ok: [localhost -> 192.168.222.17]
[ INFO  ] TASK [ovirt.ovirt.hosted_engine_setup : Set OpenSCAP datastream path]
[ INFO  ] ok: [localhost -> 192.168.222.17]
[ INFO  ] TASK [ovirt.ovirt.hosted_engine_setup : Verify OpenSCAP datastream]
[ INFO  ] ok: [localhost -> 192.168.222.17]
[ INFO  ] TASK [ovirt.ovirt.hosted_engine_setup : Set OpenSCAP profile]
[ INFO  ] changed: [localhost -> 192.168.222.17]
[ INFO  ] TASK [ovirt.ovirt.hosted_engine_setup : Apply OpenSCAP profile]
[ INFO  ] changed: [localhost -> 192.168.222.17]
[ INFO  ] TASK [ovirt.ovirt.hosted_engine_setup : Reset PermitRootLogin for sshd]
[ INFO  ] ok: [localhost -> 192.168.222.17]
[ INFO  ] TASK [ovirt.ovirt.hosted_engine_setup : Enable FIPS on the engine VM]
[ INFO  ] skipping: [localhost]
[ INFO  ] TASK [ovirt.ovirt.hosted_engine_setup : Reboot the engine VM to apply security rules]
[ INFO  ] TASK [ovirt.ovirt.hosted_engine_setup : Check if FIPS mode is enabled]
[ INFO  ] skipping: [localhost]
[ INFO  ] TASK [ovirt.ovirt.hosted_engine_setup : Enforce FIPS mode]
[ INFO  ] skipping: [localhost]
.
.
.
[ INFO  ] Hosted Engine successfully deployed

rhvm-appliance-4.5-20220412.0.el8ev.x86_64
ovirt-hosted-engine-ha-2.5.0-1.el8ev.noarch
ovirt-hosted-engine-setup-2.6.3-1.el8ev.noarch
Linux 4.18.0-372.7.1.el8.x86_64 #1 SMP Wed Apr 6 12:38:30 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux
Red Hat Enterprise Linux release 8.6 (Ootpa)

Comment 6 Nikolai Sednev 2022-04-12 15:41:01 UTC
ovirt-ansible-collection-2.0.2-1.el8ev.noarch

Comment 11 errata-xmlrpc 2022-05-26 17:25:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: RHV Engine and Host Common Packages security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:4712

