Description of problem:
Hosted engine deployment fails when DISA STIG profile is selected for the engine VM

Steps to Reproduce:
1. Run hosted-engine deployment
2. Choose yes for "Do you want to apply an OpenSCAP security profile? (Yes, No) [No]:"

Actual results:
Hosted-Engine deployment fails

Expected results:
Hosted-Engine deployment succeeds

Additional info:
The deployment fails on task "Update target VM details at DB level".
fapolicyd blocks "postgres" user for executing ansible's command located in /var/tmp

TASK [redhat.rhv.hosted_engine_setup : Update target VM details at DB level] **************************************************************************************************************************************
task path: /usr/share/ansible/collections/ansible_collections/redhat/rhv/roles/hosted_engine_setup/tasks/create_target_vm/02_engine_vm_configuration.yml:11
<192.168.1.183> ESTABLISH SSH CONNECTION FOR USER: root
:
.
<192.168.1.183> SSH: EXEC sshpass -d9 ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o 'User="root"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ControlPath=/root/.ansible/cp/b36a7240de -tt 192.168.1.183 '/bin/sh -c '"'"'sudo -H -S -n -u postgres /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-snwymfuuyqxctfkuojgwgvjmrougaazc ; LANGUAGE=en_US.UTF-8 LANG=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 LC_ALL=en_US.UTF-8 /usr/libexec/platform-python /var/tmp/ansible-tmp-1647935594.9874861-4123834-133661441375419/AnsiballZ_command.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
Escalation succeeded
<192.168.1.183> (2, b"/usr/libexec/platform-python: can't open file '/var/tmp/ansible-tmp-1647935594.9874861-4123834-133661441375419/AnsiballZ_command.py': [Errno 1] Operation not permitted\r\n",
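
A triage sketch for the denial described above, added here and not part of the bug report or of the oVirt/RHV code: it groups audit records by event serial and lists fanotify denials (resp=2, the deny response a fanotify listener such as fapolicyd returns), flagging paths that look like Ansible's temporary module files. The audit lines are constructed samples, the function names are hypothetical, and it assumes the fapolicyd rule that fired is an auditing one (deny_audit), so that a FANOTIFY record exists.

```python
import re
from collections import defaultdict

# Constructed sample records (not taken from the bug report); the layout
# follows the usual auditd SYSCALL / PATH / FANOTIFY record shape.
SAMPLE_AUDIT = '''\
type=SYSCALL msg=audit(1647935595.101:812): arch=c000003e syscall=257 success=no exit=-1 uid=26 auid=0 comm="platform-python" exe="/usr/libexec/platform-python3.6"
type=PATH msg=audit(1647935595.101:812): item=0 name="/var/tmp/ansible-tmp-EXAMPLE/AnsiballZ_command.py" nametype=NORMAL
type=FANOTIFY msg=audit(1647935595.101:812): resp=2
type=SYSCALL msg=audit(1647935596.220:813): arch=c000003e syscall=257 success=yes exit=3 uid=0 auid=0 comm="cat" exe="/usr/bin/cat"
type=PATH msg=audit(1647935596.220:813): item=0 name="/etc/hostname" nametype=NORMAL
type=FANOTIFY msg=audit(1647935596.220:813): resp=1
'''

RECORD = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Ansible copies each module to <remote_tmp>/ansible-tmp-<id>/AnsiballZ_<name>.py
ANSIBLE_TMP = re.compile(r'/ansible-tmp-[^/]+/AnsiballZ_\w+\.py$')

def parse_events(text):
    """Group audit records by event serial: {serial: {record_type: [fields]}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # skip anything that is not an audit record
        rtype, _timestamp, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        events[serial].setdefault(rtype, []).append(fields)
    return events

def fanotify_denials(text):
    """Return one dict per path touched by an event whose FANOTIFY resp is 2."""
    denials = []
    for serial, recs in parse_events(text).items():
        if not any(r.get('resp') == '2' for r in recs.get('FANOTIFY', [])):
            continue
        syscall = (recs.get('SYSCALL') or [{}])[0]
        for path in recs.get('PATH', []):
            name = path.get('name', '')
            denials.append({'serial': serial, 'uid': syscall.get('uid'),
                            'exe': syscall.get('exe'), 'path': name,
                            'ansible_module': bool(ANSIBLE_TMP.search(name))})
    return denials

if __name__ == '__main__':
    for d in fanotify_denials(SAMPLE_AUDIT):
        print(d)
```

A denial with ansible_module set and a non-root uid matches the pattern in this report: the interpreter running as the become user is refused access to the module file under the temporary directory.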
Do you want to apply an OpenSCAP security profile? (Yes, No) [No]: Yes
Please provide the security profile you would like to use (stig, pci-dss) [stig]:
.
.
.
[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Initialize OpenSCAP variables]
[ INFO ] ok: [localhost -> 192.168.222.17]
[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Set OpenSCAP datastream path]
[ INFO ] ok: [localhost -> 192.168.222.17]
[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Verify OpenSCAP datastream]
[ INFO ] ok: [localhost -> 192.168.222.17]
[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Set OpenSCAP profile]
[ INFO ] changed: [localhost -> 192.168.222.17]
[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Apply OpenSCAP profile]
[ INFO ] changed: [localhost -> 192.168.222.17]
[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Reset PermitRootLogin for sshd]
[ INFO ] ok: [localhost -> 192.168.222.17]
[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Enable FIPS on the engine VM]
[ INFO ] skipping: [localhost]
[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Reboot the engine VM to apply security rules]
[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Check if FIPS mode is enabled]
[ INFO ] skipping: [localhost]
[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Enforce FIPS mode]
[ INFO ] skipping: [localhost]
.
.
.
[ INFO ] Hosted Engine successfully deployed

rhvm-appliance-4.5-20220412.0.el8ev.x86_64
ovirt-hosted-engine-ha-2.5.0-1.el8ev.noarch
ovirt-hosted-engine-setup-2.6.3-1.el8ev.noarch
Linux 4.18.0-372.7.1.el8.x86_64 #1 SMP Wed Apr 6 12:38:30 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux
Red Hat Enterprise Linux release 8.6 (Ootpa)
ovirt-ansible-collection-2.0.2-1.el8ev.noarch

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: RHV Engine and Host Common Packages security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:4712