Description of problem:
DISA-STIG profile sets default umask that fails HE install.
Task "Copy configuration archive to storage" fails on HE deploy playbook due to default umask (0077) of rhel with disa stig security profile enabled.

Task failure:
02:06:07 TASK [ovirt.ovirt.hosted_engine_setup : Copy configuration archive to storage] ***
02:06:10 [WARNING]: Module remote_tmp /var/lib/vdsm/.ansible/tmp did not exist and was
02:06:10 created with a mode of 0700, this may cause issues when running as another
02:06:10 user. To avoid this, create the remote_tmp dir with the correct permissions
02:06:10 manually
02:06:10 fatal: [x.x.x.x]: FAILED! => {"changed": true, "cmd": ["dd", "bs=20480", "count=1", "oflag=direct", "if=/var/tmp/localvmdmgfg6zl/b522b14f-02d3-4818-b78a-c22bd1ace665", "of=/rhev/data-center/mnt/<mounted_storage_domain>/352c228f-d9fb-40b7-87e5-bc3242a93b29/images/91489285-8a4f-4c33-a77d-013a599698bb/b522b14f-02d3-4818-b78a-c22bd1ace665"], "delta": "0:00:00.003691", "end": "2022-05-22 20:06:09.926276", "msg": "non-zero return code", "rc": 1, "start": "2022-05-22 20:06:09.922585", "stderr": "dd: failed to open '/var/tmp/localvmdmgfg6zl/b522b14f-02d3-4818-b78a-c22bd1ace665': Permission denied", "stderr_lines": ["dd: failed to open '/var/tmp/localvmdmgfg6zl/b522b14f-02d3-4818-b78a-c22bd1ace665': Permission denied"], "stdout": "", "stdout_lines": []}

Version-Release number of selected component (if applicable):
latest

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:
fail

Expected results:
pass

Additional info:
Seems bug 2020620 didn't really fix it correctly: with umask 077 the tar is created with 0600 root:root, and it fails later on to open as the vdsm user.
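Added example, not part of the bug report or of the oVirt role: a shell script that reproduces the permission state described in the comment above (a file staged under umask 077 ends up 0600) and checks whether an account that is neither owner nor group member could open it. The function names and the localvm/archive paths are constructed for illustration; the check also covers the parent directory's mode, which the report does not discuss, and it assumes GNU coreutils stat.

```shell
#!/bin/sh
# Added example; paths are constructed. Assumes GNU coreutils stat (as on RHEL).

# Print the octal permission bits of a path, e.g. 600.
mode_of() { stat -c '%a' "$1"; }

# Create directory $2 and file $3 beneath it with the process umask set to $1.
# Runs in a subshell so the caller's umask is untouched.
stage_under_umask() {
    ( umask "$1" && mkdir -p "$2" && : > "$2/$3" )
}

# Succeed (0) only if an account that is neither owner nor group member could
# open file $2: o+r on the file and o+x on each directory from its parent up
# to base directory $1. Returns 1 when access is blocked, 2 on stat errors.
other_can_read() {
    m=$(mode_of "$2") || return 2
    [ $(( 0$m & 04 )) -ne 0 ] || return 1
    d=$(dirname "$2")
    while :; do
        m=$(mode_of "$d") || return 2
        [ $(( 0$m & 01 )) -ne 0 ] || return 1
        if [ "$d" = "$1" ] || [ "$d" = "/" ]; then break; fi
        d=$(dirname "$d")
    done
    return 0
}

# Constructed walk-through: stage an archive the way a root task would under
# umask 077, then apply explicit modes and re-check after each step.
demo() {
    work=$(mktemp -d) || return 2
    stage_under_umask 077 "$work/localvm" archive
    echo "staged: dir=$(mode_of "$work/localvm") file=$(mode_of "$work/localvm/archive")"
    other_can_read "$work/localvm" "$work/localvm/archive" || echo "blocked as staged"
    chmod 0644 "$work/localvm/archive"
    other_can_read "$work/localvm" "$work/localvm/archive" || echo "still blocked: parent dir is 0700"
    chmod 0755 "$work/localvm"
    other_can_read "$work/localvm" "$work/localvm/archive" && echo "readable after explicit modes"
    rm -rf "$work"
}
demo
```

Where the reader is a single known account, giving that account ownership of the staged file is narrower than adding o+r.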
Reopening as it was tested alongside BZ2089856
Verified on ovirt-engine-4.5.1.2-0.11.el8ev.noarch alongside BZ2089856
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (RHV Engine and Host Common Packages update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:5584
*** Bug 2107659 has been marked as a duplicate of this bug. ***
Due to QE capacity, we are not going to cover this issue in our automation