Bug 2089332 - DISA-STIG profile sets default umask that fails HE install
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 4.5.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ovirt-4.5.1
Assignee: Michal Skrivanek
QA Contact: Guilherme Santos
Duplicates: 2107659
Blocks: 2015796
Reported: 2022-05-23 13:03 UTC by Guilherme Santos
Modified: 2022-08-04 11:06 UTC

Doc Type: No Doc Update
Last Closed: 2022-07-14 12:55:59 UTC
oVirt Team: Integration
Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | oVirt ovirt-ansible-collection pull 501 | 0 | None | open | roles: hosted_engine_setup: fix archive permissions | 2022-05-23 14:13:01 UTC
Github | oVirt ovirt-system-tests pull 160 | 0 | None | open | Remove HE umask workaround | 2022-05-23 13:59:51 UTC
Red Hat Issue Tracker | RHV-46104 | 0 | None | None | None | 2022-05-23 13:36:31 UTC
Red Hat Knowledge Base (Solution) | 6955078 | 0 | None | None | None | 2022-05-25 18:47:22 UTC
Red Hat Product Errata | RHBA-2022:5584 | 0 | None | None | None | 2022-07-14 12:56:08 UTC

Description Guilherme Santos 2022-05-23 13:03:27 UTC
Description of problem:
DISA-STIG profile sets default umask that fails HE install.
The task "Copy configuration archive to storage" fails in the HE deploy playbook due to the default umask (0077) of RHEL with the DISA STIG security profile enabled.

Task failure:
02:06:07 TASK [ovirt.ovirt.hosted_engine_setup : Copy configuration archive to storage] ***
02:06:10 [WARNING]: Module remote_tmp /var/lib/vdsm/.ansible/tmp did not exist and was
02:06:10 created with a mode of 0700, this may cause issues when running as another
02:06:10 user. To avoid this, create the remote_tmp dir with the correct permissions
02:06:10 manually
02:06:10 fatal: [x.x.x.x]: FAILED! => {"changed": true, "cmd": ["dd", "bs=20480", "count=1", "oflag=direct", "if=/var/tmp/localvmdmgfg6zl/b522b14f-02d3-4818-b78a-c22bd1ace665", "of=/rhev/data-center/mnt/<mounted_storage_domain>/352c228f-d9fb-40b7-87e5-bc3242a93b29/images/91489285-8a4f-4c33-a77d-013a599698bb/b522b14f-02d3-4818-b78a-c22bd1ace665"], "delta": "0:00:00.003691", "end": "2022-05-22 20:06:09.926276", "msg": "non-zero return code", "rc": 1, "start": "2022-05-22 20:06:09.922585", "stderr": "dd: failed to open '/var/tmp/localvmdmgfg6zl/b522b14f-02d3-4818-b78a-c22bd1ace665': Permission denied", "stderr_lines": ["dd: failed to open '/var/tmp/localvmdmgfg6zl/b522b14f-02d3-4818-b78a-c22bd1ace665': Permission denied"], "stdout": "", "stdout_lines": []}
 

Version-Release number of selected component (if applicable):
latest

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:
fail

Expected results:
pass

Additional info:

Comment 1 Michal Skrivanek 2022-05-23 13:16:05 UTC
Seems bug 2020620 didn't really fix it correctly; with umask 077 the tar is created with 0600 root:root and it fails later on to open as the vdsm user.
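
Added example (not part of the bug report and not the oVirt role's code): a Python model of the failure described in Comment 1, where an archive written under umask 077 ends up 0600 inside a 0700 directory and a second account cannot open it, next to a variant that sets explicit modes instead of relying on the umask. The function names, the sample file, and the group-readable 0750/0640 modes are assumptions chosen for illustration.

```python
import os
import stat
import tarfile
import tempfile


def make_archive(umask, dir_mode=None, file_mode=None):
    """Build a tar archive in a fresh temp dir under `umask`; return its path.

    dir_mode/file_mode, when given, are applied with chmod, which the umask
    does not affect. File names and contents are constructed sample data.
    """
    old = os.umask(umask)
    try:
        workdir = tempfile.mkdtemp(prefix="localvm")  # mkdtemp always yields 0700
        src = os.path.join(workdir, "sample.conf")
        with open(src, "w") as fh:
            fh.write("key=value\n")
        archive = os.path.join(workdir, "config.tar")
        with tarfile.open(archive, "w") as tar:  # file mode is 0666 & ~umask
            tar.add(src, arcname="sample.conf")
        if dir_mode is not None:
            os.chmod(workdir, dir_mode)
        if file_mode is not None:
            os.chmod(archive, file_mode)
    finally:
        os.umask(old)
    return archive


def blocked_for(path, uid, gids):
    """List (component, mode) pairs that a consumer with uid/gids cannot use.

    Checks search (x) on the parent directory and read (r) on the file using
    the POSIX owner/group/other selection. Mode bits only: ACLs, SELinux and
    root's override are not modelled.
    """
    blocked = []
    for target, need in ((os.path.dirname(path), 0o1), (path, 0o4)):
        st = os.stat(target)
        mode = stat.S_IMODE(st.st_mode)
        shift = 6 if uid == st.st_uid else 3 if st.st_gid in gids else 0
        if not (mode >> shift) & need:
            blocked.append((target, oct(mode)))
    return blocked
```

Granting access through a shared group keeps the archive closed to every other account, which is the intent the restrictive umask is meant to preserve.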

Comment 7 Guilherme Santos 2022-06-30 13:05:38 UTC
Reopening as it was tested alongside BZ2089856

Comment 8 Guilherme Santos 2022-06-30 13:06:21 UTC
Verified on ovirt-engine-4.5.1.2-0.11.el8ev.noarch alongside BZ2089856

Comment 12 errata-xmlrpc 2022-07-14 12:55:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (RHV Engine and Host Common Packages update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:5584

Comment 13 Asaf Rachmani 2022-07-28 07:16:28 UTC
*** Bug 2107659 has been marked as a duplicate of this bug. ***

Comment 14 meital avital 2022-08-04 11:06:08 UTC
Due to QE capacity, we are not going to cover this issue in our automation