-
Bug
-
Resolution: Done-Errata
-
Major
-
6.15.z, 6.16.0
-
False
-
-
False
-
foreman-fapolicyd-1.0.1-3
-
0
-
Platform
-
-
-
Pass
-
Important
-
Yes
Description of problem:
As per https://issues.redhat.com/browse/SAT-6829 and https://issues.redhat.com/browse/SAT-15991 , we should be able to install Satellite 6.15+ on a RHEL 8 OS which has DISA STIG security profile applied and fapolicyd enabled.
But that seems impossible.
How reproducible:
Always
Is this issue a regression from an earlier version:
Regression of the JIRAs mentioned above
Steps to Reproduce:
1. Install a RHEL 8.10 with DISA STIG for RHEL 8 policy applied
2. Verify that fapolicyd is running
3. Install Satellite 6.16 on top of the same.
4. If fails on step 3, stop fapolicyd and retry the satellite-installer
Actual behavior:
Step 3:
The installer fails to run the db:migrate step.
[root@satellite616 ~]# satellite-installer --scenario satellite \ --foreman-initial-organization "RedHat" \ --foreman-initial-location "GSS" \ --foreman-initial-admin-username admin \ --foreman-initial-admin-password RedHat1! --tuning development 2024-09-09 16:00:07 [NOTICE] [root] Loading installer configuration. This will take some time. 2024-09-09 16:00:10 [NOTICE] [root] Running installer with log based terminal output at level NOTICE. 2024-09-09 16:00:10 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions. 2024-09-09 16:01:55 [NOTICE] [configure] Starting system configuration. 2024-09-09 16:02:36 [NOTICE] [configure] 250 configuration steps out of 1539 steps complete. 2024-09-09 16:02:58 [NOTICE] [configure] 500 configuration steps out of 1541 steps complete. 2024-09-09 16:03:39 [NOTICE] [configure] 750 configuration steps out of 1543 steps complete. 2024-09-09 16:03:46 [NOTICE] [configure] 1000 configuration steps out of 1568 steps complete. 2024-09-09 16:04:08 [NOTICE] [configure] 1250 configuration steps out of 1568 steps complete. 2024-09-09 16:04:15 [ERROR ] [configure] '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0] 2024-09-09 16:04:15 [ERROR ] [configure] /Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate]/returns: change from 'notrun' to ['0'] failed: '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0] 2024-09-09 16:04:15 [ERROR ] [configure] /Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate]: Failed to call refresh: '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0] 2024-09-09 16:04:15 [ERROR ] [configure] /Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate]: '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0] 2024-09-09 16:05:37 [NOTICE] [configure] 1500 configuration steps out of 1568 steps complete. 2024-09-09 16:05:55 [NOTICE] [configure] System configuration has finished. Error 1: Puppet Exec resource 'foreman-rake-db:migrate' failed. Logs: /Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate] Adding autorequire relationship with User[foreman] Starting to evaluate the resource (1327 of 1568) Failed to call refresh: '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0] '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0] Evaluated in 1.72 seconds Exec[foreman-rake-db:migrate](provider=posix) Executing check '/usr/sbin/foreman-rake db:abort_if_pending_migrations' Executing '/usr/sbin/foreman-rake db:migrate' Executing check '/usr/sbin/foreman-rake db:abort_if_pending_migrations' Executing '/usr/sbin/foreman-rake db:migrate' /Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate]/unless rake aborted! LoadError: cannot load such file -- /usr/share/foreman/Rakefile /usr/share/gems/gems/rake-13.0.1/exe/rake:27:in `<top (required)>' (See full trace by running task with --trace) rake aborted! LoadError: cannot load such file -- /usr/share/foreman/Rakefile /usr/share/gems/gems/rake-13.0.1/exe/rake:27:in `<top (required)>' (See full trace by running task with --trace) /Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate]/returns rake aborted! LoadError: cannot load such file -- /usr/share/foreman/Rakefile /usr/share/gems/gems/rake-13.0.1/exe/rake:27:in `<top (required)>' (See full trace by running task with --trace) change from 'notrun' to ['0'] failed: '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0] rake aborted! LoadError: cannot load such file -- /usr/share/foreman/Rakefile /usr/share/gems/gems/rake-13.0.1/exe/rake:27:in `<top (required)>' (See full trace by running task with --trace) 1 error was detected during installation. Please address the errors and re-run the installer to ensure the system is properly configured. Failing to do so is likely to result in broken functionality. The full log is at /var/log/foreman-installer/satellite.log Package versions are being locked.
audit.log shows this i.e.
node=localhost.localdomain type=CRED_ACQ msg=audit(1725878245.395:119439): pid=37738 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_rootok acct="foreman" exe="/usr/sbin/runuser" hostname=satellite616.lab.example.com addr=? terminal=pts/0 res=success'UID="root" AUID="root" node=localhost.localdomain type=USER_START msg=audit(1725878245.398:119440): pid=37738 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_systemd,pam_keyinit,pam_limits,pam_unix acct="foreman" exe="/usr/sbin/runuser" hostname=satellite616.lab.example.com addr=? terminal=pts/0 res=success'UID="root" AUID="root" node=localhost.localdomain type=FANOTIFY msg=audit(1725878246.349:119441): resp=2 fan_type=1 fan_info=D subj_trust=2 obj_trust=0 node=localhost.localdomain type=SYSCALL msg=audit(1725878246.349:119441): arch=c000003e syscall=257 success=no exit=-1 a0=ffffff9c a1=5594ff3c2f40 a2=80800 a3=0 items=1 ppid=37738 pid=37739 auid=0 uid=984 gid=984 euid=984 suid=984 fsuid=984 egid=984 sgid=984 fsgid=984 tty=(none) ses=1 comm="rake" exe="/usr/bin/ruby" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=openat AUID="root" UID="foreman" GID="foreman" EUID="foreman" SUID="foreman" FSUID="foreman" EGID="foreman" SGID="foreman" FSGID="foreman" node=localhost.localdomain type=CWD msg=audit(1725878246.349:119441): cwd="/usr/share/foreman" node=localhost.localdomain type=PATH msg=audit(1725878246.349:119441): item=0 name="/usr/share/foreman/Rakefile" inode=353494 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:usr_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root" node=localhost.localdomain type=PROCTITLE msg=audit(1725878246.349:119441): proctitle=2F7573722F62696E2F72756279002F7573722F62696E2F72616B650064623A6D696772617465002D2D7472616365 node=localhost.localdomain type=FANOTIFY msg=audit(1725878246.350:119442): resp=2 fan_type=1 fan_info=D subj_trust=2 obj_trust=0 node=localhost.localdomain type=SYSCALL msg=audit(1725878246.350:119442): arch=c000003e syscall=257 success=no exit=-1 a0=ffffff9c a1=5594ff3c2f40 a2=80800 a3=0 items=1 ppid=37738 pid=37739 auid=0 uid=984 gid=984 euid=984 suid=984 fsuid=984 egid=984 sgid=984 fsgid=984 tty=(none) ses=1 comm="rake" exe="/usr/bin/ruby" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=openat AUID="root" UID="foreman" GID="foreman" EUID="foreman" SUID="foreman" FSUID="foreman" EGID="foreman" SGID="foreman" FSGID="foreman" node=localhost.localdomain type=CWD msg=audit(1725878246.350:119442): cwd="/usr/share/foreman" node=localhost.localdomain type=PATH msg=audit(1725878246.350:119442): item=0 name="/usr/share/foreman/Rakefile" inode=353494 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:usr_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root" node=localhost.localdomain type=PROCTITLE msg=audit(1725878246.350:119442): proctitle=2F7573722F62696E2F72756279002F7573722F62696E2F72616B650064623A6D696772617465002D2D7472616365 node=localhost.localdomain type=USER_END msg=audit(1725878246.354:119443): pid=37738 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_systemd,pam_keyinit,pam_limits,pam_unix acct="foreman" exe="/usr/sbin/runuser" hostname=satellite616.lab.example.com addr=? terminal=pts/0 res=success'UID="root" AUID="root" node=localhost.localdomain type=CRED_DISP msg=audit(1725878246.354:119444): pid=37738 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_rootok acct="foreman" exe="/usr/sbin/runuser" hostname=satellite616.lab.example.com addr=? terminal=pts/0 res=success'UID="root" AUID="root"
Step 4:
[root@satellite616 ~]# systemctl stop fapolicyd [root@satellite616 ~]# foreman-rake db:migrate --trace ** Invoke db:migrate (first_time) ** Invoke db:load_config (first_time) ** Invoke environment (first_time) ** Execute environment ** Execute db:load_config ** Invoke plugin:refresh_migrations (first_time) ** Invoke environment ** Execute plugin:refresh_migrations ** Execute db:migrate == 20090714132448 CreateHosts: migrating ====================================== -- create_table(:hosts, {:id=>:integer}) -> 0.0322s -- add_index(:hosts, :source_file_id) -> 0.0141s .. .. .. == 20240729192228 AddConvert2rhelToHostFacets: migrating ====================== -- add_column(:katello_subscription_facets, :convert2rhel_through_foreman, :int4) -> 0.0004s == 20240729192228 AddConvert2rhelToHostFacets: migrated (0.0005s) ============= ** Invoke db:_dump (first_time) ** Execute db:_dump ** Invoke dynflow:migrate (first_time) ** Invoke environment ** Execute dynflow:migrate [root@satellite616 ~]# satellite-installer --scenario satellite --foreman-initial-organization "RedHat" --foreman-initial-location "GSS" --foreman-initial-admin-username admin --foreman-initial-admin-password RedHat1! --tuning development 2024-09-09 16:10:52 [NOTICE] [root] Loading installer configuration. This will take some time. 2024-09-09 16:10:55 [NOTICE] [root] Running installer with log based terminal output at level NOTICE. 2024-09-09 16:10:55 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions. Package versions are locked. Continuing with unlock. 2024-09-09 16:11:03 [NOTICE] [configure] Starting system configuration. 2024-09-09 16:11:11 [NOTICE] [configure] 250 configuration steps out of 1539 steps complete. 2024-09-09 16:11:12 [NOTICE] [configure] 500 configuration steps out of 1541 steps complete. 2024-09-09 16:11:13 [NOTICE] [configure] 750 configuration steps out of 1543 steps complete. 2024-09-09 16:11:13 [NOTICE] [configure] 1000 configuration steps out of 1549 steps complete. 2024-09-09 16:11:14 [NOTICE] [configure] 1250 configuration steps out of 1549 steps complete. 2024-09-09 16:13:35 [NOTICE] [configure] 1500 configuration steps out of 1549 steps complete. 2024-09-09 16:13:37 [NOTICE] [configure] System configuration has finished. Success! * Satellite is running at https://satellite616.lab.example.com Initial credentials are admin / RedHat1! * To install an additional Capsule on separate machine continue by running: capsule-certs-generate --foreman-proxy-fqdn "$CAPSULE" --certs-tar "/root/$CAPSULE-certs.tar" * Capsule is running at https://satellite616.lab.example.com:9090 The full log is at /var/log/foreman-installer/satellite.log Package versions are being locked.
Expected behavior:
It should work fine without disabling fapolicyd
Business Impact / Additional info:
High as many organizations rely on STIG`ing their OS but fapolicyd seems to be blocking the installation here.
- clones
-
SAT-27834 Unable to install Satellite on a STIG'ed RHEL 8.10 OS having fapolicyd running
- Closed
- links to
-
RHSA-2024:143599 Satellite 6.15.5 Async Update