Uploaded image for project: 'Satellite'
  1. Satellite
  2. SAT-28665

Unable to install Satellite on a STIG'ed RHEL 8.10 OS having fapolicyd running

XMLWordPrintable

    • Important
    • Yes

      Description of problem:

      As per https://issues.redhat.com/browse/SAT-6829 and https://issues.redhat.com/browse/SAT-15991 , we should be able to install Satellite 6.15+ on a RHEL 8 OS which has DISA STIG security profile applied and fapolicyd enabled. 

      But that seems impossible.

       

      How reproducible:

      Always

       

      Is this issue a regression from an earlier version:

      Regression of the JIRAs mentioned above

       

      Steps to Reproduce:

      1. Install a RHEL 8.10 with DISA STIG for RHEL 8 policy applied 

      2. Verify that fapolicyd is running

      3. Install Satellite 6.16 on top of the same.

      4. If fails on step 3, stop fapolicyd and retry the satellite-installer

       

      Actual behavior:

      Step 3:

      The installer fails to run the db:migrate step.

       

      [root@satellite616 ~]# satellite-installer --scenario satellite \
      --foreman-initial-organization "RedHat" \
      --foreman-initial-location "GSS" \
      --foreman-initial-admin-username admin \
      --foreman-initial-admin-password RedHat1! --tuning development
      2024-09-09 16:00:07 [NOTICE] [root] Loading installer configuration. This will take some time.
      2024-09-09 16:00:10 [NOTICE] [root] Running installer with log based terminal output at level NOTICE.
      2024-09-09 16:00:10 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions.
      2024-09-09 16:01:55 [NOTICE] [configure] Starting system configuration.
      2024-09-09 16:02:36 [NOTICE] [configure] 250 configuration steps out of 1539 steps complete.
      2024-09-09 16:02:58 [NOTICE] [configure] 500 configuration steps out of 1541 steps complete.
      2024-09-09 16:03:39 [NOTICE] [configure] 750 configuration steps out of 1543 steps complete.
      2024-09-09 16:03:46 [NOTICE] [configure] 1000 configuration steps out of 1568 steps complete.
      2024-09-09 16:04:08 [NOTICE] [configure] 1250 configuration steps out of 1568 steps complete.
      2024-09-09 16:04:15 [ERROR ] [configure] '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0]
      2024-09-09 16:04:15 [ERROR ] [configure] /Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate]/returns: change from 'notrun' to ['0'] failed: '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0]
      2024-09-09 16:04:15 [ERROR ] [configure] /Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate]: Failed to call refresh: '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0]
      2024-09-09 16:04:15 [ERROR ] [configure] /Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate]: '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0]
      2024-09-09 16:05:37 [NOTICE] [configure] 1500 configuration steps out of 1568 steps complete.
      2024-09-09 16:05:55 [NOTICE] [configure] System configuration has finished.
      Error 1: Puppet Exec resource 'foreman-rake-db:migrate' failed. Logs:
        /Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate]
          Adding autorequire relationship with User[foreman]
          Starting to evaluate the resource (1327 of 1568)
          Failed to call refresh: '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0]
          '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0]
          Evaluated in 1.72 seconds
        Exec[foreman-rake-db:migrate](provider=posix)
          Executing check '/usr/sbin/foreman-rake db:abort_if_pending_migrations'
          Executing '/usr/sbin/foreman-rake db:migrate'
          Executing check '/usr/sbin/foreman-rake db:abort_if_pending_migrations'
          Executing '/usr/sbin/foreman-rake db:migrate'
        /Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate]/unless
          rake aborted!
          LoadError: cannot load such file -- /usr/share/foreman/Rakefile
          /usr/share/gems/gems/rake-13.0.1/exe/rake:27:in `<top (required)>'
          (See full trace by running task with --trace)
          rake aborted!
          LoadError: cannot load such file -- /usr/share/foreman/Rakefile
          /usr/share/gems/gems/rake-13.0.1/exe/rake:27:in `<top (required)>'
          (See full trace by running task with --trace)
        /Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate]/returns
          rake aborted!
          LoadError: cannot load such file -- /usr/share/foreman/Rakefile
          /usr/share/gems/gems/rake-13.0.1/exe/rake:27:in `<top (required)>'
          (See full trace by running task with --trace)
          change from 'notrun' to ['0'] failed: '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0]
          rake aborted!
          LoadError: cannot load such file -- /usr/share/foreman/Rakefile
          /usr/share/gems/gems/rake-13.0.1/exe/rake:27:in `<top (required)>'
          (See full trace by running task with --trace)
      1 error was detected during installation.
      Please address the errors and re-run the installer to ensure the system is properly configured.
      Failing to do so is likely to result in broken functionality.
      The full log is at /var/log/foreman-installer/satellite.log
      Package versions are being locked.
      

       

       

      audit.log shows this i.e. 

       

      node=localhost.localdomain type=CRED_ACQ msg=audit(1725878245.395:119439): pid=37738 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_rootok acct="foreman" exe="/usr/sbin/runuser" hostname=satellite616.lab.example.com addr=? terminal=pts/0 res=success'UID="root" AUID="root"
      node=localhost.localdomain type=USER_START msg=audit(1725878245.398:119440): pid=37738 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_systemd,pam_keyinit,pam_limits,pam_unix acct="foreman" exe="/usr/sbin/runuser" hostname=satellite616.lab.example.com addr=? terminal=pts/0 res=success'UID="root" AUID="root"
      node=localhost.localdomain type=FANOTIFY msg=audit(1725878246.349:119441): resp=2 fan_type=1 fan_info=D subj_trust=2 obj_trust=0
      node=localhost.localdomain type=SYSCALL msg=audit(1725878246.349:119441): arch=c000003e syscall=257 success=no exit=-1 a0=ffffff9c a1=5594ff3c2f40 a2=80800 a3=0 items=1 ppid=37738 pid=37739 auid=0 uid=984 gid=984 euid=984 suid=984 fsuid=984 egid=984 sgid=984 fsgid=984 tty=(none) ses=1 comm="rake" exe="/usr/bin/ruby" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=openat AUID="root" UID="foreman" GID="foreman" EUID="foreman" SUID="foreman" FSUID="foreman" EGID="foreman" SGID="foreman" FSGID="foreman"
      node=localhost.localdomain type=CWD msg=audit(1725878246.349:119441): cwd="/usr/share/foreman"
      node=localhost.localdomain type=PATH msg=audit(1725878246.349:119441): item=0 name="/usr/share/foreman/Rakefile" inode=353494 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:usr_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"
      node=localhost.localdomain type=PROCTITLE msg=audit(1725878246.349:119441): proctitle=2F7573722F62696E2F72756279002F7573722F62696E2F72616B650064623A6D696772617465002D2D7472616365
      node=localhost.localdomain type=FANOTIFY msg=audit(1725878246.350:119442): resp=2 fan_type=1 fan_info=D subj_trust=2 obj_trust=0
      node=localhost.localdomain type=SYSCALL msg=audit(1725878246.350:119442): arch=c000003e syscall=257 success=no exit=-1 a0=ffffff9c a1=5594ff3c2f40 a2=80800 a3=0 items=1 ppid=37738 pid=37739 auid=0 uid=984 gid=984 euid=984 suid=984 fsuid=984 egid=984 sgid=984 fsgid=984 tty=(none) ses=1 comm="rake" exe="/usr/bin/ruby" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=openat AUID="root" UID="foreman" GID="foreman" EUID="foreman" SUID="foreman" FSUID="foreman" EGID="foreman" SGID="foreman" FSGID="foreman"
      node=localhost.localdomain type=CWD msg=audit(1725878246.350:119442): cwd="/usr/share/foreman"
      node=localhost.localdomain type=PATH msg=audit(1725878246.350:119442): item=0 name="/usr/share/foreman/Rakefile" inode=353494 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:usr_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"
      node=localhost.localdomain type=PROCTITLE msg=audit(1725878246.350:119442): proctitle=2F7573722F62696E2F72756279002F7573722F62696E2F72616B650064623A6D696772617465002D2D7472616365
      node=localhost.localdomain type=USER_END msg=audit(1725878246.354:119443): pid=37738 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_systemd,pam_keyinit,pam_limits,pam_unix acct="foreman" exe="/usr/sbin/runuser" hostname=satellite616.lab.example.com addr=? terminal=pts/0 res=success'UID="root" AUID="root"
      node=localhost.localdomain type=CRED_DISP msg=audit(1725878246.354:119444): pid=37738 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_rootok acct="foreman" exe="/usr/sbin/runuser" hostname=satellite616.lab.example.com addr=? terminal=pts/0 res=success'UID="root" AUID="root"

       

      Step 4:

       

      [root@satellite616 ~]# systemctl stop fapolicyd
      
      [root@satellite616 ~]# foreman-rake db:migrate --trace
      ** Invoke db:migrate (first_time)
      ** Invoke db:load_config (first_time)
      ** Invoke environment (first_time)
      ** Execute environment
      ** Execute db:load_config
      ** Invoke plugin:refresh_migrations (first_time)
      ** Invoke environment 
      ** Execute plugin:refresh_migrations
      ** Execute db:migrate
      == 20090714132448 CreateHosts: migrating ======================================
      -- create_table(:hosts, {:id=>:integer})
         -> 0.0322s
      -- add_index(:hosts, :source_file_id)
         -> 0.0141s
      ..
      ..
      ..
      == 20240729192228 AddConvert2rhelToHostFacets: migrating ======================
      -- add_column(:katello_subscription_facets, :convert2rhel_through_foreman, :int4)
         -> 0.0004s
      == 20240729192228 AddConvert2rhelToHostFacets: migrated (0.0005s) =============
      ** Invoke db:_dump (first_time)
      ** Execute db:_dump
      ** Invoke dynflow:migrate (first_time)
      ** Invoke environment 
      ** Execute dynflow:migrate
       
      [root@satellite616 ~]# satellite-installer --scenario satellite --foreman-initial-organization "RedHat" --foreman-initial-location "GSS" --foreman-initial-admin-username admin --foreman-initial-admin-password RedHat1! --tuning development
      2024-09-09 16:10:52 [NOTICE] [root] Loading installer configuration. This will take some time.
      2024-09-09 16:10:55 [NOTICE] [root] Running installer with log based terminal output at level NOTICE.
      2024-09-09 16:10:55 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions.
      Package versions are locked. Continuing with unlock.
      2024-09-09 16:11:03 [NOTICE] [configure] Starting system configuration.
      2024-09-09 16:11:11 [NOTICE] [configure] 250 configuration steps out of 1539 steps complete.
      2024-09-09 16:11:12 [NOTICE] [configure] 500 configuration steps out of 1541 steps complete.
      2024-09-09 16:11:13 [NOTICE] [configure] 750 configuration steps out of 1543 steps complete.
      2024-09-09 16:11:13 [NOTICE] [configure] 1000 configuration steps out of 1549 steps complete.
      2024-09-09 16:11:14 [NOTICE] [configure] 1250 configuration steps out of 1549 steps complete.
      2024-09-09 16:13:35 [NOTICE] [configure] 1500 configuration steps out of 1549 steps complete.
      2024-09-09 16:13:37 [NOTICE] [configure] System configuration has finished.
        Success!
        * Satellite is running at https://satellite616.lab.example.com
            Initial credentials are admin / RedHat1!
        * To install an additional Capsule on separate machine continue by running:
            capsule-certs-generate --foreman-proxy-fqdn "$CAPSULE" --certs-tar "/root/$CAPSULE-certs.tar"
        * Capsule is running at https://satellite616.lab.example.com:9090
      The full log is at /var/log/foreman-installer/satellite.log
      Package versions are being locked.
      

       

       

      Expected behavior:

      It should work fine without disabling fapolicyd 

       

      Business Impact / Additional info:

      High as many organizations rely on STIG`ing their OS but fapolicyd seems to be blocking the installation here. 

              ehelms@redhat.com Eric Helms
              rhn-support-saydas Sayan Das
              Jameer Pathan Jameer Pathan
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: