Bug #24741
Katello installer incompatibility with DISA STIG security policy
Description
When attempting to install Katello on a fresh, minimal CentOS 7 host with the out-of-the-box DISA STIG applied, "foreman-installer --scenario katello" fails.
The first point of failure occurs when /var is a separate partition and is too small, but no indication is given of a minimum size nor of the failure cause-- just that mongod failed to start with status 100. Increasing the partition size to 30G+ prevents this issue.
The second point of failure occurs when attempting to start the qpidd service, which fails with "couldnt find any network address to listen to". Manually attempting to start the service with systemctl start qpidd generates the same error.
Performing the same installation steps on minimal install with a 30G /var and no security policy applied works.
Steps to reproduce:
- Install CentOS 7 minimal with DISA STIG policy applied. Keep /var at 1G.
- Run the following commands:
yum -y --nogpgcheck localinstall https://fedorapeople.org/groups/katello/releases/yum/3.5/katello/el7/x86_64/katello-repos-latest.rpm
yum -y --nogpgcheck localinstall https://yum.theforeman.org/releases/1.16/el7/x86_64/foreman-release.rpm
yum -y --nogpgcheck localinstall https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm
yum -y --nogpgcheck localinstall https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum -y --nogpgcheck install foreman-release-scl python-django
yum -y update
yum -y install katello
- Attempt to install Foreman/Katello:
foreman-installer --scenario katello
What should happen:
During installer checks, a warning should be raised if /var is too small. A warning should be raised if DISA STIG policy is applied.
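A pre-flight size check of the kind requested above, as an added sketch that is not part of foreman-installer or the original report. The function names are hypothetical, and the 30 GiB figure is only the size the report says worked, not a documented minimum.

```shell
#!/bin/sh
# Added pre-flight sketch; not foreman-installer code.
# Usage (after sourcing this file): check_fs_size /var 30
# The 30 GiB value is an assumption based on the report's "30G+" observation.

# fs_info PATH
# Prints "<mount point> <total size in KiB>" for the filesystem that holds PATH.
# This also covers the case where /var is not a separate partition: df then
# reports the parent filesystem (for example "/").
fs_info() {
    df -Pk "$1" 2>/dev/null | awk 'NR == 2 { print $NF, $2 }'
}

# check_fs_size PATH MIN_GIB
# Returns 0 if the filesystem is at least MIN_GIB in size,
#         1 if it is smaller (warning on stderr),
#         2 if PATH cannot be inspected.
check_fs_size() {
    path=$1
    min_gib=$2

    info=$(fs_info "$path")
    [ -n "$info" ] || { echo "ERROR: cannot inspect $path" >&2; return 2; }

    mount=${info% *}        # everything before the last space
    size_kib=${info##* }    # everything after the last space
    min_kib=$((min_gib * 1024 * 1024))

    if [ "$size_kib" -lt "$min_kib" ]; then
        echo "WARNING: $path is on $mount, which is $((size_kib / 1024 / 1024)) GiB;" \
             "at least $min_gib GiB is expected, and mongod may fail to start" >&2
        return 1
    fi

    echo "OK: $path is on $mount ($((size_kib / 1024 / 1024)) GiB)"
    return 0
}
```

Running the check before foreman-installer surfaces the undersized /var as an explicit warning instead of the bare mongod status 100 failure.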
Updated by Tomer Brisker about 4 years ago
- Project changed from Foreman to Installer
- Category deleted (47)