hw-health-charm

ilorest doesn't start on CIS hardened system

Bug #1935032 reported by Nikolay Vinogradov on 2021-07-08

This bug affects 3 people

Affects		Status	Importance	Assigned to	Milestone
	hw-health-charm	Fix Released	High	John Lettman	hw-health-charm 22.04

Bug Description

Hi,

We're deploying hw-health charm to Bionic hardened with recent Ubuntu Bionic CIS benchmark 18.04.17 (based on CIS 2.0.1). ilorest tool that charm uses for hardware monitoring fails to start:

$ ilorest
ilorest: error while loading shared libraries: libz.so.1: failed to map segment from shared object

As strace ilorest shows (the loader attempts to load a number of .so files with randomized names from /tmp, see below comments for why), the root cause is this CIS remediation:

# 1.1.5 Ensure noexec option set on /tmp partition (Automated)
rule-1.1.5()
{
ensure_opt_mountpoint /tmp noexec
}

Which breaks pyinstaller as documented in https://pyinstaller.readthedocs.io/en/stable/when-things-go-wrong.html#operation-not-permitted-error. ilorest seems to be using pyinstaller (see https://pastebin.ubuntu.com/p/PpzvwdSwBZ/, based on https://github.com/extremecoders-re/pyinstxtractor/wiki/Extracting-Linux-ELF-binaries). So ilorest is essentially ELF binary that has a number of .so files packaged in it that are being unpacked to /tmp when the script starts. The same problem also causes other problems, like the one described here: https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/1791241

The workaround is to remount /tmp as described below:

$ sudo mount /tmp -o remount,exec
ubuntu@cz20420g87:/var/log$ ilorest
iLOrest : RESTful Interface Tool version 3.1.1
....

See original description

Tags:

Related branches

~mertkirpici/charm-hw-health:lp/1979587

Merged into charm-hw-health:master at revision 27c38cd9129285de453b12b287fdf818d439d0d1

Martin Kalcok (community): Approve on 2022-10-13

🤖 prod-jenkaas-bootstack (community): Approve (continuous-integration) on 2022-10-13

Erhan Sunar (community): Approve on 2022-10-13

Eric Chen: Approve on 2022-10-13

Robert Gildein: Approve on 2022-10-13

~jplettman/charm-hw-health:fix/ilorest-noexec-tmp

Merged into charm-hw-health:master at revision b8dd269853aa54408c5b38f1edcf14814a12c3f5

🤖 prod-jenkaas-bootstack (community): Approve (continuous-integration) on 2022-02-10

BootStack Reviewers: Pending requested 2022-02-09

Nikolay Vinogradov (nikolay.vinogradov) on 2021-07-09

description:

updated

Nikolay Vinogradov (nikolay.vinogradov) on 2021-07-09

description:

updated

Revision history for this message

Jose Guedez (jfguedez) wrote on 2022-01-31:

Another option would be to use a specific directory for the charm without the `noexec` restriction. It can be specified using the TMP environment variable. This allows the tool to run without remounting /tmp with `exec` (which is being specifically checked by CIS), for example:

# original issue
root@myhost:~# /usr/sbin/ilorest list -j --selector=Chassis
/usr/sbin/ilorest: error while loading shared libraries: libz.so.1: failed to map segment from shared object

# workaround via TMP
root@myhost:~# mkdir /var/lib/hw-health
root@myhost:~# export TMP=/var/lib/health
root@myhost:~# /usr/sbin/ilorest list -j --selector=Chassis
iLOrest : RESTful Interface Tool version 3.2.2
Copyright (c) 2014-2021 Hewlett Packard Enterprise Development LP
--------------------------------------------------------------------------------------------------------------------------------------------------------------
[
  {
    "@odata.context": "/redfish/v1/$metadata#Chassis.Chassis",
    "@odata.etag": "<redacted>",
    "@odata.id": "/redfish/v1/Chassis/1/",
    "@odata.type": "#Chassis.v1_10_2.Chassis",
    "AssetTag": " ",
(...)

Changed in charm-hw-health:
status:	New → Confirmed
importance:	Undecided → High

Revision history for this message

Stephan Pampel (stephanpampel) wrote on 2022-02-09:

Potential workaround without compromising CIS hardening:

$ mkdir /var/lib/nagios/ipmi_sensors_tmp
$ cat /etc/cron.d/hwhealth_ilorest
2,7,12,17,22,27,32,37,42,47,52,57 * * * * root export TMP=/var/lib/nagios/ipmi_sensors_tmp; /usr/local/lib/nagios/plugins/cron_ilorest.py

John Lettman (jplettman) on 2022-02-09

Changed in charm-hw-health:
assignee:	nobody → John Lettman (jplettman)

John Lettman (jplettman) on 2022-02-09

Changed in charm-hw-health:
status:	Confirmed → In Progress

Celia Wang (ziyiwang) on 2022-03-03

Changed in charm-hw-health:
status:	In Progress → Fix Committed

Xav Paice (xavpaice) on 2022-04-11

Changed in charm-hw-health:
milestone:	none → 22.04

Alvaro Uria (aluria) on 2022-04-15

tags:

added: bseng-60

Przemyslaw Lal (przemeklal) on 2022-04-29

Changed in charm-hw-health:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.