Security hardening YUM package add/remove task sometimes corrupts yum database on target hosts
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack-Ansible | Fix Released | Undecided | Jeff Albert | |
Bug Description
The ansible-hardening role contains in its RedHat 7 implementation of STIG a single play which both adds and removes packages:
https:/
This task frequently results in RPM database corruption on the target hosts: it looks as if ansible splits the task into multiple calls to yum and triggers them simultaneously, resulting in lock conflicts that break the RPM database:
```
2019-11-09 18:10:01,305 p=43314 u=root | failed: [redacted_hostname] (item=absent) => {"changed": false, "item": "absent", "module_stderr": "Warning: Permanently added 'redacted_ip' (E
CDSA) to the list of known hosts.\
n* authorized user of this system. *\n----
0113 Thread/process 17868/140288263
un database recovery\nerror: cannot open Packages index using db5 - (-30973)\nerror: cannot open Packages database in /var/lib/
/tmp/ansible_
usr/lib/
/__init__.py\", line 349, in _getConfig\n startupconf = config.
n readStartupConfig\n startupconf.
+ str(e))
```
In my environment, where this issue has plagued our upgrade and scaling tasks, I have broken the task up into two separate plays; one for adding packages and one for removing them. This approach does not result in RPM database corruption. I recommend adopting this approach and backporting it to supported OSA releases.
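The two patterns the report contrasts, as an added illustration that is not the ansible-hardening role's own task and is not taken from the proposed review. The `item=absent` in the failure line shows that the original task loops over the desired package state; the second form is the reporter's workaround of one task per state. The play name, inventory group, variable name `stig_packages` and the package names are placeholders constructed for this example.

```yaml
# Added example, not the ansible-hardening role's own code.
# Inventory group, variable name and package list are constructed placeholders.
- hosts: rhel7_hosts
  become: true
  vars:
    stig_packages:                       # constructed sample, not the role's variable
      - { name: aide, state: present }
      - { name: telnet-server, state: absent }
  tasks:
    # Pattern described in the report: one task whose loop drives both
    # installs and removals through the same module invocation. The loop
    # variable ends up as the "item" shown in the failure output.
    - name: Add or remove STIG packages in a single looped task
      yum:
        name: "{{ stig_packages | selectattr('state', 'equalto', item) | map(attribute='name') | list }}"
        state: "{{ item }}"
      loop:
        - present
        - absent

    # Reporter's workaround: a separate task per state, so each yum call
    # handles only installs or only removals.
    - name: Install packages required by the STIG
      yum:
        name: "{{ stig_packages | selectattr('state', 'equalto', 'present') | map(attribute='name') | list }}"
        state: present

    - name: Remove packages prohibited by the STIG
      yum:
        name: "{{ stig_packages | selectattr('state', 'equalto', 'absent') | map(attribute='name') | list }}"
        state: absent
```

In a real role only one of the two patterns would be present; they are shown side by side here so the difference in how the `yum` module is driven is visible. The split form also makes it straightforward to keep the removal task off hosts where the package list for that state is empty, which is a useful guard to add when adopting the workaround.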
Fix proposed to branch: master
Review: https://review.opendev.org/693614