-
Notifications
You must be signed in to change notification settings - Fork 305
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tmp.mount restart handler will fail if /tmp is in use #46
Comments
I've been thinking about this. We could put a - name: "SCORED | 1.1.3 | PATCH | Ensure nodev option set on /tmp partition\n
SCORED | 1.1.4 | PATCH | Ensure nosuid option set on /tmp partition\n
SCORED | 1.1.5 | PATCH | Ensure noexec option set on /tmp partition\n
| drop custom tmp.mount"
copy:
src: etc/systemd/system/tmp.mount
dest: /etc/systemd/system/tmp.mount
owner: root
group: root
mode: 0644
notify: systemd restart tmp.mount
tags:
- level1
- scored
- patch
- rule_1.1.3
- rule_1.1.4
- rule_1.1.5 or we could just put an Flushing the handler early will probably catch most instances of this but it isn't guaranteed. Ignoring failure is not a great option either but I'm not sure what the other options are without jumping through a bunch of hoops to find what is using |
Please make /tmp changing operations optional. |
Making it optional would work but not solve the issue with systemd reload. Optional execution is an open issue #26 |
Another option may be to just changing the |
register lsof count, separate the notify portion into next rule and notify when count < 1 ? |
what about |
What's the preferred solution for this? Ran into this issue and seems like an easy fix if there's agreement |
We change remote_tmp, that's my preference |
We use the pwd of the provisioning user for ansible and pip and docker etc, so it can be cleaned up by removing the user at the end of provisioning |
Thanks @sambanks, I tried that ansible.cfg change but unfortunately that didn't work for me. It doesn't seem to be temporary Ansible files that are keeping /tmp busy for me (lsof /tmp returns nothing). I'm going with the ignore_errors: yes approach in a private fork |
Yeah we had similar problems and couldn't catch them, but got sorted
through process of elimination, changing all the underlying tools TMP
locations. Glad you got it sorted.
…On Tue., 21 Aug. 2018, 4:19 pm Marc Jay, ***@***.***> wrote:
Thanks @sambanks <https://github.com/sambanks>, I tried that ansible.cfg
change but unfortunately that didn't work for me. It doesn't seem to be
temporary Ansible files that are keeping /tmp busy for me (lsof /tmp
returns nothing). I'm going with the ignore_errors: yes approach in a
private fork
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<https://github.com/MindPointGroup/RHEL7-CIS/issues/46#issuecomment-414852483>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ADuZNmYlWBEpTh5ip3nJh5QNWjy-4C-_ks5uTJVpgaJpZM4PvLvq>
.
|
@sambanks that ansible.cfg change didn't work for us either. It seems like we have some files from firewalld and tuned in there. Was there something you did to move those tmp files to a different location? |
@jmcshane we had to track down the processes one by one. Does If it's only during the ansible run, then it's probably python writing to tmp. To work around this you need to set the TMPDIR environment variable before calling ansible. |
will you accept PR to simply remove line 'notify: systemd restart tmp.mount' ? above people are discussing a use case where ansible is contributing however my experience as depicted in the OP is that files are in use before ansible runs. my current view is a detached reboot is needed to ensure all changes are completely in effect and also the boot process needs to be tested before it becomes a surprise issue anyway. with that stated maybe we could avoid the issue altogether? an alternative could be variable switch for notify remounts w/default True to maintain current functionality? |
Observing the following build failure when running in AWS AWS AMI Builder - CIS: ·[0;31mfatal: [127.0.0.1]: FAILED! => {"changed": false, "msg": "Error loading unit file 'tmp.mount': org.freedesktop.DBus.Error.InconsistentMessage \"Bad message\""}·[0m Potential solutions found on https://github.com/MindPointGroup/RHEL7-CIS/issues/46
I notice this in the logs |
Hello, Hello,
|
Need to determine how to approach in use /tmp mount. I don't think we should hard fail the playbook for this condition, but certainly notify.
The text was updated successfully, but these errors were encountered: