This repository has been archived by the owner on Jul 27, 2023. It is now read-only.

fixing possible umask issue #29

Closed

tjungbauer

Changed database deployment from "command" to "shell" and added umask option. This is important for a customer who changed the default umask on a host (i.e. 027). The HANA installer will fail, since it would create folders with wrong permissions.

@tjungbauer tjungbauer closed this Jul 8, 2020
@tjungbauer
Author

Current fix does not seem to work.

@tjungbauer
Author

The current errors were due to mounts the customer created. Still, the installer should set the umask, I guess.

@tjungbauer tjungbauer reopened this Jul 8, 2020
@makentenza
Contributor

Thanks for the PR @tjungbauer, these are the typical opinionated OS deployments from Customers where we can't really address all the corner cases for their specific requirements. That said, I think this is something we could easily add here as many customers are following different hardening guides that will get their umask configuration different to the default one as a result.

I'd rather prefer to implement this as an optional variable enforced by the user and documented in the README, and only change the umask for that particular execution when the user explicitly provides that information.

@berndfinger from the SAP Notes, system roles for SAP or RHEL documentation for HANA we have linked in sap.com, is there any reference for umask requirements?

@tjungbauer
Author

I am not sure if it is a corner case. Setting the umask to 027 is part of the CIS Benchmarks and bigger companies sometimes like to configure these :)

@makentenza
Contributor

> I am not sure if it is a corner case. Setting the umask to 027 is part of the CIS Benchmarks and bigger companies sometimes like to configure these :)

Yes, I agree. The umask issue is something recurrent and that's why I think it will be great to include here. There are other corner cases that probably won't. Red Hat Engineering had similar issues as you can see here #14 and this topic has been captured here #21 as well.

Do you think you could change your PR a bit so we include a resolution for #21 and also address my request of being implemented using a variable, enforced by the user and documented in the README file?

@tjungbauer
Author

For this I put a workaround in the playbook, to be honest. It just sets the permissions for the folders ... including /usr/sap ... we can see if we can merge it somehow.

@berndfinger
Contributor

> @berndfinger from the SAP Notes, system roles for SAP or RHEL documentation for HANA we have linked in sap.com, is there any reference for umask requirements?

There is no such string "umask" in any of the files in the RHEL System Roles for SAP. I'll answer the other parts of your question separately, outside of this thread.

@berndfinger
Contributor

> Changed database deployment from "command" to "shell" and added umask option. This is important for a customer who changed the default umask on a host (i.e. 027). The HANA installer will fail, since it would create folders with wrong permissions.

Hi @tjungbauer, can you please share the error messages you are getting?

@tjungbauer
Author

Hi,

I have two error messages, for example:

Wrong permission in /hana/...
15:28:35.804 - ERR : Directory '/hana/shared' is not accessible
15:28:35.804 - ERR : Missing execute permission for others at /hana/shared
15:28:35.804 - ERR : Missing read permission for others at /hana/shared
15:28:35.804 - ERR : Missing execute permission for others at /hana
15:28:35.804 - ERR : Missing read permission for others at /hana

Wrong permissions in /usr/sap
15:57:34.820 - ERR : /usr/sap/DX3/HDB00/exe/hdbnsutil call failed
15:57:34.820 - ERR : Cannot execute program /usr/sap/DX3/HDB00/exe/hdbnsutil: /usr/sap/DX3/HDB00/exe/hdbnsutil: Permission denied

Both issues were caused because the folders were created with 750. While /hana/ was created by the customer (to mount NFS), /usr/sap is created by the hostagent, as I understood.

By setting the permissions to 755 for all required folders, it worked perfectly.

As a workaround, I added some tasks in the playbook before executing the deployment role, to be sure the permissions are correctly set.
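The failure mode reported above, reproduced as an added example (not code from this PR or from the role): directories created under umask 027 end up as 750, so every path component lacks read/execute for others, which is what the installer log reports. The function names are hypothetical and a temporary directory stands in for /hana/shared; the umask is changed only inside a subshell, so it applies to that one execution.

```shell
#!/bin/sh
# Added example: constructed paths under a temp dir stand in for /hana/shared.

# Print the "others" permission triplet (e.g. "r-x" or "---") of a path.
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# Create a directory tree inside a subshell, so the umask change is scoped
# to this one execution and never leaks into the caller's environment.
# $1 = umask to apply, $2 = directory to create (with parents)
mkdir_with_umask() (
    umask "$1"
    mkdir -p "$2"
)

# Walk from $2 up to (not including) $1 and report every directory that
# lacks read or execute for others. Returns 0 if all pass, 1 otherwise.
check_others_rx() {
    root=$1 dir=$2 rc=0
    while [ "$dir" != "$root" ] && [ "$dir" != "/" ]; do
        case $(other_bits "$dir") in
            r-x|rwx|r-t|rwt) ;;                       # readable and searchable
            *) echo "missing r-x for others: $dir"; rc=1 ;;
        esac
        dir=$(dirname "$dir")
    done
    return $rc
}

demo() {
    base=$(mktemp -d)
    mkdir_with_umask 027 "$base/hardened/hana/shared"   # hardened umask from the thread
    mkdir_with_umask 022 "$base/default/hana/shared"    # common default umask
    check_others_rx "$base" "$base/hardened/hana/shared" || echo "hardened tree fails the check"
    check_others_rx "$base" "$base/default/hana/shared" && echo "default tree passes the check"
    rm -rf "$base"
}

demo
```

Run against the real paths before a deployment, the same check flags pre-created mount points such as a customer-made /hana, which a umask setting inside the role cannot fix after the fact.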

@berndfinger
Contributor

> Hi,
>
> I have two error messages, for example:
>
> Wrong permission in /hana/...
> 15:28:35.804 - ERR : Directory '/hana/shared' is not accessible
> 15:28:35.804 - ERR : Missing execute permission for others at /hana/shared
> 15:28:35.804 - ERR : Missing read permission for others at /hana/shared
> 15:28:35.804 - ERR : Missing execute permission for others at /hana
> 15:28:35.804 - ERR : Missing read permission for others at /hana
>
> Wrong permissions in /usr/sap
> 15:57:34.820 - ERR : /usr/sap/DX3/HDB00/exe/hdbnsutil call failed
> 15:57:34.820 - ERR : Cannot execute program /usr/sap/DX3/HDB00/exe/hdbnsutil: /usr/sap/DX3/HDB00/exe/hdbnsutil: Permission denied
>
> Both issues were caused because the folders were created with 750. While /hana/ was created by the customer (to mount NFS), /usr/sap is created by the hostagent, as I understood.
>
> By setting the permissions to 755 for all required folders, it worked perfectly.
>
> As a workaround, I added some tasks in the playbook before executing the deployment role, to be sure the permissions are correctly set.

Hi @tjungbauer - Which HANA 2 revision have you been using?

@tjungbauer
Author

it seems to be 2.4.87

Contributor

@makentenza makentenza left a comment

As discussed, could you please include a solution for #21 and also address my request of being implemented using a variable, enforced by the user and documented in the README file?

@rhmk rhmk closed this Jul 27, 2023