redhat-sap / sap-hana-deployment

Deploys SAP HANA on the given hosts
Apache License 2.0

fixing possible umask issue #29

Closed tjungbauer closed 1 year ago

tjungbauer commented 4 years ago

Changed database deployment from "command" to "shell" and added umask option. This is important for customers who changed the default umask on their hosts (i.e. 027). The HANA installer will fail, since it would create folders with wrong permissions.

tjungbauer commented 4 years ago

Current fix does not seem to work.

tjungbauer commented 4 years ago

The current errors were due to mounts the customer created. Still, the installer should set the umask, I guess.

makentenza commented 4 years ago

Thanks for the PR @tjungbauer, these are the typical opinionated OS deployments from Customers where we can't really address all the corner cases for their specific requirements. That said, I think this is something we could easily add here as many customers are following different hardening guides that will get their umask configuration different to the default one as a result.

I'd rather prefer to implement this as an optional variable enforced by the user and documented in the README, and only change the umask for that particular execution when the user explicitly provides that information.

@berndfinger from the SAP Notes, system roles for SAP or RHEL documentation for HANA we have linked in sap.com, is there any reference for umask requirements?

tjungbauer commented 4 years ago

I am not sure if it is a corner case. Setting the umask to 027 is part of the CIS Benchmarks and bigger companies sometimes like to configure there :)

makentenza commented 4 years ago

> I am not sure if it is a corner case. Setting the umask to 027 is part of the CIS Benchmarks and bigger companies sometimes like to configure there :)

Yes, I agree. The umask issue is something recurrent and that's why I think it will be great to include here. There are other corner cases that probably won't. Red Hat Engineering had similar issues as you can see here #14 and this topic has been captured here #21 as well.

Do you think you could change a bit your PR so we include a resolution for #21 and also address my request of being implemented using a variable, enforced by the user and documented in the README file?

tjungbauer commented 4 years ago

For this I put a workaround in the playbook, to be honest. It just sets the permissions for the folders ... including /usr/sap ... we can see if we can merge it somehow.

berndfinger commented 4 years ago

> @berndfinger from the SAP Notes, system roles for SAP or RHEL documentation for HANA we have linked in sap.com, is there any reference for umask requirements?

There is no such string "umask" in any of the files in the RHEL System Roles for SAP. I'll answer the other parts of your question separately, outside of this thread.

berndfinger commented 4 years ago

> Changed database deployment from "command" to "shell" and added umask option. This is important for customers who changed the default umask on their hosts (i.e. 027). The HANA installer will fail, since it would create folders with wrong permissions.

Hi @tjungbauer Can you please share the error messages you are getting?

tjungbauer commented 4 years ago

Hi,

I have two error messages, for example:

Wrong permission in /hana/...

```
15:28:35.804 - ERR : Directory '/hana/shared' is not accessible
15:28:35.804 - ERR : Missing execute permission for others at /hana/shared
15:28:35.804 - ERR : Missing read permission for others at /hana/shared
15:28:35.804 - ERR : Missing execute permission for others at /hana
15:28:35.804 - ERR : Missing read permission for others at /hana
```

Wrong permissions in /usr/sap

```
15:57:34.820 - ERR : /usr/sap/DX3/HDB00/exe/hdbnsutil call failed
15:57:34.820 - ERR : Cannot execute program /usr/sap/DX3/HDB00/exe/hdbnsutil: /usr/sap/DX3/HDB00/exe/hdbnsutil: Permission denied
```

Both issues were caused because the folders were created with 750. While /hana/ was created by the customer (to mount NFS), /usr/sap is created by the hostagent, as I understood.

By setting the permissions to 755 on all required folders, it worked perfectly.

As a workaround, I added some tasks in the playbook before executing the deployment role, to be sure the permissions are correctly set.
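
The failure mode reported in the comment above, reproduced in a scratch directory as an added example (not code from this PR or from the role): directories created under umask 027 come out as 750, and the check walks each path component for the "others" read and execute bits that the installer errors name. The function names and the scratch layout are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the PR. Directories are created under a temp dir;
# on a real host pass e.g. /hana/shared or /usr/sap with "/" as STOP.

# missing_for_others DIR: echo "read" and/or "execute" when the "others"
# class lacks that bit on DIR (the bits named in the installer errors).
missing_for_others() {
    perms=$(ls -ld "$1" | cut -c8-10)        # e.g. "r-x" or "---"
    case $perms in r??) ;; *) echo read ;; esac
    case $perms in ??x|??t) ;; *) echo execute ;; esac
}

# check_chain PATH STOP: walk from PATH up to (not including) STOP and print
# one finding per missing bit. Returns 1 if anything is missing.
check_chain() {
    p=$1
    rc=0
    while [ "$p" != "$2" ] && [ "$p" != "/" ] && [ "$p" != "." ]; do
        for bit in $(missing_for_others "$p"); do
            echo "Missing $bit permission for others at $p"
            rc=1
        done
        p=$(dirname "$p")
    done
    return $rc
}

# make_tree ROOT MASK: create ROOT/hana/shared the way a process running
# with umask MASK would (subshell, so the caller's umask is untouched).
make_tree() {
    ( umask "$2" && mkdir -p "$1/hana/shared" )
}

demo() {
    root=$(mktemp -d)
    make_tree "$root/hardened" 027    # directories come out as 750
    make_tree "$root/default" 022     # directories come out as 755
    check_chain "$root/hardened/hana/shared" "$root/hardened" \
        || echo "=> tree created under umask 027 fails the check"
    check_chain "$root/default/hana/shared" "$root/default" \
        && echo "=> tree created under umask 022 passes"
    rm -rf "$root"
}
demo
```

Running such a check before the deployment role reports every affected path component at once, including directories that were created earlier (mount points, for instance) and that a umask set only for the installer process would not change.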

berndfinger commented 4 years ago

> Hi,
>
> I have two error messages, for example:
>
> Wrong permission in /hana/...
>
> ```
> 15:28:35.804 - ERR : Directory '/hana/shared' is not accessible
> 15:28:35.804 - ERR : Missing execute permission for others at /hana/shared
> 15:28:35.804 - ERR : Missing read permission for others at /hana/shared
> 15:28:35.804 - ERR : Missing execute permission for others at /hana
> 15:28:35.804 - ERR : Missing read permission for others at /hana
> ```
>
> Wrong permissions in /usr/sap
>
> ```
> 15:57:34.820 - ERR : /usr/sap/DX3/HDB00/exe/hdbnsutil call failed
> 15:57:34.820 - ERR : Cannot execute program /usr/sap/DX3/HDB00/exe/hdbnsutil: /usr/sap/DX3/HDB00/exe/hdbnsutil: Permission denied
> ```
>
> Both issues were caused because the folders were created with 750. While /hana/ was created by the customer (to mount NFS), /usr/sap is created by the hostagent, as I understood.
>
> By setting the permissions to 755 on all required folders, it worked perfectly.
>
> As a workaround, I added some tasks in the playbook before executing the deployment role, to be sure the permissions are correctly set.

Hi @tjungbauer - Which HANA 2 revision have you been using?

tjungbauer commented 4 years ago

It seems to be 2.4.87.