sap-linuxlab / community.sap_install

Automation for SAP - Collection of Ansible Roles for various SAP software installation
Apache License 2.0

sap_swpm: Using different TEMP dir fails playbook #347

Open slubb opened 1 year ago

slubb commented 1 year ago

I'm installing SAP using a different TEMP directory:

    - name: Play install SAP Web Dispatcher
      hosts: hosts
      gather_facts: True
      become: true
      environment:
        TEMP: /usr/sap/tmp

Installation works as expected; however, there are 2 issues:

  1. The summary pre start: It now shows the wrong path.
    
    TASK [community.sap_install.sap_swpm : SAP SWPM - Installation Process] ******************************************************
    ok: [xxhost] => {
    "msg": [
        "   Ready to run SWPM for SAP Software Installation  ",
        " ",
        "   SAP Product        -       NW_Webdispatcher:NW750.IND.PD  ",
        "   SID                -       WAD ",
        "   Host               -       xxhost",
        " ",
        "   The installation can take up to 3 hours. Run the following command as root",
        "   on xxhost to display the installation logs:",
        "   # tail -f $(cat /tmp/sapinst_instdir/.lastInstallationLocation)/sapinst.log"
    ]
    }
  2. This step now fails because it doesn't look at the correct tmp dir.

    TASK [community.sap_install.sap_swpm : SAP SWPM - Find last installation location] ***
    fatal: [xxhost]: FAILED! => {
        "changed": false,
        "cmd": [
            "cat",
            "/tmp/sapinst_instdir/.lastInstallationLocation"
        ],
        "delta": "0:00:00.008100",
        "end": "2023-03-17 12:14:35.335597",
        "msg": "non-zero return code",
        "rc": 1,
        "start": "2023-03-17 12:14:35.327497",
        "stderr": "cat: /tmp/sapinst_instdir/.lastInstallationLocation: No such file or directory",
        "stderr_lines": [
            "cat: /tmp/sapinst_instdir/.lastInstallationLocation: No such file or directory"
        ],
        "stdout": "",
        "stdout_lines": []
    }

sean-freeman commented 1 year ago

Hi @slubb, the error occurs because these Ansible Tasks statically use /tmp.

Can you provide justification why you want to change the Temporary Directory for the installation, and why /usr/sap/tmp (which should really be reserved for <sid>adm processes)?

I am unsure whether adding a variable to switch the Temporary Directory is a good idea. I would need convincing.

slubb commented 1 year ago

I have a customer and they have mounted their /tmp on noexec. This fails the default installation. If I change the TEMP it goes fine except for the hardcoded parts. I've started internal investigations why this is mounted like that, but it's still silent from that part. Don't know if the noexec part is convincing enough ;-) ?

sean-freeman commented 1 year ago

@slubb looks like there is no guidance from SAP on this topic, all we have is SAP Note 2063079 - "Child has signaled an exec error (-138)" and "Permission Denied" - Error to extract SWPM

Will ask someone from Red Hat or SUSE to comment. If I recall correctly, /tmp is frequently set by default as noexec when installing from ISO of either OS.

wuftymerguftyguff commented 10 months ago

Same issue here. VM hardening mandates noexec on temp folders. What about a pre and post task to change them while the install is in flight?

sean-freeman commented 10 months ago

@wuftymerguftyguff That would probably be considered a security vulnerability to make that alteration as part of the code. This GH Issue still needs comment from SUSE or Red Hat.

wuftymerguftyguff commented 10 months ago

In that case I think that the static use of /tmp needs to be removed to allow the adoption of the guidance in 2063079.

kksat commented 10 months ago

A solution might be to use the variable ansible_env (collected as part of Ansible facts) instead of hard-coding '/tmp'. As per SAP documentation, $TEMP is used to place sapinst_instdir, not /tmp.

https://help.sap.com/docs/SLTOOLSET/06f7611290ea4b8d9bc431a8d7bf05c3/84e70c5206893c3ae10000000a441470.html?version=CURRENT_VERSION_SWPM20

So this is indeed an issue, because the role does not support standard SAP functionality.
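As an added example that is not part of the original thread or of the community.sap_install role: a pre-flight check in POSIX shell that derives the `.lastInstallationLocation` path from `$TEMP` instead of a fixed `/tmp`, and reports whether a directory sits on a `noexec` mount. The function names, the fallback to `/tmp` when `TEMP` is unset, and the sample mount table are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; not code from community.sap_install. Function names are hypothetical.

# Directory that holds sapinst_instdir: $TEMP if set, else /tmp (assumed fallback).
swpm_tmpdir() {
    printf '%s\n' "${TEMP:-/tmp}"
}

# Marker file that the role's "Find last installation location" task reads.
swpm_last_location_file() {
    printf '%s/sapinst_instdir/.lastInstallationLocation\n' "$(swpm_tmpdir)"
}

# Print the mount options of the filesystem that holds directory $1.
# $2 is a mount table in /proc/mounts format (default: /proc/mounts).
# The longest mount point that is a path prefix of $1 wins; on a tie the
# later entry wins, because it overlays the earlier one.
mount_opts_for() {
    awk -v dir="$1" '
        {
            mp = $2
            prefix = (mp == "/") ? "/" : mp "/"
            if ((dir == mp || index(dir "/", prefix) == 1) && length(mp) >= best) {
                best = length(mp); opts = $4
            }
        }
        END { print opts }
    ' "${2:-/proc/mounts}"
}

# Succeeds (exit 0) when directory $1 is on a filesystem mounted noexec.
is_noexec() {
    mount_opts_for "$1" "$2" | tr ',' '\n' | grep -qx 'noexec'
}

# Constructed sample mount table (not taken from the issue).
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / xfs rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sdb1 /usr/sap xfs rw,relatime 0 0
EOF
}
```

Running `is_noexec "$(swpm_tmpdir)"` before the installation flags a hardened `/tmp` up front, and `swpm_last_location_file` gives the path to read afterwards under whichever `TEMP` the play exported.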

kksat commented 7 months ago

@berndfinger is this still an open issue?