Closed Aggraxis closed 2 years ago
I have an open bug to determine why this is causing problems now, but yes, in the meantime I would not implement this, and I went ahead and excluded it from the VCSA playbook.
6cdd26826bbb09b8c4836bef0d95a7d786f8c3cc
I forgot to mention this, but we used to have some "Healthy, with warnings" checks for some of our services on the VAMI page, specifically the postgres service. After the UMASK adjustment all of those warnings went away. Our services are showing healthy for everything that's actually turned on.
Closing since this was removed from the vSphere 7 content.
Describe the bug
We tried to apply an update (vCenter 7.0.3-00500.19480866 to 7.0.3-00600.19717403) last week, and it failed: Exception occurred in postInstallHook. After reviewing the logs (/var/log/vmware/applmgmt/upgrade_hook_PatchHook) we saw that the appliance was no longer able to start any services. I reached out to the r/vmware community via this post:
https://www.reddit.com/r/vmware/comments/utytvq/vcenter_7030050019480866_to_7030060019717403/
Ultimately, the files being created as part of the update process were coming up with 0640 permissions instead of 0644, which makes me think this has more to do with PHTN-30-000077 than PHTN-30-000114. Changing the UMASK back to 022 in both files and rebooting the appliance allowed me to apply the patch successfully.
Reproduction steps
Expected behavior
We definitely want to be 'compliant' and be able to patch the appliance as well. I'm not sure whether the UMASK recommendation is simply unreasonable or if the vCenter applications need to take the more restrictive UMASK into account.
Additional context
No response
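The permission difference described in the report (0640 instead of 0644) can be reproduced and checked for with a short script. This is an added example, not part of the issue or of any VMware tooling; the function names are hypothetical and the probe files are constructed in a temporary directory.

```bash
#!/usr/bin/env bash
# Added example: how the process umask decides the mode of new files,
# and how to list files that accounts other than owner/group cannot read.

# Print the octal mode of a path (GNU stat, with a BSD fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create an empty file under the given umask and print its mode.
# The body runs in a subshell so the caller's umask is left unchanged.
mode_under_umask() (
    mask="$1"
    dir="$2"
    umask "$mask"
    : > "$dir/probe.$mask"      # requested 0666, masked by the umask
    mode_of "$dir/probe.$mask"
)

# List regular files under a directory that lack the world-read bit.
files_not_world_readable() {
    find "$1" -type f ! -perm -004 -print | sort
}

demo() {
    tmp="$(mktemp -d)"          # constructed scratch directory
    echo "umask 022 -> $(mode_under_umask 022 "$tmp")"
    echo "umask 027 -> $(mode_under_umask 027 "$tmp")"
    echo "files without world-read:"
    files_not_world_readable "$tmp"
    rm -rf "$tmp"
}

demo
```

Pointing `files_not_world_readable` at a directory written during a failed update shows which files were created under the restrictive mask.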