When running `tiup cluster check ...` against systems that have `/tmp` mounted with the `noexec` option then TiUP fails to run the checks.
What did you do?
Apply hardening to a Rocky Linux 9 installation, e.g. by selecting "CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server" as security profile during the installation or by manually adding the `noexec` option in `/etc/fstab`.
These profiles are used for generic hardening, compliance with government regulations and compliance with PCI-DSS.
What did you expect to see?
The check to run successfully. Depending on the configuration of the target machine individual checks could still fail, but the check itself would run completely and produce a report.
What did you see instead?
```
$ tiup cluster check testcluster.yml
tiup is checking updates for component cluster ...
Starting component `cluster`: /home/dvaneeden/.tiup/components/cluster/v1.14.0/tiup-cluster check testcluster.yml
The SSH identity key is encrypted. Input its passphrase:
+ Detect CPU Arch Name
- Detecting node 192.168.122.131 Arch info ... Done
+ Detect CPU OS Name
- Detecting node 192.168.122.131 OS info ... Done
+ Download necessary tools
- Downloading check tools for linux/amd64 ... Done
+ Collect basic system information
- Getting system info of 192.168.122.131:22 ... Error
Error: stderr: bash: line 1: tar: command not found
: executor.ssh.execute_failed: Failed to execute command over SSH for '[email protected]:22' {ssh_stderr: bash: line 1: tar: command not found
, ssh_stdout: , ssh_command: export LANG=C; PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin /usr/bin/sudo -H bash -c "tar --no-same-owner -zxf /tmp/tiup/bin/insight-v0.4.2-linux-amd64.tar.gz -C /tmp/tiup/bin && rm /tmp/tiup/bin/insight-v0.4.2-linux-amd64.tar.gz"}, cause: Process exited with status 127
Verbose debug logs has been written to /home/dvaneeden/.tiup/logs/tiup-cluster-debug-2024-01-11-11-04-41.log.
```
With `tar` installed (not part of a minimal install of Rocky Linux 9):
```
$ tiup cluster check testcluster.yml
tiup is checking updates for component cluster ...
Starting component `cluster`: /home/dvaneeden/.tiup/components/cluster/v1.14.0/tiup-cluster check testcluster.yml
The SSH identity key is encrypted. Input its passphrase:
+ Detect CPU Arch Name
- Detecting node 192.168.122.131 Arch info ... Done
+ Detect CPU OS Name
- Detecting node 192.168.122.131 OS info ... Done
+ Download necessary tools
- Downloading check tools for linux/amd64 ... Done
+ Collect basic system information
+ Collect basic system information
- Getting system info of 192.168.122.131:22 ... Error
Error: executor.ssh.execute_failed: Failed to execute command over SSH for '[email protected]:22' {ssh_stderr: bash: line 1: /tmp/tiup/bin/insight: Permission denied
, ssh_stdout: , ssh_command: export LANG=C; PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin /usr/bin/sudo -H bash -c "/tmp/tiup/bin/insight"}, cause: Process exited with status 126
Verbose debug logs has been written to /home/dvaneeden/.tiup/logs/tiup-cluster-debug-2024-01-11-11-15-24.log.
```
What version of TiUP are you using (`tiup --version`)?
```go
		Shell(
			inst.GetManageHost(),
			filepath.Join(task.CheckToolsPathDir, "bin", "insight"),
			"",
			false,
		).
		BuildAsStep(" - Getting system info of "+utils.JoinHostPort(inst.GetManageHost(), inst.GetSSHPort()))
```
With a quick-and-dirty fix applied the checks now run.
diff --git a/pkg/cluster/task/check.go b/pkg/cluster/task/check.go
index 181f38e5..8b899495 100644
--- a/pkg/cluster/task/check.go+++ b/pkg/cluster/task/check.go@@ -42,7 +42,7 @@ var (
// place the check utilities are stored
const (
- CheckToolsPathDir = "/tmp/tiup"+ CheckToolsPathDir = "/tidb-deploy/tmp/tiup"
)
// CheckSys performs checks of system information
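Review bot: The new `CheckToolsPathDir` value on the changed line hard-codes `/tidb-deploy/tmp/tiup`, so the check only works on hosts where `/tidb-deploy` exists and is not itself mounted `noexec`. Because the binary under this path is run through `sudo` (see the failing command in the log above), the directory should also not be writable by other users. Derive the path from the topology's `deploy_dir` or make it configurable, and extend the comment above the `const` block to state that the directory must allow execution.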
Suggestions for a fix:
Don't execute code from `/tmp`. Instead use a (temporary?) subdirectory of `deploy_dir`.
See also: https://github.com/ComplianceAsCode/content/blob/80b540816649e3df830691fd39477421ceb8bfea/products/rhel9/kickstart/ssg-rhel9-ccn_basic-ks.cfg#L102
Note that this is included in most security profiles that are available for Rocky Linux/RHEL9/etc:
The topology yaml that I used:
Note that part of the problematic code is this:
Suggestions for a fix:
`tar` isn't installed. This is already in the docs: Update hardware-and-software-requirements.md docs#5228
`CheckToolsPathDir` configurable
`bin/insight` fails if possible.
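A preflight check that would turn the `Permission denied` (exit status 126) failure reported above into a clear message: find the mount that backs the tools directory and report whether it carries `noexec`. This is an added example, not TiUP code; `mountFor`, `noexecMount` and the sample mount table are constructed for illustration, and the input is assumed to be in `/proc/mounts` format.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// sampleMounts is a constructed /proc/mounts excerpt for a hardened host.
const sampleMounts = `/dev/mapper/rl-root / xfs rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/rl-home /home xfs rw,nosuid,nodev 0 0
/dev/vdb1 /tidb-deploy xfs rw,relatime 0 0
`

// mountFor returns the mount point and options of the filesystem backing
// path: the longest mount point that is a path-component prefix of it.
// A later entry for the same mount point wins, as it is mounted on top.
// Octal escapes in mount points (e.g. \040 for a space) are not decoded.
func mountFor(mounts, path string) (point string, opts []string) {
	path = filepath.Clean(path)
	for _, line := range strings.Split(mounts, "\n") {
		f := strings.Fields(line)
		if len(f) < 4 {
			continue // blank or malformed line
		}
		mp := f[1]
		covers := mp == "/" || path == mp || strings.HasPrefix(path, mp+"/")
		if covers && len(mp) >= len(point) {
			point, opts = mp, strings.Split(f[3], ",")
		}
	}
	return point, opts
}

// noexecMount reports whether path sits on a noexec mount, and on which one.
func noexecMount(mounts, path string) (bool, string) {
	point, opts := mountFor(mounts, path)
	for _, o := range opts {
		if o == "noexec" {
			return true, point
		}
	}
	return false, point
}

func main() {
	fmt.Println(noexecMount(sampleMounts, "/tmp/tiup"))             // true /tmp
	fmt.Println(noexecMount(sampleMounts, "/tidb-deploy/tmp/tiup")) // false /tidb-deploy
}
```

On a live host the first argument would be the contents of `/proc/mounts` read on the target; the prefix test is per path component, so `/tmpfoo` is not treated as lying under `/tmp`.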