[BACKPORT 2025.1.2][PLAT-18631] Ssh broken through yugabyte user on onprem auto provisioning for RHEL 9

nkhogen · nkhogen · commit 7688a8118a2f · 2025-11-18T09:00:50.000-08:00
Summary: Original diff: https://phorge.dev.yugabyte.com/D47122 (532a20f) Selinux prevents accessing .ssh folder if the home is a non-standard location like /yb-user-home. This change labels the path to allow access. Test Plan: Manually tested with the AMI ami-0d35d4245140392e8. Used to fail before this change. ``` LYYPVYV909:my-utilities nkhogen$ ssh -i /opt/yugaware/keys/ff4224f9-9fe7-43c3-8d70-9b16a9dcc708/yb-dev-aws.pem -ostricthostkeychecking=no -p 22 yugabyte@10.9.77.220 Register this system with Red Hat Insights: insights-client --register Create an account or view all your systems at https://red.ht/insights-dashboard Last login: Wed Oct 1 02:02:51 2025 [yugabyte@ip-10-9-77-220 ~]$ cat /etc/os-release NAME="Red Hat Enterprise Linux" VERSION="9.4 (Plow)" ID="rhel" ID_LIKE="fedora" VERSION_ID="9.4" PLATFORM_ID="platform:el9" PRETTY_NAME="Red Hat Enterprise Linux 9.4 (Plow)" ANSI_COLOR="0;31" LOGO="fedora-logo-icon" CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos" HOME_URL="https://www.redhat.com/" DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9" BUG_REPORT_URL="https://bugzilla.redhat.com/" REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9" REDHAT_BUGZILLA_PRODUCT_VERSION=9.4 REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux" REDHAT_SUPPORT_PRODUCT_VERSION="9.4" [yugabyte@ip-10-9-77-220 ~]$ echo $HOME /yb-db-user ``` For the home path matching test: 1. Wrong home path ``` 2025-10-02 10:43:33,300 INFO exec_command:ssh.py:443: Executing command /tmp/preflight_checks.sh --type provision --yb_home_dir /yb-db-user/fake-home --mount_points /mnt/d0 --ports_to_check 7000,7100,9000,9100,14000,18018,12000,9042,13000,5433,9300 --sudo_pass_file /tmp/.yb_sudo_pass.sh --tmp_dir /tmp --cleanup --install_node_exporter { "SSH Connection": true, "Try Ansible Command": true, "Home directory is clean": true, "Home directory matches": false, "Data directory is clean": true, "Sudo Access to Python": true, "Internet Connection": true, "(Prometheus) No Pre-existing Node Exporter Running": true, "(Prometheus) /opt/prometheus is writable": true, "(Prometheus) /etc/prometheus is writable": true, "(Prometheus) /var/log/prometheus is writable": true, "(Prometheus) /var/run/prometheus is writable": true, "(Prometheus) /var/lib/prometheus is writable": true, "(Prometheus) /lib/systemd/system/node_exporter.service is writable": true, "/opt/prometheus has free space of 100 MB ": true, "/tmp has free space of 100 MB ": true, "(PAM Limits) /etc/security/limits.conf is writable": true, "NTP time synchronization set up": true, "ntp_skew": true, "(Mount Point) /mnt/d0 is writable": true, "Port 7000 is available": true, "Port 7100 is available": true, "Port 9000 is available": true, "Port 9100 is available": true, "Port 14000 is available": true, "Port 18018 is available": true, "Port 12000 is available": true, "Port 9042 is available": true, "Port 13000 is available": true, "Port 5433 is available": true, "Port 9300 is available": true, "Yugabyte User in Yugabyte Group": true, "/yb-db-user/fake-home has free space of 2048 MB ": true, "locale_present": true } ``` 2. Matching home path ``` 2025-10-02 10:45:05,509 INFO exec_command:ssh.py:443: Executing command /tmp/preflight_checks.sh --type provision --yb_home_dir /yb-db-user --mount_points /mnt/d0 --ports_to_check 7000,7100,9000,9100,14000,18018,12000,9042,13000,5433,9300 --sudo_pass_file /tmp/.yb_sudo_pass.sh --tmp_dir /tmp --cleanup --install_node_exporter { "SSH Connection": true, "Try Ansible Command": true, "Home directory is clean": true, "Home directory matches": true, "Data directory is clean": true, "Sudo Access to Python": true, "Internet Connection": true, "(Prometheus) No Pre-existing Node Exporter Running": true, "(Prometheus) /opt/prometheus is writable": true, "(Prometheus) /etc/prometheus is writable": true, "(Prometheus) /var/log/prometheus is writable": true, "(Prometheus) /var/run/prometheus is writable": true, "(Prometheus) /var/lib/prometheus is writable": true, "(Prometheus) /lib/systemd/system/node_exporter.service is writable": true, "/opt/prometheus has free space of 100 MB ": true, "/tmp has free space of 100 MB ": true, "(PAM Limits) /etc/security/limits.conf is writable": true, "NTP time synchronization set up": true, "ntp_skew": true, "(Mount Point) /mnt/d0 is writable": true, "Port 7000 is available": true, "Port 7100 is available": true, "Port 9000 is available": true, "Port 9100 is available": true, "Port 14000 is available": true, "Port 18018 is available": true, "Port 12000 is available": true, "Port 9042 is available": true, "Port 13000 is available": true, "Port 5433 is available": true, "Port 9300 is available": true, "Yugabyte User in Yugabyte Group": true, "/yb-db-user has free space of 2048 MB ": true, "locale_present": true } ``` Reviewers: anijhawan, skhilar, nbhatia, vkumar, dshubin Reviewed By: skhilar Subscribers: yugaware, nikhil Differential Revision: https://phorge.dev.yugabyte.com/D48355
diff --git a/managed/devops/opscli/ybops/data/preflight_checks.sh b/managed/devops/opscli/ybops/data/preflight_checks.sh
@@ -149,9 +149,6 @@ preflight_configure_check() {
   fi
   update_result_json "Yugabyte Group" "$user_status"
 
-  # Check home directory exists.
-  check_filepath "Home Directory" "$yb_home_dir" false
-
   # Check virtual memory max map limit.
   vm_max_map_count=$(cat /proc/sys/vm/max_map_count 2> /dev/null)
   test ${vm_max_map_count:-0} -ge $VM_MAX_MAP_COUNT
@@ -176,8 +173,10 @@ preflight_all_checks() {
       yb_home_dir_clean=false
     fi
   fi
-  update_result_json "yb_home_dir_clean" "$yb_home_dir_clean"
+  update_result_json "Home Directory Clean" "$yb_home_dir_clean"
 
+  # Check home directory exists and verify if it matches the expected home directory.
+  check_yugabyte_user_home_if_exists
 
   # Check whether files in data directory are cleaned up.
   data_dir_clean=true
@@ -199,7 +198,7 @@ preflight_all_checks() {
       fi
     done
   done
-  update_result_json "data_dir_clean" "$data_dir_clean"
+  update_result_json "Data Directory Clean" "$data_dir_clean"
 }
 
 # Checks for an available python executable
@@ -213,6 +212,28 @@ check_python() {
   update_result_json "Sudo Access to Python" "$python_status"
 }
 
+# Checks if the home directory exists for yugabyte and is correct.
+check_yugabyte_user_home_if_exists() {
+  # Check only if yugabyte user exists.
+  if id -u "yugabyte" >/dev/null 2>&1; then
+    # Get the local home directory
+    # Output looks like yugabyte:x:1001:1001::/home/yugabyte:/bin/bash
+    actual_home_dir=$(getent passwd yugabyte | cut -d: -f6 2>&1)
+    if [[ -z "$actual_home_dir" ]]; then
+      update_result_json "Home Directory Exists" false
+    else
+      update_result_json "Home Directory Exists" true
+      # Normalize path.
+      actual_home_dir=$(readlink -m "$actual_home_dir" 2>&1)
+      if [[ "$actual_home_dir" != "$yb_home_dir" ]]; then
+        update_result_json "Home Directory Matches" false
+      else
+        update_result_json "Home Directory Matches" true
+      fi
+    fi
+  fi
+}
+
 # Checks if given filepath is writable.
 check_filepath() {
   test_type="$1"
@@ -393,6 +414,8 @@ while [[ $# -gt 0 ]]; do
     ;;
     --yb_home_dir)
       yb_home_dir="$2"
+      # Normalize the path.
+      yb_home_dir=$(readlink -m "$yb_home_dir" 2>&1)
       shift
     ;;
     --tmp_dir)
diff --git a/managed/node-agent/resources/preflight_check.sh b/managed/node-agent/resources/preflight_check.sh
@@ -201,6 +201,27 @@ check_yugabyte_user() {
   update_result_json "user_group" "$result"
 }
 
+check_yugabyte_user_home_if_exists() {
+  # Check only if yugabyte user exists.
+  if id -u "yugabyte" >/dev/null 2>&1; then
+    # Get the local home directory
+    # Output looks like yugabyte:x:1001:1001::/home/yugabyte:/bin/bash
+    actual_home_dir=$(getent passwd yugabyte | cut -d: -f6 2>&1)
+    if [[ -z "$actual_home_dir" ]]; then
+      update_result_json "home_dir_exists" false
+    else
+      update_result_json "home_dir_exists" true
+      # Normalize path.
+      actual_home_dir=$(readlink -m "$actual_home_dir" 2>&1)
+      if [[ "$actual_home_dir" != "$yb_home_dir" ]]; then
+        update_result_json "home_dir_matches" false
+      else
+        update_result_json "home_dir_matches" true
+      fi
+    fi
+  fi
+}
+
 check_packages_installed() {
 
   check_package_installed "openssl" # Required.
@@ -292,12 +313,8 @@ preflight_all_checks() {
   fi
   update_result_json "python_version" "$result"
 
-  # Check home directory exists.
-  if [[ -d "$yb_home_dir" ]]; then
-    update_result_json "home_dir_exists" true
-  else
-    update_result_json "home_dir_exists" false
-  fi
+  # Check home directory exists and verify if it matches the expected home directory.
+  check_yugabyte_user_home_if_exists
 
   # Check all the communication ports
   check_port "master_http_port" "$master_http_port"
@@ -569,6 +586,8 @@ while [[ $# -gt 0 ]]; do
     ;;
     --yb_home_dir)
       yb_home_dir=${2//\'/}
+      # Normalize the path.
+      yb_home_dir=$(readlink -m "$yb_home_dir" 2>&1)
       shift
     ;;
     --cleanup)
diff --git a/managed/node-agent/resources/ynp/modules/provision/yugabyte/templates/run.j2 b/managed/node-agent/resources/ynp/modules/provision/yugabyte/templates/run.j2
@@ -34,21 +34,28 @@ fi
 # Determine the PLATFORM_ID
 platform_id=$(grep -oP '(?<=^PLATFORM_ID=).+' /etc/os-release | tr -d '"' || echo "unknown")
 
-if [[ "$platform_id" == "platform:el8" ]]; then
+if [[ "{{ os_family }}" == "RedHat" ]]; then
     # Check SELinux status
     SELINUX_STATUS=$(sestatus | grep 'SELinux status' | awk '{print $3}')
     if [[ "$SELINUX_STATUS" == "enabled" ]]; then
         # Configuring the correct SELinux context
         current_context=$(ls -Zd "{{ yb_home_dir }}" | awk '{print $1}' | cut -d: -f3)
         if [[ "$current_context" != "ssh_home_t" ]]; then
-            chcon -R -t ssh_home_t "{{ yb_home_dir }}"
+            if command -v semanage >/dev/null 2>&1; then
+                echo "semanage command found, using semanage"
+                semanage fcontext -a -t ssh_home_t "{{ yb_home_dir }}(/.*)?"
+                restorecon -ir "{{ yb_home_dir }}"
+            else
+                echo "semanage command not found, using chcon"
+                chcon -R -t ssh_home_t "{{ yb_home_dir }}"
+            fi
             echo "SELinux context for {{ yb_home_dir }} changed to ssh_home_t"
         else
             echo "SELinux context for {{ yb_home_dir }} is already set to ssh_home_t"
         fi
     fi
 else
-    echo "el8 not detected, skipping changing selinux context"
+    echo "RedHat not detected, skipping changing selinux context"
 fi
 
 {% if cloud_type is defined and cloud_type != '' %}
