ovn migration: Don't use executables in /tmp/

It's a common practice to have /tmp/ mounted separately with noexec option. This effectively means no scripts can be executed from the filesystem mounted to /tmp. This patch explicitly calls sh binary to execute scripts from /tmp and removes the executable flag from the scripts. Closes-Bug: #1965183 Change-Id: I2f9cd67979a8a75848fcdd7a8c3bb56dd3590473 Signed-off-by: Jakub Libosvar <libosvar@redhat.com>
2022-03-16 16:40:21 -04:00 · 2022-03-16 16:40:21 -04:00 · 0529ccdf71
parent 2f4661c876
commit 0529ccdf71
2 changed files with 4 additions and 4 deletions
--- a/tools/ovn_migration/tripleo_environment/playbooks/roles/migration/tasks/activate-ovn.yml
+++ b/tools/ovn_migration/tripleo_environment/playbooks/roles/migration/tasks/activate-ovn.yml
@ -3,11 +3,11 @@
  template:
    src: "activate-ovn.sh.j2"
    dest: "/tmp/activate-ovn.sh"
-    mode: 0744
+    mode: 0644

 - name: Run OVN activation script
  shell: >
-    /tmp/activate-ovn.sh 2>&1 > /tmp/activate-ovn.sh.log
+    sh /tmp/activate-ovn.sh 2>&1 > /tmp/activate-ovn.sh.log

 - name: Delete OVN activate script
  file:
--- a/tools/ovn_migration/tripleo_environment/playbooks/roles/migration/tasks/clone-dataplane.yml
+++ b/tools/ovn_migration/tripleo_environment/playbooks/roles/migration/tasks/clone-dataplane.yml
@ -4,10 +4,10 @@
  template:
    src: "clone-br-int.sh.j2"
    dest: "/tmp/clone-br-int.sh"
-    mode: 0744
+    mode: 0644

 - name: Run clone script for dataplane
-  shell: /tmp/clone-br-int.sh
+  shell: sh /tmp/clone-br-int.sh

 - name: Delete clone script
  file: