#XCP on RHEL8 will not activate / install

I am trying to activate XCP on RHEL8 but it fails with [9999999] Error loading Python lib '/tmp/_MEICGewV2/libpython3.8.so.1.0': dlopen: /tmp/_MEICGEWV2/libpython3.0.so.1.0: failed to map segment from shared object
Our assumption is that it is trying to execute from /tmp, which in our environment is not allowed. (We are a dark site). Is there a way or parameter we can use to have it extract to a different temporary area?

@signal tiger @steel garden

@turbid plank

Was thatn for me Nick?

No, Pete is the engineer that created XCP originally

Is he on Discord? Can I reach out to him?

That's why I pinged him, so he can come assist when he gets a chance

Check security logs. Might be an selinux thing

It is a STIG requirement

Right. It might be failing due to some context not being set/correct

Check security logs

Not allowed to execute from /tmp

My scripts were failing also... had to start re-writting

Have you tried from a non tmp directory?

There is no option; it is physically hard coded in to the xcp script

There may be an optional argument, but it isn't documented

I know it’s not the same, I just downloaded xcp 1.9.2. Extracted into /root. Did a cd into xcp/Linux. Did xcp activate and it failed, but created directory structure. I put the license file in /opt/NetApp/xFiles/xcp/license then ran xcp activate again and it just worked

That was on them 7.9. I can’t believe 8 is that different that the same can’t be done there

Never used /tmp.

That's because in your case, the system allowed the installer to create a run-time.py script in /tmp and executed it. I can create it, but it will not allow me to execute it, so I can't get that far

It isn't 7 or 8, it is the STIGs that are being applied to our RHEL8+ systems.

It uses /tmp in the background,w ithout telling you. I used to do it to, any file I didn't want to manually clean up. 😉

And it looks like these are the buggers stopping you then:

These are for /var/tmp
https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2023-09-11/finding/V-230520

https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2023-09-11/finding/V-230522

These are for /tmp
https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2023-09-11/finding/V-230511

https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2023-09-11/finding/V-230513
(specifically, the second one: RHEL 8 must mount /var/tmp with the noexec option)

I was able to get around the, presumed, /tmp restriction by issuing:

export TMPDIR=/root/xcp_tmp
mktemp

Now when I run "./xcp activate" I get
"fips.c(145): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST FAILURE
Aborted (core dumped)

That sounds like a more difficult one.

GM

I opened a case... 😉

It looks like a dependency, but...

And I'm not telling them how to bypass /tmp

https://access.redhat.com/solutions/7035895

Look there. It gives steps on how to figure out which python module may be the culprit

(Diagnostic steps anyway)

I know... I only have 3.6, but there are a boat-load of dependencies and trying one by one is not going to be fun troubleshooting

And I have to go split a stack and retire the old 3TB's too.

BTW, NVME storage is a resource hog especially if you create a single name space like Tony had done

Oops this is a public channel isn't it

We'll talk another time

But, the question I asked you to check at Insight was answered. You can create namespaces and use NVMEoTCP on NVME/SAS/SATA storage. It is abstracted by ONTAP

So I can mirror and DR from SATA

of course, although it is debateable if you gain anything by using SATA disks as backend for NVMe/TCP 😉

I've found the XCP feedback email very helpful - it gets you to the smart folks right away. ng-xcp-feedback@netapp.com