I am behind the development of the security enhanced Linux script "el_scripts", which includes an OpenSCAP profile setup for machines (in my case I use the ANSSI-BP-028-High security profile).
Having applied my security enhancements to PMG 9.x, I couldn't set up a cluster anymore with the following error:
```
copying master database finished (got 184169 bytes)
delete local database
create new local database
GRANT
GRANT
GRANT
GRANT
insert received data into local database
cluster join failed: postgres_admin_cmd failed: pg_restore failed: pg_restore: error: could not open input file "/tmp/masterdb2717.tar": Permission denied
```
This happened since the /tmp umask created the masterdbxxxx.tar file with permissions 600.
In order to make things work, I modified `/usr/share/perl5/PMG/DBTools.pm` by adding the following on line 1380:
```
# make the dump file readable by the pg_restore process before the import
my $ocmd = ['/usr/bin/chmod', '644', $fn,];
PVE::Tools::run_command($ocmd);
```
With this, I could join the cluster.
Would it make sense for the Proxmox team to add the above modification, since the file is unlinked after import anyway?
Btw, I also made the following mods for PMG to work with the secure setup:
- set `AllowTcpForwarding yes` again
- Configured firewall to allow all ports from PMG cluster members via `ufw allow from <ip autres membres cluster>`
- Install apparmor-utils via `apt install apparmor-utils`
- Run aa-logprof to allow clamav to work properly
Cheers.
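The failure described in the post comes from a hardened umask (typically 077) turning the dump file written to /tmp into a 0600 file that the restore process, running as another user, cannot open. The following is an added example, not code from the post or from PMG itself: it reproduces that effect with a constructed stand-in for the dump, and then applies a narrower fix than `chmod 644`, giving read access only to the group the restore runs as instead of to every local user. The group name `postgres` and the restore running as a member of that group are assumptions; the `share_with_group` helper is hypothetical and uses core Perl rather than `PVE::Tools::run_command` so it runs outside a PMG host.

```perl
#!/usr/bin/perl
# Added example (not PMG code): reproduce the umask-driven 0600 dump file
# and apply a group-scoped alternative to 'chmod 644'.
# Assumption: the restore process runs as a member of the 'postgres' group.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Hardened hosts usually set umask 077; this is what produced the 0600
# masterdbXXXX.tar file in the original post.
umask 077;

# Constructed stand-in for the master database dump.
my ($fh, $fn) = tempfile('masterdbXXXX', SUFFIX => '.tar', DIR => '/tmp');
print $fh "constructed dump payload\n";
close $fh;

# Report the mode the umask gave the file (0600 under umask 077).
sub file_mode {
    my ($path) = @_;
    return (stat $path)[2] & 07777;
}
printf "created %s with mode %04o\n", $fn, file_mode($fn);

# Least-privilege alternative to 'chmod 644': group read only, no world read,
# so the dump is not exposed to every local account while it sits in /tmp.
sub share_with_group {
    my ($path, $group) = @_;
    my $gid = getgrnam($group);
    if (!defined $gid) {
        warn "group '$group' not found, leaving $path owner-only\n";
        return 0;
    }
    # chown needs root; -1 keeps the current owner. Fall back gracefully
    # when run unprivileged so the example still completes.
    if (!chown(-1, $gid, $path)) {
        warn "chown $path to group $group failed: $!\n";
        return 0;
    }
    chmod(0640, $path) or die "chmod $path: $!";
    return 1;
}

if (share_with_group($fn, 'postgres')) {
    printf "now mode %04o, group %s\n",
        file_mode($fn), scalar getgrgid((stat $fn)[5]);
}

# Mirror PMG's cleanup: the dump is unlinked after the import.
unlink $fn or warn "unlink $fn: $!";
```

Run as root on a host where the `postgres` group exists to see the mode go from 0600 to 0640 with the group changed; run unprivileged it only prints the 0600 mode and warns that the chown was refused. The point of the 0640 variant is that the window between writing the dump and unlinking it no longer leaves a world-readable copy of the mail-gateway database in /tmp.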