topic Re: Installing Morpheus Agent on Rocky Linux in HPE Morpheus VM Essentials

Installing Morpheus Agent on Rocky Linux

dya — Mon, 24 Mar 2025 04:01:26 GMT

I did the following in the same way as when using Ubuntu Server on a VM.

① Install "qemu-guest-agent" on Rocky Linux and make sure it's running
② Select "Install Agent" from the virtual machine's actions

It didn't work at first, but by doing the following two things, the virtual machine's action "Install Agent" completed successfully.

・Comment out "FILTER_RPC_ARGS" in /etc/sysconfig/qemu-ga
・Set SELinux to "Permissive"

However, both seem to relax security, so when running Rocky Linux (Red Hat-based Linux) on a VME, what is the best way to handle qemu-ga's "--allow-rpcs" and SELinux?

※Sorry if this is hard to understand as it is machine translated

Re: Installing Morpheus Agent on Rocky Linux

babusude — Mon, 24 Mar 2025 01:58:18 GMT

is there a reason why you did this ? "Comment out "FILTER_RPC_ARGS" in /etc/sysconfig/qemu-ga"

If you download the agent script you will see that the script is like this.
curl -k -s "https://${applianceUrl}/api/server-script/agentInstall?apiKey=${apiKey}" | bash

If you take an SSH to Rocky linux and then run the command like this ( add the -v), then we will get the exact reason if/why the agent install is not happening.
curl -v -k -s "https://${applianceUrl}/api/server-script/agentInstall?apiKey=${apiKey}" | bash

Re: Installing Morpheus Agent on Rocky Linux

dya — Mon, 24 Mar 2025 12:20:44 GMT

Thank you.

The reason is that when I investigated the issue of being unable to install using the virtual machine action "Install Agent", I found the following error when running "journalctl -f" on the host.

libvirtd[1235]: internal error: unable to execute QEMU agent command 'guest-exec': Command guest-exec has been disabled: the command is not allowed

I believe that downloading a script from a virtual machine action and running it on the guest OS is not the best option for general users, not engineers, so I would like to be able to install it using the VME Manager web screen, and I would like to know if there is a better way to do it.

Re: Installing Morpheus Agent on Rocky Linux

babusude — Wed, 23 Apr 2025 00:31:08 GMT

The error you saw, means that Rocky Linux (like other Red Hat-based systems) blocks certain QEMU agent features by default to improve security.
One of those blocked features is guest-exec, which is needed by VME Manager to run the agent install script.
libvirtd[1235]: internal error: unable to execute QEMU agent command 'guest-exec': Command guest-exec has been disabled: the command is not allowed

Why your changes worked:
Commenting out FILTER_RPC_ARGS lets guest-exec and similar commands run, so the install could complete.
Setting SELinux to "Permissive" stops it from blocking actions, which also helped.

But yes, both of these changes reduce system security, so it’s good to find a better way.

A better approach:
Keep SELinux in Enforcing mode
Instead of turning SELinux off (Permissive), we can teach it to allow just what’s needed. You can use these commands:

ausearch -m avc -ts recent
audit2allow -M myqemu
semodule -i myqemu.pp
This watches for what SELinux blocks and then creates a rule to allow it.
Temporarily allow agent install:
You could allow guest-exec only during installation, then put the FILTER_RPC_ARGS setting back afterward. This keeps things secure most of the time.

Re: Installing Morpheus Agent on Rocky Linux

dya — Wed, 23 Apr 2025 12:12:57 GMT

thank you.