This is a fix for oravirt#453 .

bugfix set custom environment for executables with oracle_script_env

`_JAVA_OPTIONS` is only set when `oracle_tmp_stage` != /tmp due to issues
with `GridSetup.sh -applyRU` for 21c.
The default for `oracle_tmp_stage` is /tmp when `ansible-fips` is disabled
or `{{ oracle_stage }}/tmp` when enabled.

The owner, group and priviledges for `oracle_tmp_stage` are set to same
values as `/tmp` on normal linux servers.

The `CV_ASSUME_DISTID` is set to `OL{{ ansible_distribution_major_version }}` for RHEL/OL
when not RHEL9/OL9 and set to `OL8` when RHEL9/OL9.

`SLES15` is default for SuSE at the moment. This could be changed in next PRs.

`cluvfy` is always executed without `CV_ASSUME_DISTID`, because the tool is
compatible for all supported plattforms when most current version is used.

changelogs/fragments/orahost_meta_env.yml

@@ -2,3 +2,6 @@
 minor_changes:
   - "set custom environment for executables with oracle_script_env (oravirt#453)"
   - "orahost_meta: added oracle_tmp_stage for hardened systems (oravirt#453)"
+  - "bugfix set custom environment for executables with oracle_script_env (oravirt#)"
+breaking_changes:
+  - "CV_ASSUME_DISTID: SLES15 when ansible_os_family == 'SuSE' (oravirt#)"

roles/oracluvfy/tasks/execute_cluvfy.yml

@@ -10,6 +10,8 @@
           - cluvfy_args | length > 2
         success_msg: >-
           Parameter: {{ cluvfy_args }}
+          oracle_script_env:
+          {{ oracle_script_env | ansible.utils.remove_keys(target=['CV_ASSUME_DISTID']) }}
 
     - name: execute_cluvfy | Check for executable
       ansible.builtin.stat:
@@ -21,6 +23,8 @@
       when:
         - not _oracluvfy_executable_stat.stat.exists
 
+    # most current versions of cluvfy is compatible against all supported distributions.
+    # => no need to set CV_ASSUME_DISTID during execution
     - name: execute_cluvfy | Execute cluvfy
       ansible.builtin.command: >-
         {{ _oracluvfy_executable }} {{ cluvfy_args }}
@@ -30,6 +34,8 @@
       changed_when: cluvfy_execute_res.rc == 0
       become: true
       become_user: "{{ _grid_install_user }}"
+      environment: |-
+        {{ oracle_script_env | ansible.utils.remove_keys(target=['CV_ASSUME_DISTID']) }}
 
   rescue:
     - name: execute_cluvfy | cluvfy failed

roles/orahost_meta/README.md

@@ -25,6 +25,9 @@ Meta role used by other roles to share variable defaults.
   - [oracle_tmp_stage](#oracle_tmp_stage)
   - [oracle_user](#oracle_user)
   - [oracle_user_home](#oracle_user_home)
+  - [orahost_meta_cv_assume_distid](#orahost_meta_cv_assume_distid)
+  - [orahost_meta_java_options](#orahost_meta_java_options)
+  - [orahost_meta_tmpdir](#orahost_meta_tmpdir)
   - [role_separation](#role_separation)
 - [Discovered Tags](#discovered-tags)
 - [Dependencies](#dependencies)
@@ -230,11 +233,10 @@ Usually passed to shell: or command: through "environment:" keyword
 #### Default value
 
 ```YAML
-oracle_script_env:
-  TMPDIR: '{{ oracle_tmp_stage }}'
-  _JAVA_OPTIONS: -Djava.io.tmpdir={{ oracle_tmp_stage }}
-  CV_ASSUME_DISTID: |-
-    {{ (ansible_facts.os_family == 'RedHat') | ternary('OL7', omit) }}
+oracle_script_env: |-
+  {{ orahost_meta_cv_assume_distid
+  | combine(orahost_meta_java_options)
+  | combine(orahost_meta_tmpdir)
 ```
 
 ### oracle_seclimits
@@ -279,7 +281,8 @@ There is usually no need to change this variable.
 #### Default value
 
 ```YAML
-oracle_tmp_stage: '{{ oracle_stage }}/tmp'
+oracle_tmp_stage: >-
+  {% if ansible_fips | default(false) %}{{ oracle_stage }}{%- endif %}/tmp
 ```
 
 ### oracle_user
@@ -303,6 +306,61 @@ home directory for `oracle_user`.
 oracle_user_home: /home/oracle
 ```
 
+### orahost_meta_cv_assume_distid
+
+The variable is used by `oracle_script_env` and passed
+to shell: or command: through "environment:" keyword
+
+Riles:
+- Redhat/OL and ansible_distribution_major_version <= 8
+
+`CV_ASSUME_DISTID: OL{{ ansible_distribution_major_version }}`
+
+- Redhat/OL and ansible_distribution_major_version = 9
+
+`CV_ASSUME_DISTID: OL8`
+
+- SuSE
+
+`CV_ASSUME_DISTID: SLES15`
+
+#### Default value
+
+```YAML
+orahost_meta_cv_assume_distid:
+  CV_ASSUME_DISTID: |-
+    {% if ansible_os_family == 'RedHat' %}OL
+    {%- if ansible_distribution_major_version is version('8', '<=') %}{{ ansible_distribution_major_version }}
+    {%- elif ansible_distribution_major_version is version('9', '=') %}8
+    {%- endif %}
+    {%- elif ansible_os_family == 'SuSE' %}SUSE{{ ansible_distribution_major_version }}
+    {%- endif %}
+```
+
+### orahost_meta_java_options
+
+The variable is used by `oracle_script_env` and passed
+to shell: or command: through "environment:" keyword
+
+#### Default value
+
+```YAML
+orahost_meta_java_options:
+  _JAVA_OPTIONS: >-
+    {% if oracle_tmp_stage != '/tmp' -%}
+    -Djava.io.tmpdir={{ oracle_tmp_stage }}
+    {%- endif %}
+```
+
+### orahost_meta_tmpdir
+
+#### Default value
+
+```YAML
+orahost_meta_tmpdir:
+  TMPDIR: '{{ oracle_tmp_stage }}'
+```
+
 ### role_separation
 
 Should role separation be used for Oracle Restart/Grid-Infrastructure.

roles/orahost_meta/defaults/main.yml

@@ -76,19 +76,65 @@ oracle_rsp_stage: "{{ oracle_stage }}/rsp"
 #
 # There is usually no need to change this variable.
 # @end
-oracle_tmp_stage: "{{ oracle_stage }}/tmp"
+oracle_tmp_stage: >-
+  {% if ansible_fips | default(false) %}{{ oracle_stage }}{%- endif %}/tmp
+
+# @var orahost_meta_cv_assume_distid:description: >
+# The variable is used by `oracle_script_env` and passed
+# to shell: or command: through "environment:" keyword
+#
+# Riles:
+#   - Redhat/OL and ansible_distribution_major_version <= 8
+#
+#     `CV_ASSUME_DISTID: OL{{ ansible_distribution_major_version }}`
+#
+#   - Redhat/OL and ansible_distribution_major_version = 9
+#
+#     `CV_ASSUME_DISTID: OL8`
+#
+#  - SuSE
+#
+#    `CV_ASSUME_DISTID: SLES15`
+#
+# @end
+orahost_meta_cv_assume_distid:
+  CV_ASSUME_DISTID: |-
+    {% if ansible_os_family == 'RedHat' %}OL
+    {%- if ansible_distribution_major_version is version('8', '<=') %}{{ ansible_distribution_major_version }}
+    {%- elif ansible_distribution_major_version is version('9', '=') %}8
+    {%- endif %}
+    {%- elif ansible_os_family == 'SuSE' %}SUSE{{ ansible_distribution_major_version }}
+    {%- endif %}
+
+# @var orahost_meta_java_options:description: >
+# The variable is used by `oracle_script_env` and passed
+# to shell: or command: through "environment:" keyword
+#
+# `java.io.tmpdir` is needed for FIPS configured systems,
+# because starting tools from `/tmp` is forbidden.
+# @end
+orahost_meta_java_options:
+  _JAVA_OPTIONS: >-
+    {% if oracle_tmp_stage != '/tmp' -%}
+    -Djava.io.tmpdir={{ oracle_tmp_stage }}
+    {%- endif %}
+
+# @var orahost_meta_java_options:description: >
+# The variable is used by `oracle_script_env` and passed
+# to shell: or command: through "environment:" keyword
+# @end
+orahost_meta_tmpdir:
+  TMPDIR: "{{ oracle_tmp_stage }}"
 
 # @var oracle_script_env:description: >
 # (Minimum) environment settings to pass to Oracle scripts.
 # Usually passed to shell: or command: through "environment:" keyword
 #
 # @end
-oracle_script_env:
-  TMPDIR: "{{ oracle_tmp_stage }}"
-  _JAVA_OPTIONS: "-Djava.io.tmpdir={{ oracle_tmp_stage }}"
-  # forward compatibility for GI < 19.7 on Linux 8/9
-  CV_ASSUME_DISTID: |-
-    {{ (ansible_facts.os_family == 'RedHat') | ternary('OL7', omit) }}
+oracle_script_env: |-
+  {{ orahost_meta_cv_assume_distid
+  | combine(orahost_meta_java_options)
+  | combine(orahost_meta_tmpdir)
 
 # @var oracle_seclimits:description: ulimit definition for orahost role.
 oracle_seclimits:

roles/oraswdb_install/vars/main.yml

@@ -23,7 +23,7 @@ _oraswdb_install_oracle_sw_image_db:
 _oraswdb_install_oracle_directories:
   - {name: "{{ oracle_stage }}", owner: "{{ oracle_user }}", group: "{{ oracle_group }}", mode: 775}
   - {name: "{{ oracle_rsp_stage }}", owner: "{{ oracle_user }}", group: "{{ oracle_group }}", mode: 775}
-  - {name: "{{ oracle_tmp_stage }}", owner: "{{ oracle_user }}", group: "{{ oracle_group }}", mode: 775}
+  - {name: "{{ oracle_tmp_stage }}", owner: root, group: root, mode: "u+rwx,g+rwx,o+rwxt"}
   - {name: "{{ oracle_base }}", owner: "{{ oracle_user }}", group: "{{ oracle_group }}", mode: 775}
   - {name: "{{ oracle_base }}/cfgtoollogs", owner: "{{ oracle_user }}", group: "{{ oracle_group }}", mode: 775}
   - {name: "{{ oracle_base }}/admin", owner: "{{ oracle_user }}", group: "{{ oracle_group }}", mode: 775}

roles/oraswgi_install/tasks/19.3.0.0.yml

@@ -169,6 +169,7 @@
           - "oracle_home_gi: {{ oracle_home_gi }}"
           - "apply RU before configuration: {{ patch_before_rootsh }}"
           - "{{ patch_before_rootsh | bool | ternary('patchru_dir: ' + __patchru_dir, '') }}"
+          - "oracle_script_env:   {{ oracle_script_env | default({}) }}"
       when:
         - _orasw_meta_primary_node | bool