Installation of Red Hat Satellite 6 on RHEL 8 fails on db:migrate step if the DISA STIG security profile has been applied on the OS

Solution Verified - Updated

Environment

  • Red Hat Satellite 6.11 and later
  • Red Hat Enterprise Linux 8

Issue

  • After applying the DISA STIG security profile to a RHEL 8 system, it is not possible to install Red Hat Satellite 6.11+ on that system.

  • The following errors have been observed during the execution of the satellite-installer command.

    2022-08-02 11:08:30 [ERROR ] [configure] '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0]
    2022-08-02 11:08:30 [ERROR ] [configure] /Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate]/returns: change from 'notrun' to ['0'] failed: '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0]   
    

Resolution

As mentioned in the solution article 3198782, Red Hat does not support security hardening (DISA/CIS/STIG) of the operating system on which Red Hat Satellite/Capsule will be installed.

Red Hat Satellite 6.15:

Although the necessary rulesets were created and deployed for fapolicyd in Red Hat Satellite 6.15, the installation may still fail on the same db:migrate step.

  • The solution is to restart the fapolicyd service and then resume the installation effort.

    # systemctl restart fapolicyd
    # foreman-rake db:migrate --trace --verbose
    # satellite-installer -S satellite
    

Red Hat Satellite 6.14 and earlier:

To complete the Satellite installation, follow the steps below:

  • Disable and stop the fapolicyd service.

    # systemctl stop fapolicyd
    # systemctl disable fapolicyd
    
  • Execute the foreman-rake db:migrate --trace command manually. It should end without showing any errors or tracebacks.

    • If there are no errors, re-run the satellite-installer command that was failing earlier and observe its progress.

    • If new errors appear, consider removing all the hardening done on the OS before trying to re-run the failed step.

NOTE:
It is possible to configure custom rules for fapolicyd as described in this solution article, but it is neither officially recommended nor supported. Configure fapolicyd rules at your own risk, and only if it is an absolute necessity.

 

Reach out to Red Hat Technical Support if you have any further concerns or need assistance.

Root Cause

The fapolicyd rules were preventing the rake binary from being executed, which caused the db:migrate action to fail.

Diagnostic Steps

  • Around the time of the failure, the following errors were logged in the /var/log/foreman-installer/satellite.log file.

    2022-08-02 15:55:10 [DEBUG ] [configure] Exec[foreman-rake-db:migrate](provider=posix): Executing check '/usr/sbin/foreman-rake db:abort_if_pending_migrations'
    2022-08-02 15:55:10 [DEBUG ] [configure] Executing with uid=foreman: '/usr/sbin/foreman-rake db:abort_if_pending_migrations'
    ...
    2022-08-02 15:55:10 [DEBUG ] [configure] /Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate]/unless: /usr/bin/rake:23:in `load': cannot load such file -- /usr/share/gems/gems/rake-13.0.1/exe/rake (LoadError)
    ...
    2022-08-02 15:55:10 [DEBUG ] [configure] /Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate]/unless:         from /usr/bin/rake:23:in `<main>'
    2022-08-02 15:55:10 [DEBUG ] [configure] Exec[foreman-rake-db:migrate](provider=posix): Executing '/usr/sbin/foreman-rake db:migrate'
    2022-08-02 15:55:10 [DEBUG ] [configure] Executing with uid=foreman: '/usr/sbin/foreman-rake db:migrate'
    ...
    2022-08-02 15:55:11 [ERROR ] [configure] /Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate]: Failed to call refresh: '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0]   
    
  • The fapolicyd service was found to be running on the affected satellite server.

       * fapolicyd.service - File Access Policy Daemon
          Loaded: loaded (/usr/lib/systemd/system/fapolicyd.service; enabled; vendor preset: disabled)
          Active: active (running) since Tue 2022-08-02 15:28:03 GMT; 41min ago
            Docs: man:fapolicyd(8)
        Main PID: 1671 (fapolicyd)
           Tasks: 4 (limit: 204874)
          Memory: 233.3M
          CGroup: /system.slice/fapolicyd.service
                  `-1671 /usr/sbin/fapolicyd
    
       Aug 02 15:55:21 satellite.example.com fapolicyd[1671]: Loading data from rpmdb backend
       Aug 02 15:55:21 satellite.example.com fapolicyd[1671]: Loading data from file backend
       Aug 02 15:55:21 satellite.example.com fapolicyd[1671]: Updated
       Aug 02 15:56:57 satellite.example.com fapolicyd[1671]: It looks like there was an update of the system... Syncing DB.
       Aug 02 15:56:57 satellite.example.com fapolicyd[1671]: Loading rpmdb backend
       Aug 02 15:56:58 satellite.example.com fapolicyd[1671]: Updating database
       Aug 02 15:56:58 satellite.example.com fapolicyd[1671]: Creating database
       Aug 02 15:56:58 satellite.example.com fapolicyd[1671]: Loading data from rpmdb backend
       Aug 02 15:56:59 satellite.example.com fapolicyd[1671]: Loading data from file backend
       Aug 02 15:56:59 satellite.example.com fapolicyd[1671]: Updated   
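
The two checks above (the LoadError signature in the installer log and the state of the fapolicyd service) can be combined into one triage function. This is an added example, not part of the original article or of Red Hat's tooling; SERVICE_STATE and SYSROOT are hypothetical overrides that allow it to be run offline against a copied log.

```sh
#!/bin/sh
# Added triage example; not part of the original article.
# SERVICE_STATE and SYSROOT are hypothetical overrides for offline use;
# leave both unset when running on the Satellite host itself.

# Print each path Ruby reported as unloadable (LoadError), de-duplicated.
blocked_paths() {
    sed -n 's/.*cannot load such file -- \(\/[^ ]*\) (LoadError).*/\1/p' "$1" | sort -u
}

# Succeed if the installer log records db:migrate exiting with status 1.
migrate_failed() {
    grep -q "foreman-rake db:migrate' returned 1 instead of one of \[0\]" "$1"
}

# Succeed if fapolicyd is currently active.
fapolicyd_active() {
    state="${SERVICE_STATE:-$(systemctl is-active fapolicyd 2>/dev/null || true)}"
    [ "$state" = "active" ]
}

# Print one verdict for the given log:
#   no-migrate-failure  the db:migrate error is not in this log
#   fapolicyd-likely    db:migrate failed, Ruby could not load a file that is
#                       present on disk, and fapolicyd is running
#   other-cause         db:migrate failed but the pattern does not match
triage() {
    log="$1"
    migrate_failed "$log" || { echo "no-migrate-failure"; return 0; }
    present=0
    for path in $(blocked_paths "$log"); do
        # A file that exists yet cannot be loaded points at an access-control
        # layer rather than a missing gem (heuristic, not proof).
        if [ -e "${SYSROOT:-}$path" ]; then present=1; fi
    done
    if [ "$present" -eq 1 ] && fapolicyd_active; then
        echo "fapolicyd-likely"
    else
        echo "other-cause"
    fi
}

# Usage on the Satellite host:
#   triage /var/log/foreman-installer/satellite.log
```

A verdict of fapolicyd-likely means the Resolution steps for the installed Satellite version apply; other-cause means the db:migrate failure needs separate investigation.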
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.