Fuel for OpenStack

nova-rootwrap isn't used to run privsep command

Bug #1613754 reported by Dmitry Teselkin
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fuel for OpenStack
Fix Committed
High
Ivan Berezovskiy
Fuel for OpenStack 10.0

Bug Description

Custom system test [1] failed at OSTF phase on tests where volumes were involved. Looking into logs and env we found that it's because 'privsep' command failed to run, because of lack of permissions for nova user:

---
/var/log/nova/nova-compute.log: 2016-08-16 09:34:58.801 28203 INFO oslo.privsep.daemon [req-77f31146-b81c-4588-957c-6db8e09b4ebf 920c09eadcb84bdf9fb78a4cdf44acb3 65141265cab0494a84d1a2eea507086d - - -] Running privsep helper: ['sudo', 'privsep-helper', '--config-file', '/etc/nova/nova-compute.conf', '--config-file', '/etc/nova/nova.conf', '--privsep_context', 'os_brick.privileged.default', '--privsep_sock_path', '/tmp/tmp6_SrBA/privsep.sock']
---

---
/var/log/sudo.log:142:<81>Aug 16 09:34:59 node-3 sudo: nova : command not allowed ; TTY=unknown ; PWD=/var/lib/nova ; USER=root ; COMMAND=/usr/bin/privsep-helper --config-file /etc/nova/nova-compute.conf --config-file /etc/nova/nova.conf --privsep_context os_brick.privileged.default --privsep_sock_path /tmp/tmp6_SrBA/privsep.sock
---

---
/var/log/nova/nova-compute.log: 2016-08-16 09:34:59.080 28203 CRITICAL oslo.privsep.daemon [req-77f31146-b81c-4588-957c-6db8e09b4ebf 920c09eadcb84bdf9fb78a4cdf44acb3 65141265cab0494a84d1a2eea507086d - - -] privsep helper command exited non-zero (1)
---

Adding section privsep_osbrick (see below) to /etc/nova/nova.conf and restarting nova-compute service on every compute node fixed the issue:

---
[privsep_osbrick]
helper_command=sudo nova-rootwrap /etc/nova/rootwrap.conf privsep-helper --config-file /etc/nova/nova.conf
---

[1] https://custom-ci.infra.mirantis.net/job/10.0.custom.system_test/1075

See original description
Dmitry Teselkin (teselkin-d)
summary: - nova-rootwrap isn't able to run permsep command
+ nova-rootwrap isn't able to run privsep command
description: updated
Revision history for this message
Dmitry Teselkin (teselkin-d) wrote : Re: nova-rootwrap isn't able to run privsep command

It looks like the same should be done for cinder.conf, at least there are two similar commits in devstack [1], [2]

[1] https://review.openstack.org/#/c/277696/
[2] https://review.openstack.org/#/c/280031/

Revision history for this message
Dmitry Teselkin (teselkin-d) wrote :

https://review.openstack.org/#/c/355993/

summary: - nova-rootwrap isn't able to run privsep command
+ nova-rootwrap isn't used to run privsep command
Changed in fuel:
assignee: nobody → Ivan Berezovskiy (iberezovskiy)
importance: Undecided → High
Dmitry Teselkin (teselkin-d)
Changed in fuel:
status: New → In Progress
Ivan Berezovskiy (iberezovskiy)
Changed in fuel:
milestone: none → 10.0
Revision history for this message
Igor Yozhikov (iyozhikov) wrote :

We have got SUCCESSFUL deployment with passed OSTF tests: https://custom-ci.infra.mirantis.net/view/All/job/10.0.repos.custom.ubuntu.bvt_2/47/console

Test was launched with this PR - https://review.openstack.org/#/c/355993/.

Configuration files has been modified as expected.

OpenStack Infra (hudson-openstack)
Changed in fuel:
assignee: Ivan Berezovskiy (iberezovskiy) → Vladimir Kuklin (vkuklin)
Ivan Berezovskiy (iberezovskiy)
Changed in fuel:
assignee: Vladimir Kuklin (vkuklin) → Ivan Berezovskiy (iberezovskiy)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/355993
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=8791fee30b7b824142c5763e7bcb35fe0f3187d3
Submitter: Jenkins
Branch: master

commit 8791fee30b7b824142c5763e7bcb35fe0f3187d3
Author: iberezovskiy <email address hidden>
Date: Tue Aug 16 17:45:03 2016 +0300

    Configure privsep entrypoint for Nova and Cinder

    When os-brick starts using privsep, it will need to know how to invoke
    its privileged half. Amazingly the name of the rootwrap executable
    isn't anywhere else in the config, so the privsep default uses just
    "sudo" (no rootwrap). Required changes: set the privsep command line
    to use nova/cinder-rootwrap in nova/cinder.conf

    Similar changes in DevStack:
     * https://review.openstack.org/#/c/277696/
     * https://review.openstack.org/#/c/280031/

    Closes-bug: #1613754

    Change-Id: Ie2af71ff5d5a45f105d3e0395adeb2f153abf3ce

Changed in fuel:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/fuel-library 10.0.0rc1

This issue was fixed in the openstack/fuel-library 10.0.0rc1 release candidate.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/fuel-library 10.0.0

This issue was fixed in the openstack/fuel-library 10.0.0 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.