kolla

ironic-base contains unnecessary sudoers entries

Bug #1678143 reported by Mark Goddard
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
kolla
Fix Released
Medium
Mark Goddard
kolla pike-2 "pike"

Bug Description

Recently the ironic-conductor image was modified to load the iscsi_tcp kernel module on startup to resolve bug 1667864. This change was applied to master and back ported to stable/ocata *after* the 4.0.0 release. That change introduced bug 1676466 which affects binary images due to the lack of a sudoers entry for the modprobe.

While the merged fix (https://review.openstack.org/#/c/450274) for bug 1676466 should resolve the issue, it adds unnecessary sudoers entries to the ironic-base image. There are two minor issues here.

1) The change reuses the sudoers file for the source build, which also provides a rootwrap entry referencing the kolla virtualenv which should not exist in the binary image.
2) The modprobe sudoers entry is required only in the ironic-conductor image, and not ironic-base or its other child images.

I think that the correct fix is to separate the modprobe iscsi_tcp bits into a separate sudoers file used by both source and binary builds in the ironic-conductor image (not ironic-base), then move the existing sudoers file in ironic-base back to just the source build.

Mark Goddard (mgoddard)
Changed in kolla:
assignee: nobody → Mark Goddard (mgoddard)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla (master)

Fix proposed to branch: master
Review: https://review.openstack.org/452207

Changed in kolla:
status: New → In Progress
Duong Ha-Quang (duonghq)
Changed in kolla:
importance: Undecided → Medium
milestone: none → pike-1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla (master)

Reviewed: https://review.openstack.org/452207
Committed: https://git.openstack.org/cgit/openstack/kolla/commit/?id=1c3336c8c9c1a77964041730973b4839c9a4c441
Submitter: Jenkins
Branch: master

commit 1c3336c8c9c1a77964041730973b4839c9a4c441
Author: Mark Goddard <email address hidden>
Date: Fri Mar 31 14:32:43 2017 +0100

    Use separate sudoers for ironic conductor modprobe

    The original fix (8b101b28a1040fd6b4753c09364106274d7e6e09) for bug
    1676466 added unnecessary entries to the sudoers file in the
    ironic-base image. These included a rootwrap entry pointing to the
    virtualenv used by source type images (not present in binary type
    images) and a modprobe iscsi_tcp which is only required by the
    ironic-conductor image.

    This change adds a single sudoers file for the iscsi_tcp modprobe
    to the ironic-conductor image and reverts to the common pattern of
    adding a sudoers file to ironic-base only for source type images.

    Change-Id: I89f1c4bd741de9ba184f14fcbcb708636616e420
    Closes-bug: #1678143
    Related-bug: #1676466
    Related-bug: #1667864

Changed in kolla:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla 5.0.0.0b2

This issue was fixed in the openstack/kolla 5.0.0.0b2 development milestone.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/557986

Revision history for this message
Sukhdev Kapur (sukhdev-8) wrote :

Folks, this is needed in stable/ocata as well as that release is broken as well.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla (stable/ocata)

Reviewed: https://review.openstack.org/557986
Committed: https://git.openstack.org/cgit/openstack/kolla/commit/?id=c67d4f9fb4a4522e8fa36871d81645cf0f6bedfd
Submitter: Zuul
Branch: stable/ocata

commit c67d4f9fb4a4522e8fa36871d81645cf0f6bedfd
Author: Mark Goddard <email address hidden>
Date: Fri Mar 31 14:32:43 2017 +0100

    Use separate sudoers for ironic conductor modprobe

    The original fix (8b101b28a1040fd6b4753c09364106274d7e6e09) for bug
    1676466 added unnecessary entries to the sudoers file in the
    ironic-base image. These included a rootwrap entry pointing to the
    virtualenv used by source type images (not present in binary type
    images) and a modprobe iscsi_tcp which is only required by the
    ironic-conductor image.

    This change adds a single sudoers file for the iscsi_tcp modprobe
    to the ironic-conductor image and reverts to the common pattern of
    adding a sudoers file to ironic-base only for source type images.

    Change-Id: I89f1c4bd741de9ba184f14fcbcb708636616e420
    Closes-bug: #1678143
    Related-bug: #1676466
    Related-bug: #1667864
    (cherry picked from commit 1c3336c8c9c1a77964041730973b4839c9a4c441)

tags: added: in-stable-ocata
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla 4.0.5

This issue was fixed in the openstack/kolla 4.0.5 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.