Document info about packages dropping their own sudo rules in /etc/sudoers.d

Bug #1311426 reported by Anne Gentle
Affects: openstack-manuals | Status: Fix Released | Importance: Medium | Assigned to: Matt Kassawara

Bug Description

Reported on the openstack mailing list:
I just spent a couple hours trying to figure this out so I thought I'd share.

I'm using the stackforge puppet modules and writing my own integration module to pull the individual modules together. That allows me to integrate better with our current puppet methodology and with local security policy.

One of the things we disallow, by accident actually, is packages dropping their own sudo rules in /etc/sudoers.d. All sudo rules must be explicitly specified and managed via puppet resources. As a side effect of this, when I went to start the nova metadata api on the controller node my logs blew up (as did the inboxes of my coworkers) with security violations from the nova metadata api attempting to use the nova root wrapper via sudo.

I thought it a little odd that the nova metadata api would need to do anything as root since I'm running the neutron metadata agents which already run actions as root. I figured out that this was coming from the nova.api.manager.MetadataManager class which I'm pretty sure isn't needed for neutron. I changed the value of metadata_manager in nova.conf to nova.manager.Manager and now the api service no longer needs the rootwrap sudo setup.

I couldn't find this documented anywhere, so hopefully this helps someone in the future.
-----
Not sure where to document this - Install Guide if it's distro-specific? Cloud Admin Guide? Maybe it's not a doc bug since it's a packaging problem?
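The failure mode in the report above (a package drop-in under /etc/sudoers.d that grants rootwrap via sudo although no puppet resource declares it) can be caught before the alerts fire by auditing the directory against the set of rules the site actually manages. The following is an added example and not code from the report or from any OpenStack project; the sudoers fragments and the managed-rule set are constructed, and the parser assumes one User_Spec per line with no aliases or backslash continuations.

```python
import re
from collections import namedtuple

# Constructed sample drop-ins (not copied from any real package). Assumption:
# one User_Spec per line, no backslash continuations and no aliases.
SAMPLE_SUDOERS_D = {
    "nova_sudoers": "Defaults:nova !requiretty\n"
                    "nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *\n",
    "neutron_sudoers": "neutron ALL=(root) NOPASSWD: /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *\n",
    "50-puppet": "# managed by puppet\nops ALL = (root) /usr/bin/systemctl restart openstack-*\n",
}
# Rules the site declares explicitly (e.g. as puppet resources), as (user, command).
MANAGED_RULES = {
    ("neutron", "/usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *"),
    ("ops", "/usr/bin/systemctl restart openstack-*"),
}

USER_SPEC = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT):\s*")
Rule = namedtuple("Rule", "source user runas command nopasswd")

def parse_sudoers(source, text):
    """Return one Rule per command granted by the User_Spec lines of a sudoers fragment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        nopasswd = False  # a tag applies to every following command in the list
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            while (t := TAG.match(cmd)):
                if t.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = t.group(1) == "NOPASSWD"
                cmd = cmd[t.end():]
            rules.append(Rule(source, m.group("user"), m.group("runas") or "root", cmd, nopasswd))
    return rules

def find_unmanaged(files, managed=MANAGED_RULES):
    """Rules present on disk that no managed resource declares, e.g. package drop-ins."""
    return [r for name, text in files.items() for r in parse_sudoers(name, text)
            if (r.user, r.command) not in managed]

for r in find_unmanaged(SAMPLE_SUDOERS_D):
    print(f"unmanaged sudo rule in {r.source}: {r.user} -> ({r.runas}) {r.command}")
```

On a real host, replace SAMPLE_SUDOERS_D with the contents of the files in /etc/sudoers.d and MANAGED_RULES with the rules exported from the configuration management system.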

Tom Fifield (fifieldt) wrote :

Idea: expand the "Passwords" section to be "Security", and add links to rootwrap information and firewall information.

Tom Fifield (fifieldt) wrote :

(in the install guide, that is)

Anne Gentle (annegentle) wrote :

Yes, I think the Install Guide would be good placement.

Changed in openstack-manuals:
status: New → Confirmed
importance: Undecided → Medium
tags: added: install-guide
Changed in openstack-manuals:
assignee: nobody → Matt Kassawara (ionosphere80)
status: Confirmed → In Progress
milestone: none → juno
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-manuals (master)

Fix proposed to branch: master
Review: https://review.openstack.org/117888

OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-manuals (master)

Reviewed: https://review.openstack.org/117888
Committed: https://git.openstack.org/cgit/openstack/openstack-manuals/commit/?id=80ca377eb8c4d2a448f707cdb663d5e0f0db857e
Submitter: Jenkins
Branch: master

commit 80ca377eb8c4d2a448f707cdb663d5e0f0db857e
Author: Matthew Kassawara <email address hidden>
Date: Fri Aug 29 20:46:59 2014 +0000

    Improve install guide security content

    I improved security content in the installation guide as
    follows:

    1) Renamed basic environment 'passwords' section to 'security' to
       generalize topic.
    2) Generalized existing content.
    3) Added content about administrative privilege requirements
       including potential interference with deployment automation
       tools.

    Recommend backporting to Icehouse.

    Change-Id: Ide9785728c7b52ee1dc59a533b3486b99ee11139
    Closes-Bug: #1311426
    backport: icehouse

Changed in openstack-manuals:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-manuals (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/118486

OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-manuals (stable/icehouse)

Reviewed: https://review.openstack.org/118486
Committed: https://git.openstack.org/cgit/openstack/openstack-manuals/commit/?id=ee9425a56e9f9200424f21cb372ffc6574d95b0a
Submitter: Jenkins
Branch: stable/icehouse

commit ee9425a56e9f9200424f21cb372ffc6574d95b0a
Author: Matthew Kassawara <email address hidden>
Date: Fri Aug 29 20:46:59 2014 +0000

    Improve install guide security content

    I improved security content in the installation guide as
    follows:

    1) Renamed basic environment 'passwords' section to 'security' to
       generalize topic.
    2) Generalized existing content.
    3) Added content about administrative privilege requirements
       including potential interference with deployment automation
       tools.

    Recommend backporting to Icehouse.

    Change-Id: Ide9785728c7b52ee1dc59a533b3486b99ee11139
    Closes-Bug: #1311426
    backport: icehouse
    (cherry picked from commit 80ca377eb8c4d2a448f707cdb663d5e0f0db857e)

tags: added: in-stable-icehouse
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-manuals 15.0.0

This issue was fixed in the openstack/openstack-manuals 15.0.0 release.
