sudo 1.8.10 is required

Bug #1336574 reported by Pavel Chekin
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mirantis OpenStack | Won't Fix | High | MOS Linux | |
| 6.0.x | Won't Fix | High | MOS Linux | |
| 6.1.x | Won't Fix | High | MOS Linux | |
| 7.0.x | Won't Fix | High | MOS Linux | |

Bug Description

We need to support the 'probe_interfaces' setting in sudo.conf, and this setting is only available in sudo version 1.8.10 and higher.
MOS 5.x CentOS contains sudo-1.8.6p3-12
MOS 5.x Ubuntu contains sudo_1.8.3p1-1

Tags: mos-linux
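
The version requirement in the description can be checked mechanically. This added example (not code from the bug report or from sudo) compares sudo version strings against 1.8.10 and reads the Set probe_interfaces line from a sudo.conf file. The function names and the sample file are constructed, and treating the last matching Set line as the effective one is an assumption.

```sh
# Added example: helper names and the sample sudo.conf are constructed.

# Succeeds when sudo version $1 >= $2. Splits on "." and the patch-level
# "p", so 1.8.10 sorts above 1.8.9p4 (a plain string compare would not).
sudo_version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, /[.p]/); split(b, y, /[.p]/)
        for (i = 1; i <= 4; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Prints the value of "Set probe_interfaces" in sudo.conf file $1, or
# "true" (sudo probes by default) when the file does not set it.
# Assumption: if the line appears more than once, the last one wins.
probe_interfaces_setting() {
    awk '{ sub(/#.*/, "") }
         $1 == "Set" && $2 == "probe_interfaces" { v = $3 }
         END { print (v == "" ? "true" : v) }' "$1"
}

# Classifies a host from its sudo version ($1) and sudo.conf path ($2).
probe_status() {
    if ! sudo_version_ge "$1" 1.8.10; then
        # Upstream threshold only: a distro build may carry a backport.
        echo "pre-1.8.10"
    elif [ "$(probe_interfaces_setting "$2")" = "false" ]; then
        echo "disabled"
    else
        echo "probing"
    fi
}

# Constructed sample sudo.conf.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
# Set probe_interfaces true
Set probe_interfaces false   # skip interface enumeration
EOF

for v in 1.8.3p1 1.8.6p3 1.8.9p4 1.8.10; do
    echo "$v: $(probe_status "$v" "$sample_conf")"
done
```

With probing disabled, sudo no longer passes the local interface addresses to the policy plugin, so sudoers rules that match the host by IP address or network should be reviewed before the setting is rolled out.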
Changed in mos:
assignee: MOS Linux (mos-linux) → Alexei Sheplyakov (asheplyakov)
Alexei Sheplyakov (asheplyakov) wrote :

Are any other features available in 1.8.10 required? Can we just backport the patch which introduces the `probe_interfaces' option?

Pavel Chekin (pchekin) wrote :

Yes, we can backport `probe_interfaces' setting feature only

Alexei Sheplyakov (asheplyakov) wrote :

Apparently the code which handles sudo.conf changed radically between 1.8.3 and 1.8.10. Thus backporting is hardly a viable solution. On the other hand update to 1.8.10 might break the whole system (for one, lots of OpenStack components do use sudo). Also we'd need to maintain the sudo package during the MOS 5.1 lifetime.

Therefore I propose to disable probing network interfaces unconditionally (with a one-line patch) to avoid sudo slowdown with many network interfaces (which is presumably the point of updating to 1.8.10).

Pavel Chekin (pchekin) wrote :

We need to maintain the sudo package either it contains a one-line patch or a whole 1.8.10 version, correct?
Anyways, please propose the one-line patch you mentioned.

Pavel Chekin (pchekin) wrote :

After several internal discussions we decided that the best solution is to upgrade to 1.8.10 and verify it thoroughly, including deployment.

Alexei Sheplyakov (asheplyakov) wrote :

It looks like the version of sudo shipped with Ubuntu 14.04 supports the `probe_interfaces' option. Can we use that version (basically 1.8.9p4 with a few backports from 1.8.10) for Ubuntu? This way we get security fixes for free (14.04 is an LTS release).

Pavel Chekin (pchekin) wrote :

Sure, we can do it for Ubuntu. Any ideas for CentOS?

Alexei Sheplyakov (asheplyakov) wrote :

Backported upstream patch (commit e9dc28c7db60 from http://www.sudo.ws/repos/sudo) for the version of sudo shipped with CentOS 6.5

Alexei Sheplyakov (asheplyakov) wrote :

I've tried to build sudo 1.8.9p4 (the version included in Ubuntu 14). Obviously the build failed. The cause is that debian/rules was trying to update libtool/autoconf/etc helper scripts/macros, and the source contains newer versions of those scripts. I've disabled this, thus the sudo binary (and several plugins) can be built now. However, building the package still fails with the following error:

dh_installman: Could not determine section for build-simple/doc/sudo.mdoc
make: *** [binary-arch] Error 255
dpkg-buildpackage: error: fakeroot debian/rules binary gave error exit status 2
debuild: fatal error at line 1350:
dpkg-buildpackage -rfakeroot -D -us -uc -b failed

Newer versions of sudo use mdoc for documentation, and the dh_installman version from Ubuntu 12.04 cannot handle those. Updating dh_* helpers is not an option (mixing different versions of Debian build utilities is really a bad idea). Perhaps we can move various documentation files into the right locations manually. Any better ideas?

Pavel Chekin (pchekin) wrote :

Can we skip man pages installation for this package at the moment? This is a temporary solution and I am hoping it will be fixed after switching to Ubuntu 14.04 for MOS 6.0

Alexei Sheplyakov (asheplyakov) wrote :

Skipping man pages installation yields yet another build error (lintian complains 'binary with no manual page').
Rather than fighting with packaging scripts I've backported the `probe_interfaces' option for the version 1.8.3p1 (the one from Ubuntu 12.04). The patch is rather small:

diffstat -p1 < sudo-1.8.3p1-probe-interfaces.patch
 plugins/sudoers/testsudoers.c | 39 +++++++++++++++++++++++++++++++++++++++
 src/load_plugins.c | 29 ++++++++++++++++++++++++++++-
 src/net_ifs.c | 8 +++++++-
 src/sudo.c | 2 ++
 4 files changed, 76 insertions(+), 2 deletions(-)

and more than a half of the patch updates the unit test (testsudoers.c)

Alexei Sheplyakov (asheplyakov) wrote :

The customized sudo package for Ubuntu 12.04 is under review at the moment, see https://gerrit.mirantis.com/#/c/18057

Unfortunately the automatic test which tries to install and remove packages fails. The cause of failure is that sudo is a bit special in Ubuntu. Root password is blocked by default in Ubuntu, and sudo is required to gain root privileges. Therefore removing sudo requires some additional steps (like setting the root password). The sudo-ldap package conflicts with the ordinary sudo, so installing sudo-ldap involves removing sudo, which fails (unless the root password has been set). Also the installation/removal tests seem to rely on sudo.

The customized sudo package for CentOS 6.5 is being reviewed here: https://gerrit.mirantis.com/#/c/18031

Alexei Sheplyakov (asheplyakov) wrote :

Pavel, could you please clarify if we actually need the customized packages?
MOS 5.1 is already frozen, thus these packages won't get into 5.1.x. On the other hand 6.x is going to switch to Ubuntu 14.04 (CentOS 7), and these distributions contain recent enough versions of sudo (which support the `probe_interfaces' option).

Pavel Chekin (pchekin) wrote :

Alexei, you are right. Let's postpone sudo upgrade at the moment and wait for updated Ubuntu/CentOS in MOS 6.0

Alexei Sheplyakov (asheplyakov) wrote :

Apparently MOS 6.0 will be based on CentOS 6.5 (switching to the new versions of both Ubuntu and CentOS is kind of risky). Therefore it looks like we do need a customized package for CentOS 6.5

Changed in mos:
milestone: 5.1 → 6.0
Changed in mos:
status: New → In Progress
Changed in mos:
milestone: 6.0 → 6.1
Michael Semenov (msemenov) wrote :
Alexei Sheplyakov (asheplyakov) wrote :

sudo version 1.8.9p5-1ubuntu1 (which is shipped with Ubuntu 14.04) supports the `probe_interfaces' option, thus no patches are necessary

Aleksander Mogylchenko (amogylchenko) wrote :

We need them for CentOS. But if those won't appear, 7.0 will also have proper sudo version. So we may probably close this ticket.

Alexei Sheplyakov (asheplyakov) wrote :
Michael Semenov (msemenov) wrote :

Proper version should come in MOS 7.0 with upgrade to CentOS 7.0.

Aleksander Mogylchenko (amogylchenko) wrote :

MOS 7.0 won't provide CentOS deployment.

Changed in mos:
status: Triaged → Won't Fix