Pacemaker sets umask to 026 instead of 022

Bug #1397284 reported by Andrey Epifanov
Affects              Status         Importance  Assigned to        Milestone
Fuel for OpenStack   Fix Released   High        Vladimir Kuklin
  4.1.x              Fix Committed  High        Sergey Kolekonov
  5.0.x              In Progress    High        MOS Maintenance
  5.1.x              Fix Committed  High        Vladimir Kuklin
  6.0.x              Fix Committed  High        Vladimir Kuklin
  6.1.x              Fix Released   High        Vladimir Kuklin

Bug Description

OpenStack services create some files (PID files, namespaces, etc.) using rootwrap and read them later. It means that these files should have read permission for all, which is actually the default behavior, but sometimes on CentOS we can see that files were created without read permission for all (why?!) and OS services failed to read them.
For now we have a couple of bugs with this root cause:
https://bugs.launchpad.net/neutron/+bug/1311804
https://bugs.launchpad.net/fuel/+bug/1310926
https://bugs.launchpad.net/neutron/+bug/1331502

To fix this issue we can set umask 0022 for the OS services in the OCF scripts or something like this...

Revision history for this message
Andrey Epifanov (aepifanov) wrote :

Comment from https://bugs.launchpad.net/neutron/+bug/1311804:

Ryan Moe (rmoe) wrote on 2014-06-04: #8
This was only a problem on CentOS. The issue was that Pacemaker sets the umask to 026 (this is hard-coded) which gets inherited by all processes that get launched. A umask of 026 is how we ended up with 751 permissions on a bunch of different things.

Revision history for this message
Matthew Mosesohn (raytrac3r) wrote :

Marking as medium because identifying pids and namespaces is not as enormous a security risk as it would be to expose sensitive password data. It should be simple to include umask declarations in our OCF scripts or init scripts to ensure correct file creation behavior.

Changed in fuel:
assignee: nobody → Fuel Library Team (fuel-library)
milestone: none → 6.1
importance: Undecided → Medium
status: New → Confirmed
tags: added: low-hanging-fruit
summary: - Default read permission for all on CentOS
+ Pacemaker umask set to 026 for some strange reason
Changed in fuel:
importance: Medium → High
summary: - Pacemaker umask set to 026 for some strange reason
+ Pacemaker umask sets to 026 for some strange reason
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/139130
Committed: https://git.openstack.org/cgit/stackforge/fuel-library/commit/?id=d33dd473bf49f88f70cb1e5b693979b866d8ee60
Submitter: Jenkins
Branch: master

commit d33dd473bf49f88f70cb1e5b693979b866d8ee60
Author: Vladimir Kuklin <email address hidden>
Date: Thu Dec 4 20:51:55 2014 +0300

    Set neutron OCF scripts umask to 0022

    For some reason pacemaker sets umask to 0026
    which leads to 0751 rights set for neutron
    agents scripts, which in turn create
    some of files with these rights set, which
    in turn can make metadata proxy process
    unmanageable, making router hang.

    Change-Id: I146f96c2215aff95af9fd53682f501f3a1b90349
    Closes-bug: #1392330
    Related-bug: #1397284
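
The following is an added example, not code from this bug report or from fuel-library. It demonstrates the mechanism Ryan Moe describes above (an inherited umask of 026 yields 751 directories and 640 files, so the neutron user can no longer read what rootwrap created) and the shape of the fix in the commit above (reset umask to 0022 in the OCF start action before the agent creates anything). It assumes GNU coreutils (stat -c %a, mktemp -d) and a POSIX sh; the pid file path is a temporary one, not neutron's real location.

```shell
#!/bin/sh
# Added example (not from the bug report or fuel-library): how an inherited
# umask changes the mode of files a service creates, and the umask 0022 reset
# the OCF-script fix applies before launching the agent.

# Mode a process would get for a directory and a file under the given umask.
# Runs in a subshell so the caller's own umask is untouched. Prints "DIR FILE".
# Assumes GNU coreutils stat (-c %a).
modes_under_umask() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"
        mkdir "$tmp/d"      # directories are requested with mode 777
        : > "$tmp/f"        # regular files are requested with mode 666
    )
    printf '%s %s\n' "$(stat -c %a "$tmp/d")" "$(stat -c %a "$tmp/f")"
    rm -rf "$tmp"
}

# The same rule done arithmetically, one octal digit at a time:
# effective = requested & ~umask. Both arguments are three octal digits;
# a leading fourth zero (0022) is accepted and dropped.
effective_mode() {
    req=$1
    mask=$2
    if [ ${#mask} -eq 4 ]; then
        mask=${mask#0}
    fi
    out=""
    i=1
    while [ "$i" -le 3 ]; do
        r=$(printf '%s' "$req" | cut -c "$i")
        m=$(printf '%s' "$mask" | cut -c "$i")
        out="$out$(( r & (7 - m) ))"   # ~m within three bits equals 7 - m
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Simulates the fix: the start action inherits umask 026 from its parent,
# resets it to 0022, then writes its pid file. Prints the pid file's mode.
# The pid file path here is a constructed temporary one.
start_with_umask_reset() {
    tmp=$(mktemp -d) || return 1
    (
        umask 026            # what the launched OCF script inherits
        umask 0022           # the one-line reset the fix adds
        echo 12345 > "$tmp/agent.pid"
    )
    stat -c %a "$tmp/agent.pid"
    rm -rf "$tmp"
}

# Defender's check: does a running process still carry the bad umask?
# Linux 4.7+ exposes it as the "Umask:" line of /proc/PID/status.
# Prints the umask, or nothing if the kernel does not expose it.
process_umask() {
    awk '/^Umask:/ { print $2 }' "/proc/$1/status" 2>/dev/null
}

# Stand-alone run: show the modes under both masks and after the reset.
printf 'umask 026  -> dir/file modes: %s\n' "$(modes_under_umask 026)"
printf 'umask 0022 -> dir/file modes: %s\n' "$(modes_under_umask 0022)"
printf 'pid file after umask reset:    %s\n' "$(start_with_umask_reset)"
```

Running it prints "751 640" for umask 026 and "755 644" for umask 0022, which is exactly the 751 the thread reports; process_umask can be run against the pid of an agent started by Pacemaker to confirm the reset took effect on a live node.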

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to fuel-library (stable/5.1)

Related fix proposed to branch: stable/5.1
Review: https://review.openstack.org/139938

Revision history for this message
Mike Scherbakov (mihgen) wrote : Re: Pacemaker umask sets to 026 for some strange reason

This bug is High priority. After HCF we provide fixes only for critical bugs, create a new RC, and respin the QA cycle. We are about to release today or tomorrow, and this is not a critical bug, so according to our workflow it is Won't Fix for 5.1.1.

We also need to clarify if it affects 6.1 or it was already fixed in 6.0 (currently it's in Confirmed state for 6.1, and related fix was already landed to master).

Revision history for this message
Dmitry Borodaenko (angdraug) wrote :

In line with Mike's comment #5, I've set status to In Progress for 5.1.x, milestone set to 5.1.2.

Please clarify if the commit that was merged to master is sufficient to close this bug, or what else needs to be done. Status for 6.1.x set to In Progress for now.

Changed in fuel:
status: Confirmed → In Progress
Revision history for this message
Dmitry Borodaenko (angdraug) wrote :

Looks like we've tried to fix this problem a few times before in bug #1310926.

summary: - Pacemaker umask sets to 026 for some strange reason
+ Pacemaker sets umask to 026 instead of 022
Revision history for this message
Dmitry Borodaenko (angdraug) wrote :

No update since my last comment, reset status back to Confirmed, target to old release series down to 4.1.x.

Revision history for this message
Dmitry Borodaenko (angdraug) wrote :

As per discussion with Ryan and Andrew, status changed to Opinion: the fact that Pacemaker sets umask to 026 is not something we should change; what we should change is how we deal with that fact in OpenStack components and Fuel OCF scripts, as was done in bug #1392330.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to fuel-library (stable/5.1)

Reviewed: https://review.openstack.org/139938
Committed: https://git.openstack.org/cgit/stackforge/fuel-library/commit/?id=4ddb9fb81d11bb4ff845ae06cee688924c6e4ce7
Submitter: Jenkins
Branch: stable/5.1

commit 4ddb9fb81d11bb4ff845ae06cee688924c6e4ce7
Author: Vladimir Kuklin <email address hidden>
Date: Thu Dec 4 20:51:55 2014 +0300

    Set neutron OCF scripts umask to 0022

    For some reason pacemaker sets umask to 0026
    which leads to 0751 rights set for neutron
    agents scripts, which in turn create
    some of files with these rights set, which
    in turn can make metadata proxy process
    unmanageable, making router hang.

    Change-Id: I146f96c2215aff95af9fd53682f501f3a1b90349
    Related-bug: #1397284

Revision history for this message
Roman Alekseenkov (ralekseenkov) wrote :

Vova - can you please bring this to closure?

Let's identify where to fix this (Fuel vs. OpenStack) and go from there. Right now it's stuck in Opinion state.

Revision history for this message
Dmitry Borodaenko (angdraug) wrote :

Roman, this bug is about Pacemaker (which we believe is the wrong place to fix this problem, which is why it is set to Opinion), the umask fix in the OCF scripts that resolves the same problem is tracked in bug #1392330.

Revision history for this message
Bogdan Dobrelya (bogdando) wrote :

The fix was committed for the 4.1, 5.1 and 6.0 releases, see https://review.openstack.org/#/q/I146f96c2215aff95af9fd53682f501f3a1b90349,n,z

Revision history for this message
Anastasia Palkina (apalkina) wrote :

Verified on ISO #126

"build_id": "2015-02-15_22-54-44", "ostf_sha": "f9c37d0876141e1550eb4e703a8e500cd463282f", "build_number": "126", "release_versions": {"2014.2-6.1": {"VERSION": {"build_id": "2015-02-15_22-54-44", "ostf_sha": "f9c37d0876141e1550eb4e703a8e500cd463282f", "build_number": "126", "api": "1.0", "nailgun_sha": "1e3a40dd8a17abe1d38f42da1e0dc1a6d4572666", "production": "docker", "python-fuelclient_sha": "61431ed16fc00039a269424bdbaa410277eff609", "astute_sha": "1f87a9b9a47de7498b4061d15a8c7fb9435709d5", "feature_groups": ["mirantis"], "release": "6.1", "fuelmain_sha": "2054229e275d08898b5d079a6625ffcc79ae23b8", "fuellib_sha": "7f8d4382abfcd4338964182ebfea1d539f963e66"}}}, "auth_required": true, "api": "1.0", "nailgun_sha": "1e3a40dd8a17abe1d38f42da1e0dc1a6d4572666", "production": "docker", "python-fuelclient_sha": "61431ed16fc00039a269424bdbaa410277eff609", "astute_sha": "1f87a9b9a47de7498b4061d15a8c7fb9435709d5", "feature_groups": ["mirantis"], "release": "6.1", "fuelmain_sha": "2054229e275d08898b5d079a6625ffcc79ae23b8", "fuellib_sha": "7f8d4382abfcd4338964182ebfea1d539f963e66"

[root@node-13 ~]# ps aux | grep neutron
neutron 415 1.7 2.2 182244 42452 ? S Feb16 18:00 /usr/bin/python /usr/bin/neutron-dhcp-agent --config-file=/etc/neutron/neutron.conf --config-file=/etc/neutron/dhcp_agent.ini --log-file=/var/log/neutron/dhcp-agent.log
neutron 917 1.7 1.4 190524 28028 ? S Feb16 18:12 /usr/bin/python /usr/bin/neutron-l3-agent --config-file=/etc/neutron/neutron.conf --config-file=/etc/neutron/l3_agent.ini --log-file=/var/log/neutron/l3-agent.log
root 3254 0.0 0.0 78640 916 ? S Feb16 0:00 sudo neutron-rootwrap /etc/neutron/rootwrap.conf ovsdb-client monitor Interface name,ofport --format=json
root 3257 0.0 0.1 93924 2316 ? S Feb16 0:00 /usr/bin/python /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf ovsdb-client monitor Interface name,ofport --format=json
nobody 4611 0.0 0.0 12984 424 ? S Feb16 0:00 dnsmasq --no-hosts --no-resolv --strict-order --bind-interfaces --interface=tap44425bdb-a5 --except-interface=lo --pid-file=/var/lib/neutron/dhcp/9b778c8c-405e-49fe-999e-41dafa53cbad/pid --dhcp-hostsfile=/var/lib/neutron/dhcp/9b778c8c-405e-49fe-999e-41dafa53cbad/host --addn-hosts=/var/lib/neutron/dhcp/9b778c8c-405e-49fe-999e-41dafa53cbad/addn_hosts --dhcp-optsfile=/var/lib/neutron/dhcp/9b778c8c-405e-49fe-999e-41dafa53cbad/opts --leasefile-ro --dhcp-range=set:tag0,192.168.111.0,static,600s --dhcp-lease-max=256 --conf-file= --domain=openstacklocal
neutron 4841 0.6 1.1 201312 22904 ? S Feb16 6:21 /usr/bin/python /usr/bin/neutron-metadata-agent --config-file=/etc/neutron/neutron.conf --config-file=/etc/neutron/metadata_agent.ini --log-file=/var/log/neutron/metadata-agent.log
neutron 5416 0.0 0.2 283036 4876 ? S Feb16 0:00 /usr/bin/python /usr/bin/neutron-metadata-agent --config-file=/etc/neutron/neutron.conf --config-file=/etc/neutron/metadata_agent.ini --log-file=/var/log/neutron/metadata-agent.log
root 7708 0.0 0.0 103248 880 pts/2 S+ 09:49 0:00 grep neutron
root 9331 0.0 0.0 162732 1652 ?...


Revision history for this message
Roman Rufanov (rrufanov) wrote :

customer found on 5.1

tags: added: customer-found support
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on fuel-library (stable/5.0)

Change abandoned by Fuel DevOps Robot (<email address hidden>) on branch: stable/5.0
Review: https://review.openstack.org/146248
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.
