Cinder

incorrect rootwrap filters for lvm

Bug #1646053 reported by Matthew Thode on 2016-11-30

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Cinder	Fix Released	High	John Griffith

Bug Description

Not sure what else it could be

2016-11-30 07:18:48.263 26451 INFO cinder.volume.manager [req-bdc7d639-3aad-40d5-b364-f1bea84fb73d - - - - -] Starting volume driver LVMVolumeDriver (3.0.0)
2016-11-30 07:18:48.557 26451 ERROR cinder.volume.manager [req-bdc7d639-3aad-40d5-b364-f1bea84fb73d - - - - -] Failed to initialize driver.
2016-11-30 07:18:48.557 26451 ERROR cinder.volume.manager Traceback (most recent call last):
2016-11-30 07:18:48.557 26451 ERROR cinder.volume.manager File "/usr/lib64/python2.7/site-packages/cinder/volume/manager.py", line 415, in init_host
2016-11-30 07:18:48.557 26451 ERROR cinder.volume.manager self.driver.check_for_setup_error()
2016-11-30 07:18:48.557 26451 ERROR cinder.volume.manager File "/usr/lib64/python2.7/site-packages/cinder/volume/drivers/lvm.py", line 301, in check_for_setup_error
2016-11-30 07:18:48.557 26451 ERROR cinder.volume.manager self.configuration.lvm_suppress_fd_warnings))
2016-11-30 07:18:48.557 26451 ERROR cinder.volume.manager File "/usr/lib64/python2.7/site-packages/cinder/brick/local_dev/lvm.py", line 105, in __init__
2016-11-30 07:18:48.557 26451 ERROR cinder.volume.manager if self._vg_exists() is False:
2016-11-30 07:18:48.557 26451 ERROR cinder.volume.manager File "/usr/lib64/python2.7/site-packages/cinder/brick/local_dev/lvm.py", line 138, in _vg_exists
2016-11-30 07:18:48.557 26451 ERROR cinder.volume.manager run_as_root=True)
2016-11-30 07:18:48.557 26451 ERROR cinder.volume.manager File "/usr/lib64/python2.7/site-packages/cinder/utils.py", line 123, in execute
2016-11-30 07:18:48.557 26451 ERROR cinder.volume.manager return processutils.execute(*cmd, **kwargs)
2016-11-30 07:18:48.557 26451 ERROR cinder.volume.manager File "/usr/lib64/python2.7/site-packages/oslo_concurrency/processutils.py", line 389, in execute
2016-11-30 07:18:48.557 26451 ERROR cinder.volume.manager cmd=sanitized_cmd)
2016-11-30 07:18:48.557 26451 ERROR cinder.volume.manager ProcessExecutionError: Unexpected error while running command.
2016-11-30 07:18:48.557 26451 ERROR cinder.volume.manager Command: sudo cinder-rootwrap /etc/cinder/rootwrap.conf env LC_ALL=C LVM_SYSTEM_DIR=/etc/cinder vgs --noheadings -o name pfire-home-volumes
2016-11-30 07:18:48.557 26451 ERROR cinder.volume.manager Exit code: 99
2016-11-30 07:18:48.557 26451 ERROR cinder.volume.manager Stdout: u''
2016-11-30 07:18:48.557 26451 ERROR cinder.volume.manager Stderr: u'/usr/lib/python-exec/python2.7/cinder-rootwrap: Unauthorized command: LC_ALL=C LVM_SYSTEM_DIR=/etc/cinder vgs --noheadings -o name pfire-home-volumes (no filter matched)\n'

Tags:

Revision history for this message

Sean McGinnis (sean-mcginnis) wrote on 2016-12-01:

Can you provide the version of Cinder you are running?

Revision history for this message

Sean McGinnis (sean-mcginnis) wrote on 2016-12-01:

Also, make sure volumes.filter is in a directory defined in /etc/cinder/rootwrap.conf in the filters_path setting. The vgs command has been in volumes.filter since 2014, and all CI tests are passing, so the only thing I can think of is either your volumes.filter file is in the wrong location or it has been modified somehow.

Revision history for this message

Matthew Thode (prometheanfire) wrote on 2016-12-01:

f9519cca0562543c20ef9fbb23b47291d7e25db1 of stable/newton

The files are there as well, the volume.filters is the same as that which is in git.

John Griffith (john-griffith) on 2016-12-02

Changed in cinder:
status:	New → Confirmed
importance:	Undecided → High

Revision history for this message

John Griffith (john-griffith) wrote on 2016-12-02:

The problem is that rootwrap doesn't deal with the duplicate filters that we have delineated via the underscore. For example, we currently have:

vgs: EnvFilter, env, root, LC_ALL=C, vgs
and
vgs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, vgs

This doesn't work, the only valid filter that gets picked up for vgs cmds is the first one. Modifying the additional permutations to something like:
vgs2: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, vgs

addresses the issue. In the past we used to do regexs for these sorts of things and have single filter entry, not sure which is better, but ez fix is probably just to modify the entries rather than risk error-prone reg-exs.

Changed in cinder:
assignee:	nobody → John Griffith (john-griffith)

John Griffith (john-griffith) on 2016-12-02

tags:

added: newton-backport-potential

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-12-02: Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/405788

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-12-17: Fix merged to cinder (master)

Reviewed: https://review.openstack.org/405788
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=005ba243d657a1c353434fd26abb2a1d5a4c7b5e
Submitter: Jenkins
Branch: master

commit 005ba243d657a1c353434fd26abb2a1d5a4c7b5e
Author: John Griffith <email address hidden>
Date: Fri Dec 2 04:04:30 2016 +0000

Fix secondary lvm cmds rootwrap filters

    When using LVM the various cmds have a number of potential formats due
    to options like LVM_SUPPRESS_FD_WARNINGS and LVM_SYSTEM_DIR
    specifications. The volume.filters were set up to provide each
    combination by having a second, third and fourth version of the filter:

      # LVM related show commands
      pvs: EnvFilter, env, root, LC_ALL=C, pvs
      vgs: EnvFilter, env, root, LC_ALL=C, vgs
      lvs: EnvFilter, env, root, LC_ALL=C, lvs
      lvdisplay: EnvFilter, env, root, LC_ALL=C, lvdisplay

      # -LVM related show commands with suppress fd warnings
      pvs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, pvs
      vgs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, vgs
      lvs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvs
      lvs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvdisplay

    This no longer works, the first pvs/vgs/lvs filters will always get picked up
    and the cmds for any special configs will fail. We used to use regexs for this
    sort of thing, but then we switched to just adding unique filters. I'm not sure
    how this was working or why it doesn't seem to work as of Newton, but regardless,
    replacing the _xxxx with just an integer seems to work fine, rootwrap apparantly
    just doesn't like '_' or '-' in the filter name, so we'll change it to just use
    a digit appended to the filter name. There are some other filters that may need
    checked here as well.

Change-Id: I1a7c3048841c095a8e92795d7dfa0cb5c2a96645
Close-Bug: #1646053

Reviewed:  https://review.openstack.org/405788
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=005ba243d657a1c353434fd26abb2a1d5a4c7b5e
Submitter: Jenkins
Branch:    master

commit 005ba243d657a1c353434fd26abb2a1d5a4c7b5e
Author: John Griffith <john.griffith8@gmail.com>
Date:   Fri Dec 2 04:04:30 2016 +0000

Fix secondary lvm cmds rootwrap filters
    
    When using LVM the various cmds have a number of potential formats due
    to options like LVM_SUPPRESS_FD_WARNINGS and LVM_SYSTEM_DIR
    specifications.  The volume.filters were set up to provide each
    combination by having a second, third and fourth version of the filter:
    
      # LVM related show commands
      pvs: EnvFilter, env, root, LC_ALL=C, pvs
      vgs: EnvFilter, env, root, LC_ALL=C, vgs
      lvs: EnvFilter, env, root, LC_ALL=C, lvs
      lvdisplay: EnvFilter, env, root, LC_ALL=C, lvdisplay
    
      # -LVM related show commands with suppress fd warnings
      pvs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, pvs
      vgs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, vgs
      lvs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvs
      lvs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvdisplay
    
    This no longer works, the first pvs/vgs/lvs filters will always get picked up
    and the cmds for any special configs will fail.  We used to use regexs for this
    sort of thing, but then we switched to just adding unique filters.  I'm not sure
    how this was working or why it doesn't seem to work as of Newton, but regardless,
    replacing the _xxxx with just an integer seems to work fine, rootwrap apparantly
    just doesn't like '_' or '-' in the filter name, so we'll change it to just use
    a digit appended to the filter name.  There are some other filters that may need
    checked here as well.
    
    Change-Id: I1a7c3048841c095a8e92795d7dfa0cb5c2a96645
    Close-Bug: #1646053

Revision history for this message

Matthew Thode (prometheanfire) wrote on 2016-12-17:

backports?

Revision history for this message

Matthew Thode (prometheanfire) wrote on 2016-12-17:

at least newton has this as well

Sean McGinnis (sean-mcginnis) on 2017-05-28

Changed in cinder:
status:	Confirmed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.