kolla_toolbox misconfigured kolla_ansible_sudoers file

Bug #1776461 reported by Serhat Rıfat Demircan
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
kolla | Fix Released | Undecided | Unassigned |
kolla-ansible | Fix Released | Undecided | Unassigned |

Bug Description

Hello,

When we run the "kolla_ansible deploy" command, we get the following error while configuring OSDs on Ceph nodes.

2018-06-12 13:07:55,631 p=1033 u=root | fatal: [ceph15]: FAILED! => {"changed": false, "cmd": ["docker", "exec", "-t", "kolla_toolbox", "sudo", "-E", "ansible", "localhost", "-m", "find_disks", "-a", "partition_name='KOLLA_CEPH_OSD_BOOTSTRAP' match_mode='prefix' use_udev=True"], "delta": "18:17:43.723299", "end": "2018-06-12 13:07:55.521106", "failed_when_result": true, "msg": "non-zero return code", "rc": -9, "start": "2018-06-11 18:50:11.797807", "stderr": "", "stderr_lines": [], "stdout": "[sudo] password for ansible: ", "stdout_lines": ["[sudo] password for ansible: "]}

After we inspected the kolla_toolbox image, we discovered that the kolla_ansible_sudoers file is misconfigured. The ansible executable path "/usr/bin/ansible" is not in the sudoers file.

(kolla-toolbox)[root@ceph15 /]# cat /etc/sudoers.d/kolla_ansible_sudoers
ansible ALL=(root) NOPASSWD: /opt/ansible/bin/ansible localhost -m find_disks -a *, /usr/local/bin/ansible localhost -m find_disks -a *

(kolla-toolbox)[root@ceph15 /]# which ansible
/usr/bin/ansible

Tags: kollatoolbox
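
A check for the mismatch described in this report, as an added example that is not part of the bug thread or of kolla's code: it extracts the command paths from a sudoers NOPASSWD rule and tests whether the path reported by `which ansible` is among them. The function names are hypothetical, the two rule lines are the ones quoted on this page, and the parser assumes one rule per line with no aliases or line continuations.

```shell
#!/bin/sh
# Added example: compare the binary that "which ansible" resolves to with the
# command paths a sudoers file allows without a password.

# Print the executable path of every NOPASSWD command granted to USER.
# Reads sudoers text on stdin. Simplification: one rule per line, no
# Cmnd_Alias, no line continuations.
sudoers_binaries() {
    awk -v user="$1" '
        $1 == user && /NOPASSWD:/ {
            sub(/^.*NOPASSWD:[ \t]*/, "")      # keep only the command list
            n = split($0, cmds, ",")           # one entry per allowed command
            for (i = 1; i <= n; i++) {
                split(cmds[i], words)          # words[1] is the binary path
                print words[1]
            }
        }'
}

# Succeed only if BINARY is one of the paths USER may run without a password.
# Plain string comparison of paths; symlinks are not resolved.
sudoers_allows() {
    sudoers_binaries "$1" | grep -Fxq -- "$2"
}

# Rule lines copied from this page: the file found in the image, and the
# contents given in the workaround comment.
BROKEN='ansible ALL=(root) NOPASSWD: /opt/ansible/bin/ansible localhost -m find_disks -a *, /usr/local/bin/ansible localhost -m find_disks -a *'
FIXED='ansible ALL=(root) NOPASSWD: /usr/bin/ansible localhost -m find_disks -a *, /usr/local/bin/ansible localhost -m find_disks -a *'
RESOLVED=/usr/bin/ansible   # output of "which ansible" inside the container

report() {   # report LABEL SUDOERS_TEXT
    if printf '%s\n' "$2" | sudoers_allows ansible "$RESOLVED"; then
        echo "$1: $RESOLVED is covered by a NOPASSWD rule"
    else
        echo "$1: $RESOLVED is NOT covered; sudo will prompt for a password"
    fi
}

report "image as shipped" "$BROKEN"
report "workaround file" "$FIXED"

# Against a running container, feed the real file instead of the samples:
#   docker exec -u root kolla_toolbox cat /etc/sudoers.d/kolla_ansible_sudoers \
#     | sudoers_allows ansible "$(docker exec kolla_toolbox which ansible)"
```

Running the check before a deploy turns the hang seen in this report into an immediate failure, since a password prompt inside a non-interactive `docker exec` has nobody to answer it.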
Robert Duncan (rduncan-t) wrote :

I have seen this on Kolla_ansible 6.0.0 deploying binary queens on Ubuntu; it hangs forever, as in this bug: https://bugs.launchpad.net/kolla/+bug/1773911

You can copy the old sudoers file into kolla_toolbox; it's called 'kolla_ansible_sudoers'.

docker cp kolla_ansible_sudoers kolla_toolbox:/etc/sudoers.d/

The file contents should be:

ansible ALL=(root) NOPASSWD: /usr/bin/ansible localhost -m find_disks -a *, /usr/local/bin/ansible localhost -m find_disks -a *

Someone has broken it with this patch:
https://review.openstack.org/#/c/571723/

ByungYeol Woo (wby1089) wrote :

I faced the same issue at the 'Looking up disks for Swift' task.
In my case, Ubuntu 18.04's ansible was located at /usr/bin.

==== location of ansible
root@swift01:~# docker exec -u root -t kolla_toolbox cat /etc/sudoers.d/kolla_ansible_sudoers
ansible ALL=(root) NOPASSWD: /opt/ansible/bin/ansible localhost -m find_disks -a *, /usr/local/bin/ansible localhost -m find_disks -a *
root@swift01:~# docker exec -t kolla_toolbox which ansible
/usr/bin/ansible

I found that "kolla_toolbox -m find_disks" was executed without root permission.
So I changed kolla-ansible's "ansible/roles/swift/tasks/start.yml" file instead of using Robert's workaround.

===before
  command: docker exec -t kolla_toolbox sudo -E ansible localhost

===after
  command: docker exec -t kolla_toolbox ansible localhost

Jeffrey Zhang (jeffrey4l) wrote :

There is a mistake here.
A patch in kolla-ansible was merged ahead of the kolla patch.

https://review.openstack.org/#/q/I3c4465d5dfe4f909521fa00173f1cf8d9eec783f

This will fix the issue.

I'll mark this as fix committed.

Feel free to re-open it if you still have this issue.

Changed in kolla:
status: New → Fix Committed
Changed in kolla-ansible:
status: New → Fix Committed
Mark Goddard (mgoddard)
Changed in kolla:
status: Fix Committed → Fix Released
Changed in kolla-ansible:
status: Fix Committed → Fix Released