Sudoers / rootwrap - no tty present and no askpass program specified

Bug #1182616 reported by Endre Karlson on 2013-05-21
This bug affects 6 people
Affects Status Importance Assigned to Milestone
neutron
Undecided
Unassigned

Bug Description

2013-05-21 19:59:54 DEBUG [quantum.agent.linux.utils]
Command: ['sudo', 'ip', 'netns', 'exec', 'qdhcp-1f93a3a9-a4fa-473a-a1b6-23aee3a92ca5', 'quantum-ns-metadata-proxy', '--pid_file=/var/lib/quantum/external/pids/1f93a3a9-a4fa-473a-a1b6-23aee3a92ca5.pid', '--network_id=1f93a3a9-a4fa-473a-a1b6-23aee3a92ca5', '--state_path=/var/lib/quantum', '--metadata_port=80', '--debug', '--verbose', '--log-file=quantum-ns-metadata-proxy1f93a3a9-a4fa-473a-a1b6-23aee3a92ca5.log', '--log-dir=/var/log/quantum']
Exit code: 1
Stdout: ''
Stderr: 'sudo: no tty present and no askpass program specified\nSorry, try again.\nsudo: no tty present and no askpass program specified\nSorry, try again.\nsudo: no tty present and no askpass program specified\nSorry, try again.\nsudo: 3 incorrect password attempts\n'
2013-05-21 19:59:54 ERROR [quantum.openstack.common.rpc.amqp] Exception during message handling
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/quantum/openstack/common/rpc/amqp.py", line 430, in _process_data
    rval = self.proxy.dispatch(ctxt, version, method, **args)
  File "/usr/lib/python2.7/dist-packages/quantum/openstack/common/rpc/dispatcher.py", line 133, in dispatch
    return getattr(proxyobj, method)(ctxt, **kwargs)
  File "/usr/lib/python2.7/dist-packages/quantum/openstack/common/lockutils.py", line 242, in inner
    retval = f(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/quantum/agent/dhcp_agent.py", line 234, in network_create_end
    self.enable_dhcp_helper(network_id)
  File "/usr/lib/python2.7/dist-packages/quantum/agent/dhcp_agent.py", line 188, in enable_dhcp_helper
    self.enable_isolated_metadata_proxy(network)
  File "/usr/lib/python2.7/dist-packages/quantum/agent/dhcp_agent.py", line 329, in enable_isolated_metadata_proxy
    pm.enable(callback)
  File "/usr/lib/python2.7/dist-packages/quantum/agent/linux/external_process.py", line 55, in enable
    ip_wrapper.netns.execute(cmd)
  File "/usr/lib/python2.7/dist-packages/quantum/agent/linux/ip_lib.py", line 407, in execute
    check_exit_code=check_exit_code)
  File "/usr/lib/python2.7/dist-packages/quantum/agent/linux/utils.py", line 61, in execute
    raise RuntimeError(m)
RuntimeError:
Command: ['sudo', 'ip', 'netns', 'exec', 'qdhcp-1f93a3a9-a4fa-473a-a1b6-23aee3a92ca5', 'quantum-ns-metadata-proxy', '--pid_file=/var/lib/quantum/external/pids/1f93a3a9-a4fa-473a-a1b6-23aee3a92ca5.pid', '--network_id=1f93a3a9-a4fa-473a-a1b6-23aee3a92ca5', '--state_path=/var/lib/quantum', '--metadata_port=80', '--debug', '--verbose', '--log-file=quantum-ns-metadata-proxy1f93a3a9-a4fa-473a-a1b6-23aee3a92ca5.log', '--log-dir=/var/log/quantum']
Exit code: 1
Stdout: ''
Stderr: 'sudo: no tty present and no askpass program specified\nSorry, try again.\nsudo: no tty present and no askpass program specified\nSorry, try again.\nsudo: no tty present and no askpass program specified\nSorry, try again.\nsudo: 3 incorrect password attempts\n'

Mark McClain (markmcclain) wrote :

This is most likely an incorrectly configured sudoers file. How did you install Quantum?

Changed in quantum:
status: New → Incomplete
tags: added: rootwrap

I'm getting this as well using the puppet-openstack puppet modules from Stackforge. I'm using the Ubuntu cloud archive.

# cat /etc/sudoers.d/quantum_sudoers
Defaults:quantum !requiretty

quantum ALL = (root) NOPASSWD: /usr/bin/quantum-rootwrap

# cat quantum.conf | grep root_helper
root_helper = sudo quantum-rootwrap /etc/quantum/rootwrap.conf

I'm very new to OpenStack, but as far as I can see Quantum should prefix the "ip netns exec..." with "sudo sudo quantum-rootwrap /etc/quantum/rootwrap.conf", right? That doesn't seem to be the case.

I'm using quantum-dhcp-agent version 1:2013.1-0ubuntu2~cloud0

Changed in quantum:
status: Incomplete → New

Lars Kneschke (lkneschke) wrote :

I added these lines at the end of /etc/quantum/dhcp_agent.ini

# Use "sudo quantum-rootwrap /etc/quantum/rootwrap.conf" to use the real
# root filter facility.
# Change to "sudo" to skip the filtering and just run the comand directly
root_helper = sudo /usr/bin/quantum-rootwrap /etc/quantum/rootwrap.conf

I found these lines in the folsom version of dhcp_agent.ini. In the grizzly release they seem to be missing.

Terry Wilson (otherwiseguy) wrote :

In grizzly, root_helper is generally configured in quantum.conf like
[AGENT]
root_helper = sudo quantum-rootwrap /etc/quantum/rootwrap.conf

As of https://github.com/stackforge/puppet-quantum/commit/dd202b9e04c9f9621b1dc5c2f3a929cd0533f28b the puppet-quantum project configures it this way by default as well.

Lars Kneschke (lkneschke) wrote :

I have these lines in quantum.conf too.

[AGENT]
# Use "sudo quantum-rootwrap /etc/quantum/rootwrap.conf" to use the real
# root filter facility.
# Change to "sudo" to skip the filtering and just run the comand directly
# root_helper = sudo
root_helper = sudo quantum-rootwrap /etc/quantum/rootwrap.conf

But I need them in /etc/quantum/dhcp_agent.ini too.

Darren Birkett (darren-birkett) wrote :

I don't think this is a misconfigured rootwrap config. In my logfiles, many commands are being executed successfully using rootwrap. The only one that fails - and it appears to be the same one in the original example - is when it tries to start up the quantum-ns-metadata-proxy service for a particular namespace.

Command: ['sudo', 'ip', 'netns', 'exec', 'qdhcp-1f93a3a9-a4fa-473a-a1b6-23aee3a92ca5', 'quantum-ns-metadata-proxy', '--pid_file=/var/lib/quantum/external/pids/1f93a3a9-a4fa-473a-a1b6-23aee3a92ca5.pid', '--network_id=1f93a3a9-a4fa-473a-a1b6-23aee3a92ca5', '--state_path=/var/lib/quantum', '--metadata_port=80', '--debug', '--verbose', '--log-file=quantum-ns-metadata-proxy1f93a3a9-a4fa-473a-a1b6-23aee3a92ca5.log', '--log-dir=/var/log/quantum']

I would say that looking at this as an issue with rootwrap configs is a red herring. It's an issue with starting that service in an environment without a tty.

Brian Cline (briancline) wrote :

Adding the root_helper line to dhcp_agent.ini, identical to the one I already have in quantum.conf, resolved the problem for me as well.

A notable difference seems to be that in quantum.conf it resides under the AGENT section by default; in dhcp_agent.ini it resides under the DEFAULT section.

Same problem here on a freshly installed controller running grizzly on ubuntu 12.04 and configured with the puppet-openstack modules[1].

Workaround as a puppet recipe:

-----
# https://bugs.launchpad.net/neutron/+bug/1182616
quantum_dhcp_agent_config { 'DEFAULT/root_helper':
    value => 'sudo quantum-rootwrap /etc/quantum/rootwrap.conf',
}
-----

[1] https://github.com/stackforge/puppet-openstack/

Jiajun Liu (ljjjustin) on 2013-07-26
Changed in neutron:
assignee: nobody → Jiajun Liu (ljjjustin)

Dan Bode (bodepd) wrote :

A patch has been submitted against puppet-quantum to resolve the issue by making Francois's recommended root_helper the default.

    https://review.openstack.org/#/c/39400/1

Feedback would be greatly appreciated.

Jiajun Liu (ljjjustin) wrote :

Since the patch https://review.openstack.org/#/c/39400/1 has been merged, changing status to Fix Committed.

Changed in neutron:
assignee: Jiajun Liu (ljjjustin) → nobody
status: New → Fix Committed
Changed in neutron:
milestone: none → havana-3

Mark McClain (markmcclain) wrote :

Since the fix is outside Neutron, closing this ticket.

Changed in neutron:
status: Fix Committed → Invalid
milestone: havana-3 → none

Boy Yuan (bo-y-yuan) wrote :

I ran into a problem when I put the Quantum package scripts in the /etc/init.d directory and tried to start the Quantum packages as the quantum user. When I start the agent (service quantum-openvswitch-agent start), I find this error in /var/log/quantum/quantum-openvswitch-agent.log:
Stderr: 'sudo: no tty present and no askpass program specified\n'
2013-11-15 09:44:21 ERROR [quantum.agent.linux.ovs_lib] Unable to execute ['ovs-vsctl', '--timeout=2', '--', '--if-exists', 'del-port', 'br-int', 'patch-tun']. Exception:
Command: ['sudo', 'ovs-vsctl', '--timeout=2', '--', '--if-exists', 'del-port', 'br-int', 'patch-tun']
Exit code: 1
I checked /etc/quantum/rootwrap.conf, /etc/quantum/quantum/rootwrap.d/ and /etc/sudoers.d/quantum, and there seems to be no problem. I checked against the controller node's nova settings, and all seems OK.
Finally I found that I was missing the two lines below in /etc/quantum/quantum.conf
    root_helper = sudo quantum-rootwrap /etc/quantum/rootwrap.conf
    rootwrap_config=/etc/quantum/rootwrap.conf
After I added them, the quantum packages start without the sudo error.
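
Added example (not part of the bug report and not Quantum's own code): a small triage script for the pattern this thread describes, where an agent config file lacks an explicit root_helper and the log shows commands passed straight to sudo, which the quoted sudoers rule does not allow without a password. The function names and the sample config files are constructed for illustration, and matching on the rootwrap basename is an approximation of how sudoers matches commands.

```python
import ast
import configparser
import os

def configured_root_helpers(ini_text):
    """Return {section: root_helper} for values set explicitly in one ini file."""
    # A dummy default_section makes [DEFAULT] an ordinary section, so a value
    # set there is reported under DEFAULT and is not inherited by [AGENT].
    cp = configparser.RawConfigParser(default_section="__unused__")
    cp.read_string(ini_text)
    return {s: cp.get(s, "root_helper")
            for s in cp.sections() if cp.has_option(s, "root_helper")}

def classify_command(log_line):
    """Classify a 'Command: [...]' agent log line by how it escalates."""
    if "Command:" not in log_line:
        return None
    argv = ast.literal_eval(log_line.split("Command:", 1)[1].strip())
    if not argv or argv[0] != "sudo":
        return "no-sudo"
    # Basename match approximates the sudoers rule for /usr/bin/quantum-rootwrap.
    if len(argv) > 1 and os.path.basename(argv[1]) == "quantum-rootwrap":
        return "rootwrap"
    return "bare-sudo"  # not covered by NOPASSWD: sudo asks for a password

# Constructed sample files: root_helper only in quantum.conf under [AGENT].
QUANTUM_CONF = """\
[DEFAULT]
debug = False
[AGENT]
# root_helper = sudo
root_helper = sudo quantum-rootwrap /etc/quantum/rootwrap.conf
"""
DHCP_AGENT_INI = """\
[DEFAULT]
debug = False
"""
LOG_LINES = [
    # Taken from the report above.
    "Command: ['sudo', 'ovs-vsctl', '--timeout=2', '--', '--if-exists', "
    "'del-port', 'br-int', 'patch-tun']",
    # Constructed: the same kind of call routed through rootwrap.
    "Command: ['sudo', 'quantum-rootwrap', '/etc/quantum/rootwrap.conf', "
    "'ip', 'netns', 'list']",
]

if __name__ == "__main__":
    print(configured_root_helpers(QUANTUM_CONF), configured_root_helpers(DHCP_AGENT_INI))
    print([classify_command(line) for line in LOG_LINES])
```

A "bare-sudo" result together with an empty mapping for the agent's own ini file is the combination reported in this thread.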
