Sudoers / rootwrap - no tty present and no askpass program specified

Bug #1182616 reported by Endre Karlson
This bug affects 6 people

Affects: neutron
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: none

Bug Description

2013-05-21 19:59:54 DEBUG [quantum.agent.linux.utils]
Command: ['sudo', 'ip', 'netns', 'exec', 'qdhcp-1f93a3a9-a4fa-473a-a1b6-23aee3a92ca5', 'quantum-ns-metadata-proxy', '--pid_file=/var/lib/quantum/external/pids/1f93a3a9-a4fa-473a-a1b6-23aee3a92ca5.pid', '--network_id=1f93a3a9-a4fa-473a-a1b6-23aee3a92ca5', '--state_path=/var/lib/quantum', '--metadata_port=80', '--debug', '--verbose', '--log-file=quantum-ns-metadata-proxy1f93a3a9-a4fa-473a-a1b6-23aee3a92ca5.log', '--log-dir=/var/log/quantum']
Exit code: 1
Stdout: ''
Stderr: 'sudo: no tty present and no askpass program specified\nSorry, try again.\nsudo: no tty present and no askpass program specified\nSorry, try again.\nsudo: no tty present and no askpass program specified\nSorry, try again.\nsudo: 3 incorrect password attempts\n'
2013-05-21 19:59:54 ERROR [quantum.openstack.common.rpc.amqp] Exception during message handling
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/quantum/openstack/common/rpc/amqp.py", line 430, in _process_data
    rval = self.proxy.dispatch(ctxt, version, method, **args)
  File "/usr/lib/python2.7/dist-packages/quantum/openstack/common/rpc/dispatcher.py", line 133, in dispatch
    return getattr(proxyobj, method)(ctxt, **kwargs)
  File "/usr/lib/python2.7/dist-packages/quantum/openstack/common/lockutils.py", line 242, in inner
    retval = f(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/quantum/agent/dhcp_agent.py", line 234, in network_create_end
    self.enable_dhcp_helper(network_id)
  File "/usr/lib/python2.7/dist-packages/quantum/agent/dhcp_agent.py", line 188, in enable_dhcp_helper
    self.enable_isolated_metadata_proxy(network)
  File "/usr/lib/python2.7/dist-packages/quantum/agent/dhcp_agent.py", line 329, in enable_isolated_metadata_proxy
    pm.enable(callback)
  File "/usr/lib/python2.7/dist-packages/quantum/agent/linux/external_process.py", line 55, in enable
    ip_wrapper.netns.execute(cmd)
  File "/usr/lib/python2.7/dist-packages/quantum/agent/linux/ip_lib.py", line 407, in execute
    check_exit_code=check_exit_code)
  File "/usr/lib/python2.7/dist-packages/quantum/agent/linux/utils.py", line 61, in execute
    raise RuntimeError(m)
RuntimeError:
Command: ['sudo', 'ip', 'netns', 'exec', 'qdhcp-1f93a3a9-a4fa-473a-a1b6-23aee3a92ca5', 'quantum-ns-metadata-proxy', '--pid_file=/var/lib/quantum/external/pids/1f93a3a9-a4fa-473a-a1b6-23aee3a92ca5.pid', '--network_id=1f93a3a9-a4fa-473a-a1b6-23aee3a92ca5', '--state_path=/var/lib/quantum', '--metadata_port=80', '--debug', '--verbose', '--log-file=quantum-ns-metadata-proxy1f93a3a9-a4fa-473a-a1b6-23aee3a92ca5.log', '--log-dir=/var/log/quantum']
Exit code: 1
Stdout: ''
Stderr: 'sudo: no tty present and no askpass program specified\nSorry, try again.\nsudo: no tty present and no askpass program specified\nSorry, try again.\nsudo: no tty present and no askpass program specified\nSorry, try again.\nsudo: 3 incorrect password attempts\n'

Tags: rootwrap
Mark McClain (markmcclain) wrote :

This is most likely an incorrectly configured sudoers file. How did you install Quantum?

Changed in quantum:
status: New → Incomplete
tags: added: rootwrap
Kristian Øllegaard (oellegaard) wrote :

I'm getting this as well using the puppet-openstack puppet modules from Stackforge. I'm using the ubuntu cloud archive.

# cat /etc/sudoers.d/quantum_sudoers
Defaults:quantum !requiretty

quantum ALL = (root) NOPASSWD: /usr/bin/quantum-rootwrap

# cat quantum.conf | grep root_helper
root_helper = sudo quantum-rootwrap /etc/quantum/rootwrap.conf

I'm very new to OpenStack, but as far as I can see Quantum should prefix the "ip netns exec..." with "sudo sudo quantum-rootwrap /etc/quantum/rootwrap.conf", right? That doesn't seem to be the case.

I'm using quantum-dhcp-agent version 1:2013.1-0ubuntu2~cloud0

Changed in quantum:
status: Incomplete → New
Lars Kneschke (lkneschke) wrote :

I added these lines at the end of /etc/quantum/dhcp_agent.ini

# Use "sudo quantum-rootwrap /etc/quantum/rootwrap.conf" to use the real
# root filter facility.
# Change to "sudo" to skip the filtering and just run the command directly
root_helper = sudo /usr/bin/quantum-rootwrap /etc/quantum/rootwrap.conf

I found these lines in the folsom version of dhcp_agent.ini. In the grizzly release they seem to be missing.

Terry Wilson (otherwiseguy) wrote :

In grizzly, root_helper is generally configured in quantum.conf like
[AGENT]
root_helper = sudo quantum-rootwrap /etc/quantum/rootwrap.conf

As of https://github.com/stackforge/puppet-quantum/commit/dd202b9e04c9f9621b1dc5c2f3a929cd0533f28b the puppet-quantum project configures it this way by default as well.

Lars Kneschke (lkneschke) wrote :

I have these lines in quantum.conf too.

[AGENT]
# Use "sudo quantum-rootwrap /etc/quantum/rootwrap.conf" to use the real
# root filter facility.
# Change to "sudo" to skip the filtering and just run the command directly
# root_helper = sudo
root_helper = sudo quantum-rootwrap /etc/quantum/rootwrap.conf

But I need them in /etc/quantum/dhcp_agent.ini too.

Darren Birkett (darren-birkett) wrote :

I don't think this is a misconfigured rootwrap config. In my logfiles, many commands are being executed successfully using rootwrap. The only one that fails - and it appears to be the same one in the original example - is when it tries to start up the quantum-ns-metadata-proxy service for a particular namespace.

Command: ['sudo', 'ip', 'netns', 'exec', 'qdhcp-1f93a3a9-a4fa-473a-a1b6-23aee3a92ca5', 'quantum-ns-metadata-proxy', '--pid_file=/var/lib/quantum/external/pids/1f93a3a9-a4fa-473a-a1b6-23aee3a92ca5.pid', '--network_id=1f93a3a9-a4fa-473a-a1b6-23aee3a92ca5', '--state_path=/var/lib/quantum', '--metadata_port=80', '--debug', '--verbose', '--log-file=quantum-ns-metadata-proxy1f93a3a9-a4fa-473a-a1b6-23aee3a92ca5.log', '--log-dir=/var/log/quantum']

I would say that looking at this as an issue with rootwrap configs is a red herring. It's an issue with starting that service in an environment without a tty.

Brian Cline (briancline) wrote :

Adding the root_helper line to dhcp_agent.ini, identical to the one I already have in quantum.conf, resolved the problem for me as well.

A notable difference seems to be that in quantum.conf it resides under the AGENT section by default; in dhcp_agent.ini it resides under the DEFAULT section.
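
A check for the failure discussed in this thread, added here as an example and not part of the bug report or of Quantum itself: it compares the `Command:` lines an agent logs against the NOPASSWD entries in the sudoers file and flags invocations where `sudo` wraps something other than the permitted `quantum-rootwrap`, which is the case in which sudo asks for a password and fails without a tty. The sudoers and log text are constructed from the snippets quoted above, `qdhcp-EXAMPLE` is a placeholder, and matching by basename is a simplifying assumption about how sudo resolves command paths.

```python
import ast
import re

# Constructed samples modelled on the sudoers file and log lines quoted in this
# thread; "qdhcp-EXAMPLE" is a placeholder namespace name.
SUDOERS = """\
Defaults:quantum !requiretty
quantum ALL = (root) NOPASSWD: /usr/bin/quantum-rootwrap
"""
LOG = """\
Command: ['sudo', 'ip', 'netns', 'exec', 'qdhcp-EXAMPLE', 'quantum-ns-metadata-proxy']
Command: ['sudo', 'quantum-rootwrap', '/etc/quantum/rootwrap.conf', 'ip', 'netns', 'exec', 'qdhcp-EXAMPLE', 'quantum-ns-metadata-proxy']
Command: ['sudo', 'ovs-vsctl', '--timeout=2', '--', '--if-exists', 'del-port', 'br-int', 'patch-tun']
"""

# user  host = (runas) NOPASSWD: cmd[, cmd ...]
RULE = re.compile(r"\s*(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?NOPASSWD:\s*(.+)")

def basename(path):
    return path.rsplit("/", 1)[-1]

def nopasswd_commands(sudoers_text, user):
    """Basenames of the commands `user` may run through sudo without a password."""
    allowed = set()
    for line in sudoers_text.splitlines():
        m = RULE.match(line)
        if m and m.group(1) == user:
            for entry in m.group(2).split(","):
                if entry.strip():
                    allowed.add(basename(entry.split()[0]))
    return allowed

def commands_needing_password(log_text, allowed):
    """Logged argv lists in which sudo wraps a command outside the NOPASSWD set."""
    flagged = []
    for line in log_text.splitlines():
        if not line.startswith("Command: "):
            continue
        argv = ast.literal_eval(line[len("Command: "):])
        if argv[:1] == ["sudo"] and len(argv) > 1 and basename(argv[1]) not in allowed:
            flagged.append(argv)
    return flagged

if __name__ == "__main__":
    for argv in commands_needing_password(LOG, nopasswd_commands(SUDOERS, "quantum")):
        print("sudo will prompt for a password:", " ".join(argv[:4]), "...")
```

Any flagged line means the agent that logged it is running with a bare `sudo` root_helper, so the config file that agent actually reads is the one to inspect.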

Francois Deppierraz (francois-ctrlaltdel) wrote :

Same problem here on a freshly installed controller running grizzly on ubuntu 12.04 and configured with the puppet-openstack modules[1].

Workaround as a puppet recipe:

-----
# https://bugs.launchpad.net/neutron/+bug/1182616
quantum_dhcp_agent_config { 'DEFAULT/root_helper':
    value => 'sudo quantum-rootwrap /etc/quantum/rootwrap.conf',
}
-----

[1] https://github.com/stackforge/puppet-openstack/

Jiajun Liu (ljjjustin)
Changed in neutron:
assignee: nobody → Jiajun Liu (ljjjustin)
Dan Bode (bodepd) wrote :

A patch has been submitted against puppet-quantum to resolve the issue by making Francois's recommended root_helper the default.

    https://review.openstack.org/#/c/39400/1

Feedback would be greatly appreciated.

Jiajun Liu (ljjjustin) wrote :

Since the patch https://review.openstack.org/#/c/39400/1 has been merged, change status to fix committed.

Changed in neutron:
assignee: Jiajun Liu (ljjjustin) → nobody
status: New → Fix Committed
Changed in neutron:
milestone: none → havana-3
Mark McClain (markmcclain) wrote :

Since the fix is outside Neutron, closing this ticket.

Changed in neutron:
status: Fix Committed → Invalid
milestone: havana-3 → none
Boy Yuan (bo-y-yuan) wrote :

I ran into a problem when I put the Quantum package scripts in the /etc/init.d directory and tried to start the Quantum packages as the quantum user. When I start the agent with: service quantum-openvswitch-agent start, I find this error in /var/log/quantum/quantum-openvswitch-agent.log:
Stderr: 'sudo: no tty present and no askpass program specified\n'
2013-11-15 09:44:21 ERROR [quantum.agent.linux.ovs_lib] Unable to execute ['ovs-vsctl', '--timeout=2', '--', '--if-exists', 'del-port', 'br-int', 'patch-tun']. Exception:
Command: ['sudo', 'ovs-vsctl', '--timeout=2', '--', '--if-exists', 'del-port', 'br-int', 'patch-tun']
Exit code: 1
I checked /etc/quantum/rootwrap.conf, /etc/quantum/quantum/rootwrap.d/ and /etc/sudoers.d/quantum, and there seemed to be no problem; I checked against the controller node's nova settings, and everything seemed OK.
Finally I found I was missing the two lines below in /etc/quantum/quantum.conf
    root_helper = sudo quantum-rootwrap /etc/quantum/rootwrap.conf
    rootwrap_config=/etc/quantum/rootwrap.conf
After I added them, the Quantum packages start without the sudo error.

Saibal Dey (saibaldey) wrote :

I think this is related to Neutron only, and the fix that worked for me was to add a new section in the /etc/neutron/neutron.conf file:

[agent]
root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf

Please update the installation document.
