neutron

Some functional tests use 'sudo' alone without rootwrap

Bug #1491581 reported by Assaf Muller
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
neutron
Fix Released
Wishlist
Hunt Xu

Bug Description

While looking at functional tests console outputs Ihar noticed that some tests are executing 'sudo' without going through rootwrap.

Example:
http://logs.openstack.org/03/216603/4/check/gate-neutron-dsvm-functional/9ed19a4/console.html (CTRL-F for "['sudo'").
(Command: ['sudo', 'kill', '-15', '22920']).

Patch https://review.openstack.org/#/c/114717/ added a gate hook for the Neutron functional job, and it's possible that since then we've been allowing 'naked sudo' at the functional gate, because stripping the 'stack' user from 'sudo' was previously being done by the gate_hook in the devstack_gate project.

Armando Migliaccio (armando-migliaccio)
Changed in neutron:
importance: Undecided → Medium
status: New → Confirmed
importance: Medium → Low
milestone: none → liberty-rc1
Armando Migliaccio (armando-migliaccio)
Changed in neutron:
importance: Low → Medium
Revision history for this message
Kyle Mestery (mestery) wrote :

Removing Liberty-RC1 milestone, but if a fix pops up, we can merge this one regardless.

Changed in neutron:
milestone: liberty-rc1 → none
Assaf Muller (amuller)
Changed in neutron:
assignee: Assaf Muller (amuller) → nobody
Cedric Brandily (cbrandily)
Changed in neutron:
assignee: nobody → Cedric Brandily (cbrandily)
Revision history for this message
Sergey Belous (sbelous) wrote :

I didn't find any usage of 'sudo' command without rootwrap in a latest dsvm-functional test's log: http://logs.openstack.org/96/276096/6/check/gate-neutron-dsvm-functional/d50aa3e/console.html
Also I didn't find the same in code.
Invalid?

Revision history for this message
Assaf Muller (amuller) wrote :

That's because the tests that don't use rootwrap are the same tests that don't output logs to /tmp/dsvm-functional. See neutron.tests.functional.agent.linux.test_keepalived.

Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

This bug is > 180 days without activity. We are unsetting assignee and milestone and setting status to Incomplete in order to allow its expiry in 60 days.

If the bug is still valid, then update the bug status.

Changed in neutron:
assignee: Cedric Brandily (cbrandily) → nobody
status: Confirmed → Incomplete
Armando Migliaccio (armando-migliaccio)
Changed in neutron:
status: Incomplete → Confirmed
importance: Medium → Wishlist
tags: added: low-hanging-fruit
Revision history for this message
Hunt Xu (huntxu) wrote :

The log link in the original description is now gone.

Such case can still be found in the following example:

http://logs.openstack.org/04/451704/8/check/gate-neutron-dsvm-functional-ubuntu-xenial/441cee0/logs/dsvm-functional-logs/neutron.tests.functional.agent.linux.test_keepalived.KeepalivedManagerTestCase.test_keepalived_respawn_with_unexpected_exit.txt.gz

Changed in neutron:
assignee: nobody → Hunt Xu (huntxu)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/458923

Changed in neutron:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/458923
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=a15c84956366456683cd7e5227c5e244e15c3e6e
Submitter: Jenkins
Branch: master

commit a15c84956366456683cd7e5227c5e244e15c3e6e
Author: Hunt Xu <email address hidden>
Date: Sat Apr 22 01:08:48 2017 +0800

    ProcessManager: honor run_as_root when stopping process

    Without this commit, the run_as_root parameter is always True when
    stopping a process, which leads to the usage of unnecessary sudo such as
    in some functional tests, like the keepalived ones.

    This commit fixes the aforemetioned problem by taking run_as_root into
    account when stopping a process. However, run_as_root will still always
    be True if the process is spawned in a netns.

    Closes-Bug: #1491581

    Change-Id: Ib40e1e3357b9a38e760f4e552bf615cdfd54ee5a
    Signed-off-by: Hunt Xu <email address hidden>

Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 11.0.0.0b2

This issue was fixed in the openstack/neutron 11.0.0.0b2 development milestone.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.