ovn migration executes scripts from /tmp directory

Bug #1965183 reported by Jakub Libosvar
Affects  Status        Importance  Assigned to     Milestone
neutron  Fix Released  Medium      Jakub Libosvar  -

Bug Description

Description of problem:
/tmp is often mounted with the noexec option for security reasons. The migration roles rely on scripts in /tmp/ being executable.

Version-Release number of selected component (if applicable):
16.1

How reproducible:
Always

Steps to Reproduce:
1. Have /tmp mounted with noexec option
2. Run migration from ovs to ovn

Actual results:
fatal: [tpa-vim-b-computecl-0]: FAILED! => {
    "changed": true,
    "cmd": "/tmp/clone-br-int.sh",
    "delta": "0:00:00.001773",
    "end": "2022-03-16 18:51:30.332449",
    "invocation": {
        "module_args": {
            "_raw_params": "/tmp/clone-br-int.sh",
            "_uses_shell": true,
            "argv": null,
            "chdir": null,
            "creates": null,
            "executable": null,
            "removes": null,
            "stdin": null,
            "stdin_add_newline": true,
            "strip_empty_ends": true,
            "warn": true
        }
    },
    "msg": "non-zero return code",
    "rc": 126,
    "start": "2022-03-16 18:51:30.330676",
    "stderr": "/bin/sh: /tmp/clone-br-int.sh: Permission denied",
    "stderr_lines": [
        "/bin/sh: /tmp/clone-br-int.sh: Permission denied"
    ],
    "stdout": "",
    "stdout_lines": []
}

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/834071

Changed in neutron:
status: New → In Progress
Miguel Lavalle (minsel)
Changed in neutron:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/834071
Committed: https://opendev.org/openstack/neutron/commit/0529ccdf71dcd093a80180097eeaa5d7cb5e15fb
Submitter: "Zuul (22348)"
Branch: master

commit 0529ccdf71dcd093a80180097eeaa5d7cb5e15fb
Author: Jakub Libosvar <email address hidden>
Date: Wed Mar 16 16:40:21 2022 -0400

    ovn migration: Don't use executables in /tmp/

    It's a common practice to have /tmp/ mounted separately with noexec
    option. This effectively means no scripts can be executed from the
    filesystem mounted to /tmp.

    This patch explicitly calls sh binary to execute scripts from /tmp and
    removes the executable flag from the scripts.

    Closes-Bug: #1965183

    Change-Id: I2f9cd67979a8a75848fcdd7a8c3bb56dd3590473
    Signed-off-by: Jakub Libosvar <email address hidden>

Changed in neutron:
status: In Progress → Fix Released
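A stand-alone illustration of the failure the report shows (rc 126, "Permission denied") and of the approach the merged fix takes, calling sh on the staged script instead of executing it. This is an added example, not code from the neutron patch or the migration roles; it assumes a Linux host with /proc/self/mounts and POSIX df and mktemp, and only the file name clone-br-int.sh comes from the report (the script body is constructed).

```shell
#!/bin/sh
# Added example, not part of the neutron change: reproduces the 126 failure
# from the bug report and shows the fix's approach of invoking sh explicitly.

# Print "noexec" or "exec" for the filesystem holding $1. Uses df -P to find
# the mount point and /proc/self/mounts (Linux only) for its options; prints
# "unknown" elsewhere. A pre-flight check before staging scripts under /tmp.
mount_exec_policy() {
    [ -r /proc/self/mounts ] || { echo unknown; return 0; }
    mnt=$(df -P "$1" | awk 'NR == 2 { print $6 }')
    # Last matching entry wins, as it does for stacked mounts.
    opts=$(awk -v m="$mnt" '$2 == m { o = $4 } END { print o }' /proc/self/mounts)
    case ",$opts," in
        *,noexec,*) echo noexec ;;
        *)          echo exec ;;
    esac
}

# The fixed role's approach: hand the script to the interpreter rather than
# executing the file, so neither an executable bit nor an exec-permitting
# mount is required. The script only needs to be readable.
run_staged_script() {
    sh "$1"
}

# Constructed demonstration: a staged script without the executable flag
# (the patch drops the flag) exits 126 when run directly, as in the report,
# and succeeds through run_staged_script. Prints "<direct_rc> <via_sh_rc>".
demo() {
    dir=$(mktemp -d)
    script="$dir/clone-br-int.sh"   # file name from the report; body constructed
    printf '#!/bin/sh\necho "cloning br-int"\n' > "$script"
    chmod 0644 "$script"
    direct_rc=0
    "$script" >/dev/null 2>&1 || direct_rc=$?
    via_sh_rc=0
    run_staged_script "$script" >/dev/null 2>&1 || via_sh_rc=$?
    rm -rf "$dir"
    echo "$direct_rc $via_sh_rc"
}

echo "/tmp mount policy: $(mount_exec_policy /tmp)"
echo "direct rc / via sh rc: $(demo)"
```

On a host where /tmp is noexec, the direct invocation fails with 126 even when the executable bit is set, which is exactly the Ansible failure quoted in the report; the sh invocation is unaffected either way.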
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/neutron/+/834609

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/neutron/+/834710

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/neutron/+/834711

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/neutron/+/834712

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/neutron/+/834713

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/834609
Committed: https://opendev.org/openstack/neutron/commit/ca3e3bc49aac4f5d55ca81d41efd92e0a03b85e6
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit ca3e3bc49aac4f5d55ca81d41efd92e0a03b85e6
Author: Jakub Libosvar <email address hidden>
Date: Wed Mar 16 16:40:21 2022 -0400

    ovn migration: Don't use executables in /tmp/

    It's a common practice to have /tmp/ mounted separately with noexec
    option. This effectively means no scripts can be executed from the
    filesystem mounted to /tmp.

    This patch explicitly calls sh binary to execute scripts from /tmp and
    removes the executable flag from the scripts.

    Closes-Bug: #1965183

    Change-Id: I2f9cd67979a8a75848fcdd7a8c3bb56dd3590473
    Signed-off-by: Jakub Libosvar <email address hidden>
    (cherry picked from commit 0529ccdf71dcd093a80180097eeaa5d7cb5e15fb)

tags: added: in-stable-yoga
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 20.0.0.0rc2

This issue was fixed in the openstack/neutron 20.0.0.0rc2 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/834710
Committed: https://opendev.org/openstack/neutron/commit/4fc70c09ae9fa69a0b8350f07cdb86b5094bd7d7
Submitter: "Zuul (22348)"
Branch: stable/xena

commit 4fc70c09ae9fa69a0b8350f07cdb86b5094bd7d7
Author: Jakub Libosvar <email address hidden>
Date: Wed Mar 16 16:40:21 2022 -0400

    ovn migration: Don't use executables in /tmp/

    It's a common practice to have /tmp/ mounted separately with noexec
    option. This effectively means no scripts can be executed from the
    filesystem mounted to /tmp.

    This patch explicitly calls sh binary to execute scripts from /tmp and
    removes the executable flag from the scripts.

    Closes-Bug: #1965183

    Change-Id: I2f9cd67979a8a75848fcdd7a8c3bb56dd3590473
    Signed-off-by: Jakub Libosvar <email address hidden>
    (cherry picked from commit 0529ccdf71dcd093a80180097eeaa5d7cb5e15fb)

tags: added: in-stable-xena
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/victoria)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/834712
Committed: https://opendev.org/openstack/neutron/commit/51e64a296ea0633a499ac486be29a4d828b47b4f
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit 51e64a296ea0633a499ac486be29a4d828b47b4f
Author: Jakub Libosvar <email address hidden>
Date: Wed Mar 16 16:40:21 2022 -0400

    ovn migration: Don't use executables in /tmp/

    It's a common practice to have /tmp/ mounted separately with noexec
    option. This effectively means no scripts can be executed from the
    filesystem mounted to /tmp.

    This patch explicitly calls sh binary to execute scripts from /tmp and
    removes the executable flag from the scripts.

    Closes-Bug: #1965183

    Change-Id: I2f9cd67979a8a75848fcdd7a8c3bb56dd3590473
    Signed-off-by: Jakub Libosvar <email address hidden>
    (cherry picked from commit 0529ccdf71dcd093a80180097eeaa5d7cb5e15fb)

tags: added: in-stable-victoria
tags: added: in-stable-wallaby
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/834711
Committed: https://opendev.org/openstack/neutron/commit/60e416f5c80f8420003485df57a884bb1448d3cb
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 60e416f5c80f8420003485df57a884bb1448d3cb
Author: Jakub Libosvar <email address hidden>
Date: Wed Mar 16 16:40:21 2022 -0400

    ovn migration: Don't use executables in /tmp/

    It's a common practice to have /tmp/ mounted separately with noexec
    option. This effectively means no scripts can be executed from the
    filesystem mounted to /tmp.

    This patch explicitly calls sh binary to execute scripts from /tmp and
    removes the executable flag from the scripts.

    Closes-Bug: #1965183

    Change-Id: I2f9cd67979a8a75848fcdd7a8c3bb56dd3590473
    Signed-off-by: Jakub Libosvar <email address hidden>
    (cherry picked from commit 0529ccdf71dcd093a80180097eeaa5d7cb5e15fb)

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/ussuri)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/834713
Committed: https://opendev.org/openstack/neutron/commit/9b8451ee841734badbd1b1c2aa78cd31dbcb4a10
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit 9b8451ee841734badbd1b1c2aa78cd31dbcb4a10
Author: Jakub Libosvar <email address hidden>
Date: Wed Mar 16 16:40:21 2022 -0400

    ovn migration: Don't use executables in /tmp/

    It's a common practice to have /tmp/ mounted separately with noexec
    option. This effectively means no scripts can be executed from the
    filesystem mounted to /tmp.

    This patch explicitly calls sh binary to execute scripts from /tmp and
    removes the executable flag from the scripts.

    Closes-Bug: #1965183

    Change-Id: I2f9cd67979a8a75848fcdd7a8c3bb56dd3590473
    Signed-off-by: Jakub Libosvar <email address hidden>
    (cherry picked from commit 0529ccdf71dcd093a80180097eeaa5d7cb5e15fb)

tags: added: in-stable-ussuri
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 17.4.0

This issue was fixed in the openstack/neutron 17.4.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 18.3.0

This issue was fixed in the openstack/neutron 18.3.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 19.2.0

This issue was fixed in the openstack/neutron 19.2.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 21.0.0.0rc1

This issue was fixed in the openstack/neutron 21.0.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron ussuri-eol

This issue was fixed in the openstack/neutron ussuri-eol release.
