Missing filters due to nova-rootwrap hardcoding paths

Bug #1013147 reported by Vincent Untz on 2012-06-14
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Thierry Carrez
nova (Ubuntu)

Bug Description

I just got hit by some failure here caused by the fact that iptables-save is in /usr/sbin in my system, and not /sbin, as defined in the nova-rootwrap filters.

Of course, we don't want to use binaries from random directories, but it seems rather safe to look for the binaries in the usual /sbin:/usr/sbin:/usr/bin:/bin (and this would avoid having to duplicate the filters when there are more than one paths used by different OS).

Related branches

Thierry Carrez (ttx) on 2012-06-14
tags: added: rootwrap
Changed in nova:
assignee: nobody → Thierry Carrez (ttx)
importance: Undecided → Wishlist
status: New → Confirmed

Fix proposed to branch: master
Review: https://review.openstack.org/8793

Changed in nova:
assignee: Thierry Carrez (ttx) → Ralf Haferkamp (rhafer)
status: Confirmed → In Progress

Reviewed: https://review.openstack.org/8793
Committed: http://github.com/openstack/nova/commit/a519752eef157aaa03c9f6169eba1ff1b5a9f1bd
Submitter: Jenkins
Branch: master

commit a519752eef157aaa03c9f6169eba1ff1b5a9f1bd
Author: Ralf Haferkamp <email address hidden>
Date: Wed Jun 20 11:28:22 2012 +0200

    Addtional CommandFilters to fix rootwrap on SLES

    Fixes bug 1013147 (for SLES)

    Change-Id: Ib362c913b809f7601a9a4faedede89b22794dfb7

Changed in nova:
status: In Progress → Fix Committed

I'm reopening since the fix pushed by Ralf is not the long-term fix -- that's good to make things work on SLES, but the bug is more generic :-)

Changed in nova:
status: Fix Committed → Confirmed

Reviewed: https://review.openstack.org/8749
Committed: http://github.com/openstack/nova/commit/cf6a85a6d4ac982875c1cfab44acdea1e1962930
Submitter: Jenkins
Branch: stable/essex

commit cf6a85a6d4ac982875c1cfab44acdea1e1962930
Author: Ralf Haferkamp <email address hidden>
Date: Wed Jun 20 11:28:22 2012 +0200

    Addtional CommandFilters to fix rootwrap on SLES

    Fixes bug 1013147 (for SLES)

    (cherry picked from commit a519752eef157aaa03c9f6169eba1ff1b5a9f1bd)

    Change-Id: Ib362c913b809f7601a9a4faedede89b22794dfb7

tags: added: in-stable-essex
Dave Walker (davewalker) on 2012-08-24
Changed in nova (Ubuntu):
status: New → Fix Released
Changed in nova (Ubuntu Precise):
status: New → Confirmed

Please find the attached test log from the Ubuntu Server Team's CI infrastructure. As part of the verification process for this bug, Nova has been deployed and configured across multiple nodes using precise-proposed as an installation source. After successful bring-up and configuration of the cluster, a number of exercises and smoke tests have be invoked to ensure the updated package did not introduce any regressions. A number of test iterations were carried out to catch any possible transient errors.

Please Note the list of installed packages at the top and bottom of the report.

For records of upstream test coverage of this update, please see the Jenkins links in the comments of the relevant upstream code-review(s):

Trunk review: https://review.openstack.org/8793
Stable review: https://review.openstack.org/8749

As per the provisional Micro Release Exception granted to this package by the Technical Board, we hope this contributes toward verification of this update.

Launchpad Janitor (janitor) wrote :
Download full text (5.4 KiB)

This bug was fixed in the package nova - 2012.1.3+stable-20120827-4d2a4afe-0ubuntu1

nova (2012.1.3+stable-20120827-4d2a4afe-0ubuntu1) precise-proposed; urgency=low

  * New upstream snapshot, fixes FTBFS in -proposed. (LP: #1041120)
  * Resynchronize with stable/essex (4d2a4afe):
    - [5d63601] Inappropriate exception handling on kvm live/block migration
      (LP: #917615)
    - [ae280ca] Deleted floating ips can cause instance delete to fail
      (LP: #1038266)

nova (2012.1.3+stable-20120824-86fb7362-0ubuntu1) precise-proposed; urgency=low

  * New upstream snapshot. (LP: #1041120)
  * Dropped, superseded by new snapshot:
    - debian/patches/CVE-2012-3447.patch: [d9577ce]
    - debian/patches/CVE-2012-3371.patch: [25f5bd3]
    - debian/patches/CVE-2012-3360+3361.patch: [b0feaff]
  * Resynchronize with stable/essex (86fb7362):
    - [86fb736] Libvirt driver reports incorrect error when volume-detach fails
      (LP: #1029463)
    - [272b98d] nova delete lxc-instance umounts the wrong rootfs (LP: #971621)
    - [09217ab] Block storage connections are NOT restored on system reboot
      (LP: #1036902)
    - [d9577ce] CVE-2012-3361 not fully addressed (LP: #1031311)
    - [e8ef050] pycrypto is unused and the existing code is potentially insecure
      to use (LP: #1033178)
    - [3b4ac31] cannot umount guestfs (LP: #1013689)
    - [f8255f3] qpid_heartbeat setting in ineffective (LP: #1030430)
    - [413c641] Deallocation of fixed IP occurs before security group refresh
      leading to potential security issue in error / race conditions
      (LP: #1021352)
    - [219c5ca] Race condition in network/deallocate_for_instance() leads to
      security issue (LP: #1021340)
    - [f2bc403] cleanup_file_locks does not remove stale sentinel files
      (LP: #1018586)
    - [4c7d671] Deleting Flavor currently in use by instance creates error
      (LP: #994935)
    - [7e88e39] nova testsuite errors on newer versions of python-boto (e.g.
      2.5.2) (LP: #1027984)
    - [80d3026] NoMoreFloatingIps: Zero floating ips available after repeatedly
      creating and destroying instances over time (LP: #1017418)
    - [4d74631] Launching with source groups under load produces lazy load error
      (LP: #1018721)
    - [08e5128] API 'v1.1/{tenant_id}/os-hosts' does not return a list of hosts
      (LP: #1014925)
    - [801b94a] Restarting nova-compute removes ip packet filters (LP: #1027105)
    - [f6d1f55] instance live migration should create virtual_size disk image
      (LP: #977007)
    - [4b89b4f] [nova][volumes] Exceeding volumes, gigabytes and floating_ips
      quotas returns general uninformative HTTP 500 error (LP: #1021373)
    - [6e873bc] [nova][volumes] Exceeding volumes, gigabytes and floating_ips
      quotas returns general uninformative HTTP 500 error (LP: #1021373)
    - [7b215ed] Use default qemu-img cluster size in libvirt connection driver
    - [d3a87a2] Listing flavors with marker set returns 400 (LP: #956096)
    - [cf6a85a] nova-rootwrap hardcodes paths instead of using
      /sbin:/usr/sbin:/usr/bin:/bin (LP: #1013147)
    - [2efc87c] affinity filters don't work if scheduler_hints is None
      (LP: #1007573)


Changed in nova (Ubuntu Precise):
status: Confirmed → Fix Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

Thierry Carrez (ttx) on 2012-11-16
Changed in nova:
assignee: Ralf Haferkamp (rhafer) → Thierry Carrez (ttx)
status: Confirmed → In Progress

Hmm, given that this bug has been reused to add missing duplicate filters, it's simpler to open a new one to cover the long-term fix. Will rename and redescribe.

New bug is bug 1079723

Changed in nova:
status: In Progress → Fix Released
summary: - nova-rootwrap hardcodes paths instead of using
- /sbin:/usr/sbin:/usr/bin:/bin
+ Missing filters due to nova-rootwrap hardcoding paths
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers