Keepalived is logging warnings and security violations

Bug #1742487 reported by Major Hayden
This bug affects 1 person
Affects: OpenStack-Ansible
Status: Fix Released
Importance: Low
Assigned to: Major Hayden

Bug Description

I found this in the systemd journal of a CentOS 7 deployment from master today:

    Unable to access script `kill`
    Disabling track script haproxy_check_script since not found
    WARNING - script `ping` resolved by path search to `/usr/bin/ping`. Please specify full path.
    SECURITY VIOLATION - scripts are being executed but script_security not enabled.

We should clean up the keepalived conf to avoid these.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible (master)

Fix proposed to branch: master
Review: https://review.openstack.org/532573

Changed in openstack-ansible:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (master)

Reviewed: https://review.openstack.org/532573
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=21e27fd890b5f880adea4a60f8ffe0685baa038d
Submitter: Zuul
Branch: master

commit 21e27fd890b5f880adea4a60f8ffe0685baa038d
Author: Major Hayden <email address hidden>
Date: Wed Jan 24 12:57:25 2018 -0600

    Fix keepalived warnings

    Relative paths for keepalived scripts cause warnings to appear in
    the systemd journal:

        Unable to access script `kill`
        Disabling track script haproxy_check_script since not found
        WARNING - script `ping` resolved by path search to
          `/usr/bin/ping`. Please specify full path.

    This patch ensures that full paths are used for both of the current
    keepalived scripts and it removes the warnings from the logs.

    It also ensures that script security is enabled. This prevents
    keepalived from running a script as root that a normal user can
    write to.

    Closes-Bug: 1742487
    Change-Id: Ie3bc334a1669c976298d7ef1eb7361e85fade7e1

Changed in openstack-ansible:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible 17.0.0.0rc1

This issue was fixed in the openstack/openstack-ansible 17.0.0.0rc1 release candidate.
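
The two conditions behind the journal messages in this report (script commands given without a full path, and scripts configured while script security is off) can be checked in a keepalived configuration before it is deployed. The linter below is an added example, not code from the OpenStack-Ansible change; `lint_keepalived`, `ping_check_script` and both sample configurations are constructed for illustration, and the check assumes one directive per line.

```python
import re

# Directives whose value keepalived executes as a command.
EXEC_RE = re.compile(r'^(script|notify(?:_master|_backup|_fault|_stop)?)\s+(.+)$')

def lint_keepalived(conf_text):
    """Return findings for relative script paths and missing script security."""
    findings, runs_scripts, security_enabled = [], False, False
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or keepalived comment
            continue
        if line.split()[0] == "enable_script_security":
            security_enabled = True
            continue
        match = EXEC_RE.match(line)
        if not match:
            continue
        runs_scripts = True
        # The first word of the (optionally quoted) command is the program.
        words = match.group(2).strip("\"'").split()
        if words and not words[0].startswith("/"):
            findings.append(f"line {lineno}: `{words[0]}` is not a full path")
    if runs_scripts and not security_enabled:
        findings.append("scripts are configured but enable_script_security is not set")
    return findings

# Constructed sample: relative paths and no enable_script_security.
BAD_CONF = """
global_defs {
    router_id example
}
vrrp_script haproxy_check_script {
    script "kill -0 `cat /var/run/haproxy.pid`"
}
vrrp_script ping_check_script {
    script "ping -c 1 192.0.2.1"
}
"""

# Constructed sample: full path and script security enabled.
GOOD_CONF = """
global_defs {
    enable_script_security
}
vrrp_script ping_check_script {
    script "/usr/bin/ping -c 1 192.0.2.1"
}
"""

if __name__ == "__main__":
    for finding in lint_keepalived(BAD_CONF):
        print(finding)
```
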
