nova and cinder containers throw sudo errors

Bug #1940068 reported by Michele Baldessari
This bug affects 1 person
Affects: tripleo
Status: Fix Released
Importance: Medium
Assigned to: Cédric Jeanneret

Bug Description

Deploy from today:
Aug 16 09:53:57 controller-0.alejandro.ftw sudo[148918]: cinder : command not allowed ; TTY=unknown ; PWD=/ ; USER=cinder ; COMMAND=/usr/bin/find /proc/8/fd/ -ilname socket* -printf %l\n
Aug 16 09:53:59 controller-0.alejandro.ftw sudo[149072]: nova : command not allowed ; TTY=unknown ; PWD=/ ; USER=nova ; COMMAND=/usr/bin/find /proc/8/fd/ -ilname socket* -printf %l\n
Aug 16 09:53:59 controller-0.alejandro.ftw sudo[149075]: nova : command not allowed ; TTY=unknown ; PWD=/ ; USER=nova ; COMMAND=/usr/bin/find /proc/32/fd/ -ilname socket* -printf %l\n
Aug 16 09:53:59 controller-0.alejandro.ftw sudo[149078]: nova : command not allowed ; TTY=unknown ; PWD=/ ; USER=nova ; COMMAND=/usr/bin/find /proc/33/fd/ -ilname socket* -printf %l\n
Aug 16 09:53:59 controller-0.alejandro.ftw sudo[149205]: nova : command not allowed ; TTY=unknown ; PWD=/ ; USER=nova ; COMMAND=/usr/bin/find /proc/6/fd/ -ilname socket* -printf %l\n
Aug 16 09:53:59 controller-0.alejandro.ftw sudo[149209]: nova : command not allowed ; TTY=unknown ; PWD=/ ; USER=nova ; COMMAND=/usr/bin/find /proc/30/fd/ -ilname socket* -printf %l\n
Aug 16 09:53:59 controller-0.alejandro.ftw sudo[149212]: nova : command not allowed ; TTY=unknown ; PWD=/ ; USER=nova ; COMMAND=/usr/bin/find /proc/31/fd/ -ilname socket* -printf %l\n

Bogdan Dobrelya (bogdando) wrote :

That spoils the healthchecks work in it

Changed in tripleo:
importance: Low → Medium
Bogdan Dobrelya (bogdando) wrote :

We could approach fixing that via rootwrap filters based healthcheck command, like I prototyped earlier in https://review.opendev.org/c/openstack/tripleo-heat-templates/+/693369

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)
Changed in tripleo:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-common (master)
Cédric Jeanneret (cjeanner) wrote :

Quick history:
- first, podman healthchecks were launched from a dedicated systemd unit, and were launched as "root" (podman exec --user root)
- now, it's using the native thing, and I suspect it's using the actual USER set in the Dockerfile (hence, "nova", "cinder", and so on)

The current way sudo is called is in order to allow the root user to run the find as the actual container user.

Soooo... I think the easiest way to correct this issue is just to drop the "sudo -u $puser"... Would that make any sense, Bogdan?

Cédric Jeanneret (cjeanner) wrote :

I think it's a win:

[root@oc0-controller-0 ~]# podman healthcheck run heat_engine
unhealthy
[root@oc0-controller-0 ~]# podman exec -u root -ti heat_engine bash
[root@oc0-controller-0 /]# vi /usr/share/openstack-tripleo-common/healthcheck/common.sh
## Here, I edit the file to remove "sudo -u $puser"
[root@oc0-controller-0 /]# exit
[root@oc0-controller-0 ~]# podman healthcheck run heat_engine
healthy

Running a "journalctl -f | grep sudo" in parallel shows the error for the first run:
Aug 17 09:17:04 oc0-controller-0 sudo[365895]: heat : command not allowed ; TTY=unknown ; PWD=/ ; USER=heat ; COMMAND=/usr/bin/find /proc/8/fd/ -ilname socket* -printf %l\n

Once I remove that sudo call, it's clean. And healthy.
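
An added example, not part of the original thread or of tripleo-common: a small triage script for the sudo denials quoted above. It separates denials where the caller and the target USER are the same account (the redundant-sudo pattern in this bug) from denials that ask for a different identity. The sample lines and host name are constructed, and the last line is an assumed contrast case.

```python
import re
from collections import Counter

# Constructed sample lines in the journal format quoted in this bug report.
SAMPLE = r"""
Aug 16 09:53:57 controller-0.example sudo[148918]: cinder : command not allowed ; TTY=unknown ; PWD=/ ; USER=cinder ; COMMAND=/usr/bin/find /proc/8/fd/ -ilname socket* -printf %l\n
Aug 16 09:53:59 controller-0.example sudo[149072]: nova : command not allowed ; TTY=unknown ; PWD=/ ; USER=nova ; COMMAND=/usr/bin/find /proc/8/fd/ -ilname socket* -printf %l\n
Aug 16 09:53:59 controller-0.example sudo[149075]: nova : command not allowed ; TTY=unknown ; PWD=/ ; USER=nova ; COMMAND=/usr/bin/find /proc/32/fd/ -ilname socket* -printf %l\n
Aug 16 09:54:01 controller-0.example sudo[149300]: nova : command not allowed ; TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/less /var/log/messages
""".strip().splitlines()

# caller = account that invoked sudo, target = account requested with -u.
DENIED = re.compile(
    r"sudo\[\d+\]:\s+(?P<caller>\S+) : command not allowed ;"
    r".*?USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$"
)
PROC_PID = re.compile(r"/proc/\d+/")


def triage(lines):
    """Group sudo denials by (caller, target, normalised command).

    Returns (self_sudo, other) as Counters keyed by that tuple. A denial with
    caller == target matches this bug: the process already runs as the
    intended user, so the sudo wrapper is redundant. Any other denial asked
    for a different identity and deserves a closer look.
    """
    self_sudo, other = Counter(), Counter()
    for line in lines:
        m = DENIED.search(line)
        if not m:
            continue  # not a "command not allowed" record
        # Collapse per-process paths so one healthcheck yields one key.
        command = PROC_PID.sub("/proc/<pid>/", m["command"])
        key = (m["caller"], m["target"], command)
        (self_sudo if m["caller"] == m["target"] else other)[key] += 1
    return self_sudo, other


if __name__ == "__main__":
    redundant, review = triage(SAMPLE)
    for label, counter in (("redundant self-sudo", redundant), ("review", review)):
        for (caller, target, command), n in counter.items():
            print(f"{label}: {caller} -> {target} x{n}: {command}")
```
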

OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-common (master)

Change abandoned by "Bogdan Dobrelya <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/tripleo-common/+/804706
Reason: sudo can be removed instead

Changed in tripleo:
status: In Progress → Triaged
OpenStack Infra (hudson-openstack) wrote : Change abandoned on puppet-tripleo (master)

Change abandoned by "Bogdan Dobrelya <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/puppet-tripleo/+/804702
Reason: sudo can be removed instead

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-common (master)

Reviewed: https://review.opendev.org/c/openstack/tripleo-common/+/804838
Committed: https://opendev.org/openstack/tripleo-common/commit/36a7a4d093470ffe5d970cc288da292714b48f2a
Submitter: "Zuul (22348)"
Branch: master

commit 36a7a4d093470ffe5d970cc288da292714b48f2a
Author: Cédric Jeanneret <email address hidden>
Date: Tue Aug 17 11:51:20 2021 +0200

    Remove now useless sudo call for port check

    Back then, the "sudo" was needed because healthchecks were running as
    root, using a paunch created systemd unit/timer calling "podman exec
    --user root".

    Now that we're using native healthchecks, we can get rid of the sudo
    call, since it's already using as the intended user.

    Closes-Bug: #1940068

    Change-Id: I7eaabc91005952aa956456944c46224f08f4c7f8

Changed in tripleo:
status: Triaged → Fix Released
Changed in tripleo:
assignee: nobody → Cédric Jeanneret (cjeanner)
tags: added: train-backport-potential ussuri-backport-potential wallaby-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-common (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/tripleo-common/+/804863

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-common (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/tripleo-common/+/804864

tags: added: victoria-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-common (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/tripleo-common/+/804865

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-common (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/tripleo-common/+/804866

tags: removed: train-backport-potential ussuri-backport-potential victoria-backport-potential
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-common (stable/train)

Change abandoned by "Cedric Jeanneret <email address hidden>" on branch: stable/train
Review: https://review.opendev.org/c/openstack/tripleo-common/+/804866
Reason: no need for train

OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-common (stable/ussuri)

Change abandoned by "Cedric Jeanneret <email address hidden>" on branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/tripleo-common/+/804865
Reason: no need for ussuri

OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-common (stable/victoria)

Change abandoned by "Cedric Jeanneret <email address hidden>" on branch: stable/victoria
Review: https://review.opendev.org/c/openstack/tripleo-common/+/804864
Reason: no need for victoria

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-common (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/tripleo-common/+/804863
Committed: https://opendev.org/openstack/tripleo-common/commit/69e5827ec6adfb0e436933bc8e03885f6254b098
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 69e5827ec6adfb0e436933bc8e03885f6254b098
Author: Cédric Jeanneret <email address hidden>
Date: Tue Aug 17 11:51:20 2021 +0200

    Remove now useless sudo call for port check

    Back then, the "sudo" was needed because healthchecks were running as
    root, using a paunch created systemd unit/timer calling "podman exec
    --user root".

    Now that we're using native healthchecks, we can get rid of the sudo
    call, since it's already using as the intended user.

    Closes-Bug: #1940068

    Change-Id: I7eaabc91005952aa956456944c46224f08f4c7f8
    (cherry picked from commit 36a7a4d093470ffe5d970cc288da292714b48f2a)

tags: added: in-stable-wallaby
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-common 16.2.0

This issue was fixed in the openstack/tripleo-common 16.2.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-common 15.4.0

This issue was fixed in the openstack/tripleo-common 15.4.0 release.
