Zun

Error on running privsep helper command

Bug #1749342 reported by hongbin
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Zun
Fix Released
Critical
hongbin
Queens
Fix Committed
Undecided
hongbin

Bug Description

If the user (i.e. ubuntu, stack) doesn't have passwordless sudo privilege, zun will fail on cinder volume bindmount. Here is the error:

  http://paste.openstack.org/show/671319/

This is because we need to use "sudo" for running privsep help command (in os-brick). We need to use rootwrap this this purpose.

We need to (i) setup rootwrap in devstack and (ii) document this in installation guide.

UPDATE(2018-07-28):

Zun has switched to privsep to execute privileged command

* Code: https://review.openstack.org/#/c/544155/
* Doc: https://review.openstack.org/#/c/554021/

Kolla-ansible needs to be updated to configure rootwrap for privsep when deploying zun-compute.

hongbin (hongbin034)
Changed in zun:
importance: Undecided → Critical
status: New → Triaged
assignee: nobody → hongbin (hongbin034)
description: updated
Changed in zun:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to zun (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/554021

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to zun (master)

Reviewed: https://review.openstack.org/544155
Committed: https://git.openstack.org/cgit/openstack/zun/commit/?id=d412de7100058f4a362cf58bd11f88b31b500f77
Submitter: Zuul
Branch: master

commit d412de7100058f4a362cf58bd11f88b31b500f77
Author: Hongbin Lu <email address hidden>
Date: Wed Feb 14 02:55:07 2018 +0000

    Introduce rootwrap and filter

    If the zun-compute process is owned by a user who doesn't have
    passwordless sudo privilege, zun-compute will fail to run
    privileged command (e.g. sudo privsep-helper ...).

    A native solution is to grant passwordless sudo to the user
    who owns the zun process, but the best practice is to leverage
    Rootwrap [1], which can restrict the privilege escalation.

    This patch make Zun leverage Rootwrap. In particular, it does
    the following:
    * Setup Rootwrap in the Zun devstack plugin
    * Introduce a sample rootwrap config file
    * Introduce sample rootwrap filters for executing privsep-helper
    * Introduce a root helper which basically adds "sudo zun-rootwrap"
      to the beginning of the command to be execute.
    * Initialize privsep to use the Zun's root helper

    [1] https://wiki.openstack.org/wiki/Rootwrap

    Closes-Bug: #1749342
    Needed-By: I69c47d25fa53f8e08efad9daa71d2f550425a5e7
    Change-Id: I3ca5d853588b3705cb6cb2410df16e16a621c030

Changed in zun:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to zun (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/554551

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to zun (stable/queens)

Reviewed: https://review.openstack.org/554551
Committed: https://git.openstack.org/cgit/openstack/zun/commit/?id=d9098aab26b82a0f78c8c5e72f76da600279e6b9
Submitter: Zuul
Branch: stable/queens

commit d9098aab26b82a0f78c8c5e72f76da600279e6b9
Author: Hongbin Lu <email address hidden>
Date: Wed Feb 14 02:55:07 2018 +0000

    Introduce rootwrap and filter

    If the zun-compute process is owned by a user who doesn't have
    passwordless sudo privilege, zun-compute will fail to run
    privileged command (e.g. sudo privsep-helper ...).

    A native solution is to grant passwordless sudo to the user
    who owns the zun process, but the best practice is to leverage
    Rootwrap [1], which can restrict the privilege escalation.

    This patch make Zun leverage Rootwrap. In particular, it does
    the following:
    * Setup Rootwrap in the Zun devstack plugin
    * Introduce a sample rootwrap config file
    * Introduce sample rootwrap filters for executing privsep-helper
    * Introduce a root helper which basically adds "sudo zun-rootwrap"
      to the beginning of the command to be execute.
    * Initialize privsep to use the Zun's root helper

    [1] https://wiki.openstack.org/wiki/Rootwrap

    Closes-Bug: #1749342
    Needed-By: I69c47d25fa53f8e08efad9daa71d2f550425a5e7
    Change-Id: I3ca5d853588b3705cb6cb2410df16e16a621c030
    (cherry picked from commit d412de7100058f4a362cf58bd11f88b31b500f77)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to zun (stable/queens)

Related fix proposed to branch: stable/queens
Review: https://review.openstack.org/555978

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to zun (stable/queens)

Reviewed: https://review.openstack.org/555978
Committed: https://git.openstack.org/cgit/openstack/zun/commit/?id=dea6321543c1ad65890436167833cc880acf959e
Submitter: Zuul
Branch: stable/queens

commit dea6321543c1ad65890436167833cc880acf959e
Author: Hongbin Lu <email address hidden>
Date: Sun Mar 18 03:36:13 2018 +0000

    install-guide: add steps to configure rootwrap

    We need to configure rootwrap to start privsep daemon that is
    used to execute privilege commands. Otherwise, all the shell
    commands are not going to work.

    Related-Bug: #1749342
    Change-Id: I91e55f292e1ae247081e5728df70da81207e44b8

tags: added: in-stable-queens
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to zun (master)

Reviewed: https://review.openstack.org/554021
Committed: https://git.openstack.org/cgit/openstack/zun/commit/?id=f7e2c2defce832c155b1f0e542e75e51e63a6699
Submitter: Zuul
Branch: master

commit f7e2c2defce832c155b1f0e542e75e51e63a6699
Author: Hongbin Lu <email address hidden>
Date: Sun Mar 18 03:36:13 2018 +0000

    install-guide: add steps to configure rootwrap

    We need to configure rootwrap to start privsep daemon that is
    used to execute privilege commands. Otherwise, all the shell
    commands are not going to work.

    Related-Bug: #1749342
    Change-Id: I91e55f292e1ae247081e5728df70da81207e44b8

Revision history for this message
hongbin (hongbin034) wrote :

Zun has switched to privsep to execute privileged command

* Code: https://review.openstack.org/#/c/544155/
* Doc: https://review.openstack.org/#/c/554021/

Kolla-ansible needs to be updated to configure rootwrap for privsep when deploying zun-compute.

description: updated
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to zun (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/586842

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/zun 2.0.0

This issue was fixed in the openstack/zun 2.0.0 release.

Revision history for this message
Eduardo Gonzalez (egonzalez90) wrote :

Zun in kolla uses root user.

Could you please share some log about the issue in kolla?

Regards

Changed in kolla-ansible:
status: New → Incomplete
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to zun (master)

Reviewed: https://review.openstack.org/586842
Committed: https://git.openstack.org/cgit/openstack/zun/commit/?id=7572495c997a6c5f230f0037b1f1ae36053f8f4e
Submitter: Zuul
Branch: master

commit 7572495c997a6c5f230f0037b1f1ae36053f8f4e
Author: Hongbin Lu <email address hidden>
Date: Sat Jul 28 20:46:05 2018 +0000

    Add the missing dependency on rootwrap

    Change-Id: Iaa97afabe72cd436b41d8ca7530a0e84d1888f00
    Closes-Bug: #1784177
    Related-Bug: #1749342

hongbin (hongbin034)
no longer affects: kolla-ansible
Revision history for this message
hongbin (hongbin034) wrote :

@Eduardo Gonzalez,

To better track the issue, I created a separated bug in kolla-ansible's launchpad: https://bugs.launchpad.net/kolla-ansible/+bug/1787760 . Please find the log in there.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/zun 1.0.1

This issue was fixed in the openstack/zun 1.0.1 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers