
Error on running privsep helper command

Bug #1749342 reported by hongbin
This bug affects 2 people
Affects   Status         Importance  Assigned to  Milestone
Zun       Fix Released   Critical    hongbin
Queens    Fix Committed  Undecided   hongbin

Bug Description

If the user (i.e. ubuntu, stack) doesn't have passwordless sudo privilege, zun will fail on cinder volume bindmount. Here is the error:

  http://paste.openstack.org/show/671319/

This is because we need to use "sudo" for running the privsep helper command (in os-brick). We need to use rootwrap for this purpose.

We need to (i) setup rootwrap in devstack and (ii) document this in installation guide.

UPDATE(2018-07-28):

Zun has switched to privsep to execute privileged commands.

* Code: https://review.openstack.org/#/c/544155/
* Doc: https://review.openstack.org/#/c/554021/

Kolla-ansible needs to be updated to configure rootwrap for privsep when deploying zun-compute.

hongbin (hongbin034)
Changed in zun:
importance: Undecided → Critical
status: New → Triaged
assignee: nobody → hongbin (hongbin034)
description: updated
Changed in zun:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to zun (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/554021

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to zun (master)

Reviewed: https://review.openstack.org/544155
Committed: https://git.openstack.org/cgit/openstack/zun/commit/?id=d412de7100058f4a362cf58bd11f88b31b500f77
Submitter: Zuul
Branch: master

commit d412de7100058f4a362cf58bd11f88b31b500f77
Author: Hongbin Lu <email address hidden>
Date: Wed Feb 14 02:55:07 2018 +0000

    Introduce rootwrap and filter

    If the zun-compute process is owned by a user who doesn't have
    passwordless sudo privilege, zun-compute will fail to run
    privileged commands (e.g. sudo privsep-helper ...).

    A naive solution is to grant passwordless sudo to the user
    who owns the zun process, but the best practice is to leverage
    Rootwrap [1], which can restrict the privilege escalation.

    This patch makes Zun leverage Rootwrap. In particular, it does
    the following:
    * Set up Rootwrap in the Zun devstack plugin
    * Introduce a sample rootwrap config file
    * Introduce sample rootwrap filters for executing privsep-helper
    * Introduce a root helper which basically adds "sudo zun-rootwrap"
      to the beginning of the command to be executed.
    * Initialize privsep to use Zun's root helper

    [1] https://wiki.openstack.org/wiki/Rootwrap

    Closes-Bug: #1749342
    Needed-By: I69c47d25fa53f8e08efad9daa71d2f550425a5e7
    Change-Id: I3ca5d853588b3705cb6cb2410df16e16a621c030
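
The rootwrap mechanism the commit above describes (a root helper prefixes "sudo zun-rootwrap", and a filter file decides what that wrapper may actually run as root) is easy to misconfigure into "sudo anything". As an added example that is not part of the bug report or of Zun's code, the Python below re-implements the oslo.rootwrap CommandFilter and RegExpFilter matching rules in simplified form and runs constructed command lines through a tight filter and a broad one. The filter entries, the rootwrap.conf path, the privsep context name and the socket paths are constructed sample values, not Zun's real files.

```python
"""Illustration of how a rootwrap filter file confines "sudo zun-rootwrap".

This is an added, simplified re-implementation of the oslo.rootwrap
CommandFilter and RegExpFilter matching rules, written for this page; it is
not oslo.rootwrap or Zun code. All file contents and command lines below are
constructed sample values.
"""
import configparser
import os
import re
import shlex

# Constructed filter file in oslo.rootwrap's [Filters] format. Each entry is
# "name: FilterClass, exec_path, run_as[, arg_regex, ...]". A RegExpFilter
# pins every argument, so the wrapper can only start the privsep helper with
# the argument shape the daemon launcher uses (the context-name pattern and
# the paths are assumptions, not taken from Zun's real filter file).
TIGHT_FILTERS = """
[Filters]
privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\\.\\.).*, --privsep_context, zun\\..*, --privsep_sock_path, /tmp/.*
"""

# Constructed contrast: a CommandFilter matches on the executable name only
# and accepts any arguments, which is far broader than the helper needs.
BROAD_FILTERS = """
[Filters]
privsep-any: CommandFilter, privsep-helper, root
"""


def load_filters(text):
    """Parse a filter file into (name, kind, exec_path, run_as, arg_regexes)."""
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    filters = []
    for name, spec in parser.items("Filters"):
        fields = [f.strip() for f in spec.split(",")]
        kind, exec_path, run_as, arg_regexes = fields[0], fields[1], fields[2], fields[3:]
        filters.append((name, kind, exec_path, run_as, arg_regexes))
    return filters


def _matches(flt, userargs):
    _name, kind, exec_path, _run_as, arg_regexes = flt
    if not userargs:
        return False
    if kind == "CommandFilter":
        # Executable basename only; the arguments are never inspected.
        return os.path.basename(userargs[0]) == os.path.basename(exec_path)
    if kind == "RegExpFilter":
        # One regex per argument (command word included), each anchored at
        # both ends; a different argument count never matches.
        if len(arg_regexes) != len(userargs):
            return False
        return all(re.match(rx + "$", arg) for rx, arg in zip(arg_regexes, userargs))
    return False  # unknown filter class: deny


def match_command(filters, userargs):
    """Return the run-as user of the first matching filter, or None (denied)."""
    for flt in filters:
        if _matches(flt, userargs):
            return flt[3]
    return None


def root_helper(userargs, rootwrap_conf="/etc/zun/rootwrap.conf"):
    """Shape of the root helper the fix describes: "sudo zun-rootwrap" is
    prepended, so sudo only ever runs the wrapper, and the wrapper consults
    the filters before escalating. The conf path is an assumed example."""
    return ["sudo", "zun-rootwrap", rootwrap_conf] + list(userargs)


# Constructed command lines the wrapper might be asked to run.
LAUNCH_HELPER = shlex.split(
    "privsep-helper --config-file /etc/zun/zun.conf "
    "--privsep_context zun.privileged.default --privsep_sock_path /tmp/tmpx1/privsep.sock"
)
TRAVERSAL = shlex.split(  # config file escapes /etc via ".."
    "privsep-helper --config-file /etc/../tmp/other.conf "
    "--privsep_context zun.privileged.default --privsep_sock_path /tmp/tmpx1/privsep.sock"
)
ODD_SOCKET = shlex.split(  # socket outside the expected /tmp prefix
    "privsep-helper --config-file /etc/zun/zun.conf "
    "--privsep_context zun.privileged.default --privsep_sock_path /var/run/privsep.sock"
)
ARBITRARY = shlex.split("bash -c id")  # not the helper at all


def evaluate():
    """Run every sample through both filter files; True means rootwrap
    would escalate that command to root under that filter file."""
    tight, broad = load_filters(TIGHT_FILTERS), load_filters(BROAD_FILTERS)
    samples = {"launch": LAUNCH_HELPER, "traversal": TRAVERSAL,
               "odd_socket": ODD_SOCKET, "arbitrary": ARBITRARY}
    return {
        name: (match_command(tight, cmd) == "root", match_command(broad, cmd) == "root")
        for name, cmd in samples.items()
    }


if __name__ == "__main__":
    for name, (tight_ok, broad_ok) in evaluate().items():
        print(f"{name:10s} tight={tight_ok!s:5s} broad={broad_ok}")
```

Only the legitimate helper launch passes the tight filter; the broad CommandFilter also lets through the traversal and odd-socket variants because it never looks past the executable name. That gap is exactly what the per-argument RegExpFilter closes, and why a rootwrap filter is preferable to blanket passwordless sudo.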

Changed in zun:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to zun (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/554551

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to zun (stable/queens)

Reviewed: https://review.openstack.org/554551
Committed: https://git.openstack.org/cgit/openstack/zun/commit/?id=d9098aab26b82a0f78c8c5e72f76da600279e6b9
Submitter: Zuul
Branch: stable/queens

commit d9098aab26b82a0f78c8c5e72f76da600279e6b9
Author: Hongbin Lu <email address hidden>
Date: Wed Feb 14 02:55:07 2018 +0000

    Introduce rootwrap and filter

    If the zun-compute process is owned by a user who doesn't have
    passwordless sudo privilege, zun-compute will fail to run
    privileged commands (e.g. sudo privsep-helper ...).

    A naive solution is to grant passwordless sudo to the user
    who owns the zun process, but the best practice is to leverage
    Rootwrap [1], which can restrict the privilege escalation.

    This patch makes Zun leverage Rootwrap. In particular, it does
    the following:
    * Set up Rootwrap in the Zun devstack plugin
    * Introduce a sample rootwrap config file
    * Introduce sample rootwrap filters for executing privsep-helper
    * Introduce a root helper which basically adds "sudo zun-rootwrap"
      to the beginning of the command to be executed.
    * Initialize privsep to use Zun's root helper

    [1] https://wiki.openstack.org/wiki/Rootwrap

    Closes-Bug: #1749342
    Needed-By: I69c47d25fa53f8e08efad9daa71d2f550425a5e7
    Change-Id: I3ca5d853588b3705cb6cb2410df16e16a621c030
    (cherry picked from commit d412de7100058f4a362cf58bd11f88b31b500f77)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to zun (stable/queens)

Related fix proposed to branch: stable/queens
Review: https://review.openstack.org/555978

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to zun (stable/queens)

Reviewed: https://review.openstack.org/555978
Committed: https://git.openstack.org/cgit/openstack/zun/commit/?id=dea6321543c1ad65890436167833cc880acf959e
Submitter: Zuul
Branch: stable/queens

commit dea6321543c1ad65890436167833cc880acf959e
Author: Hongbin Lu <email address hidden>
Date: Sun Mar 18 03:36:13 2018 +0000

    install-guide: add steps to configure rootwrap

    We need to configure rootwrap to start the privsep daemon that is
    used to execute privileged commands. Otherwise, none of the shell
    commands will work.

    Related-Bug: #1749342
    Change-Id: I91e55f292e1ae247081e5728df70da81207e44b8

tags: added: in-stable-queens
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to zun (master)

Reviewed: https://review.openstack.org/554021
Committed: https://git.openstack.org/cgit/openstack/zun/commit/?id=f7e2c2defce832c155b1f0e542e75e51e63a6699
Submitter: Zuul
Branch: master

commit f7e2c2defce832c155b1f0e542e75e51e63a6699
Author: Hongbin Lu <email address hidden>
Date: Sun Mar 18 03:36:13 2018 +0000

    install-guide: add steps to configure rootwrap

    We need to configure rootwrap to start the privsep daemon that is
    used to execute privileged commands. Otherwise, none of the shell
    commands will work.

    Related-Bug: #1749342
    Change-Id: I91e55f292e1ae247081e5728df70da81207e44b8

Revision history for this message
hongbin (hongbin034) wrote :

Zun has switched to privsep to execute privileged commands.

* Code: https://review.openstack.org/#/c/544155/
* Doc: https://review.openstack.org/#/c/554021/

Kolla-ansible needs to be updated to configure rootwrap for privsep when deploying zun-compute.

description: updated
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to zun (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/586842

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/zun 2.0.0

This issue was fixed in the openstack/zun 2.0.0 release.

Revision history for this message
Eduardo Gonzalez (egonzalez90) wrote :

Zun in kolla uses root user.

Could you please share some log about the issue in kolla?

Regards

Changed in kolla-ansible:
status: New → Incomplete
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to zun (master)

Reviewed: https://review.openstack.org/586842
Committed: https://git.openstack.org/cgit/openstack/zun/commit/?id=7572495c997a6c5f230f0037b1f1ae36053f8f4e
Submitter: Zuul
Branch: master

commit 7572495c997a6c5f230f0037b1f1ae36053f8f4e
Author: Hongbin Lu <email address hidden>
Date: Sat Jul 28 20:46:05 2018 +0000

    Add the missing dependency on rootwrap

    Change-Id: Iaa97afabe72cd436b41d8ca7530a0e84d1888f00
    Closes-Bug: #1784177
    Related-Bug: #1749342

hongbin (hongbin034)
no longer affects: kolla-ansible
Revision history for this message
hongbin (hongbin034) wrote :

@Eduardo Gonzalez,

To better track the issue, I created a separate bug in kolla-ansible's launchpad: https://bugs.launchpad.net/kolla-ansible/+bug/1787760. Please find the log in there.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/zun 1.0.1

This issue was fixed in the openstack/zun 1.0.1 release.
