Bug 1039774

Summary: Neutron rootwrap does not follow packaging guidelines
Product: Red Hat OpenStack
Reporter: Terry Wilson <twilson>
Component: openstack-neutron
Assignee: RHOS Maint <rhos-maint>
Status: CLOSED DUPLICATE
QA Contact: Ofer Blaut <oblaut>
Severity: medium
Priority: medium
Version: 4.0
CC: chrisw, hateya, kchamart, lpeer, yeylon
Target Milestone: async
Keywords: Triaged, ZStream
Target Release: 4.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Clone Of: 984097
Last Closed: 2013-12-13 19:54:07 UTC
Type: Bug
Bug Depends On: 984097
Bug Blocks: 1039528, 1129685

Description Terry Wilson 2013-12-10 00:20:27 UTC
+++ This bug was initially created as a clone of Bug #984097 +++

Description of problem:

This file is wrong and makes quantum rootwrap ineffective:

# tail -1 /etc/sudoers.d/quantum 
quantum ALL = (root) NOPASSWD: SETENV: /usr/bin/quantum-rootwrap


It should be similar to nova and cinder and specify parameters, i.e.:

# tail -1 /etc/sudoers.d/nova 
nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *



See https://wiki.openstack.org/wiki/Packager/Rootwrap


Version-Release number of selected component (if applicable):

# rpm -qf /etc/sudoers.d/quantum
openstack-quantum-2013.1.2-1.el6.noarch

# cat /etc/centos-release 
CentOS release 6.4 (Final)

--- Additional comment from Kashyap Chamarthy on 2013-12-09 05:46:43 EST ---

Can any Neutron folks confirm if the below fix is appropriate:

$ fedpkg clone -B -a openstack-neutron

$ cd openstack-neutron/master

Edit neutron-sudoers file to reflect
 
 neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *

$ git diff 
diff --git a/neutron-sudoers b/neutron-sudoers
index 3786ada..b5448c8 100644
--- a/neutron-sudoers
+++ b/neutron-sudoers
@@ -1,3 +1,3 @@
 Defaults:neutron !requiretty
 
-neutron ALL = (root) NOPASSWD: SETENV: /usr/bin/neutron-rootwrap
+neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
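
Review bot: The new rule on the `+` line still ends in `*`, so sudo accepts any arguments after `/etc/neutron/rootwrap.conf` and all filtering rests on that file. The package should install `/etc/neutron/rootwrap.conf` and the filter directories it names as root-owned and not writable by the neutron user, otherwise pinning the path gains nothing. It would also help to add a short comment in neutron-sudoers saying why the config path is fixed and `SETENV:` was dropped, so a later packaging change does not reintroduce the bare `/usr/bin/neutron-rootwrap` entry.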

--- Additional comment from Terry Wilson on 2013-12-09 19:19:13 EST ---

The correct fix is as you suspected:

-neutron ALL = (root) NOPASSWD: SETENV: /usr/bin/neutron-rootwrap
+neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *

I've fixed this locally and tested it. Build coming soon.

Comment 1 Terry Wilson 2013-12-13 19:54:07 UTC

*** This bug has been marked as a duplicate of bug 1039528 ***