Bug 1614814

Summary: [SHE] Remove 'sudo' from _check_service on HE Hosts
Product: Red Hat Enterprise Virtualization Manager
Reporter: Javier Coscia <jcoscia>
Component: ovirt-hosted-engine-ha
Assignee: Simone Tiraboschi <stirabos>
Status: CLOSED ERRATA
QA Contact: meital avital <mavital>
Severity: medium
Priority: unspecified
Version: 4.2.5
CC: gdeolive, irosenzw, lsurette, lsvaty, pmatyas, stirabos
Target Milestone: ovirt-4.2.7
Keywords: ZStream
Target Release: ---
Flags: pmatyas: testing_plan_complete+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ovirt-hosted-engine-ha-2.2.17-1.el7ev.noarch.rpm
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2018-11-05 15:03:31 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: Integration
Cloudforms Team: ---
Bug Blocks: 1629887

Description Javier Coscia 2018-08-10 13:26:10 UTC
Description of problem:

When configuring sudolog@info on any Hosted Engine Host, the logs will be flooded, among other messages, with:

~~~
Aug 10 08:30:41 sudo[6278] exec /sbin/service [service vdsmd status]
Aug 10 08:30:41 sudo[6296] exec /sbin/service [service sanlock status]
~~~

If you also have LDAP configured to log this kind of event on a remote system, the network traffic will increase; the call is being made every 10 seconds for each HE Host.

systemctl status $service doesn't require sudo privileges, so we should remove the 'sudo' invocation in _check_service 



Version-Release number of selected component (if applicable):

ovirt-hosted-engine-ha-2.2.16-1.el7ev.noarch.rpm

How reproducible:

100%

Steps to Reproduce:
1. Deploy a Self HostedEngine environment
2. Configure sudo to log with INFO (comment out Debug sudo line in /etc/sudo.conf) or have a remote system logging sudo commands
3. Check flood of 'systemctl status $service' in sudo log

Actual results:

'systemctl status $service' where $service is both vdsmd and sanlock, is being executed with sudo privileges

Expected results:

'systemctl status $service' doesn't need additional sudo privileges

Additional info:

We should remove sudo from _check_services in ovirt_hosted_engine_ha/agent/hosted_engine.py

Comment 1 Javier Coscia 2018-08-14 00:18:50 UTC
Is there a workaround we could share with users in regards to disabling sudo from hosted_engine.py?

Setting NI on Ido since Simone is OOO.

Comment 2 Jiri Belka 2018-09-18 13:35:59 UTC
ok, ovirt-hosted-engine-setup-2.2.28-0.0.master.20180917152606.git1a3b790.el7.noarch

~~~
# grep 'service.*status' /var/log/sudo_debug
# grep 'service' /var/log/sudo_debug
Sep 14 14:21:46 sudo[30960]     0: command=/sbin/service
Sep 14 14:21:46 sudo[30960] executed /sbin/service, pid 30963
Sep 14 14:21:46 sudo[30963] exec /sbin/service [/sbin/service vhostmd stop]
~~~
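
Added example (not part of this bug report or of ovirt-hosted-engine-ha): a check that goes one step beyond the grep above by parsing sudo `exec` lines in the format quoted in this report and listing the commands that recur at a short, steady interval. The function name, thresholds, assumed year and the sample log are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Matches sudo debug-log "exec" lines in the format quoted in this report.
EXEC_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) sudo\[(?P<pid>\d+)\] "
    r"exec (?P<path>\S+) \[(?P<argv>[^\]]*)\]$"
)

def periodic_sudo_commands(lines, min_runs=3, max_interval=60, year=2018):
    """Return {argv: median gap in seconds} for sudo commands that ran at
    least min_runs times with a median gap of max_interval seconds or less.
    All three thresholds are assumptions; tune them to the environment."""
    seen = defaultdict(list)
    for line in lines:
        m = EXEC_RE.match(line.strip())
        if not m:
            continue  # "command=" / "executed" lines carry no argv; skip them
        # syslog timestamps have no year, so one is supplied by the caller
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        seen[m["argv"]].append(ts)
    noisy = {}
    for argv, stamps in seen.items():
        if len(stamps) < min_runs:
            continue  # one-off administrative commands are not a flood
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if median(gaps) <= max_interval:
            noisy[argv] = median(gaps)
    return noisy

# Constructed sample: two status checks repeating every 10 s plus one one-off.
SAMPLE_LOG = """\
Aug 10 08:30:41 sudo[6278] exec /sbin/service [service vdsmd status]
Aug 10 08:30:41 sudo[6296] exec /sbin/service [service sanlock status]
Aug 10 08:30:51 sudo[6341] exec /sbin/service [service vdsmd status]
Aug 10 08:30:51 sudo[6359] exec /sbin/service [service sanlock status]
Aug 10 08:31:01 sudo[6402] exec /sbin/service [service vdsmd status]
Aug 10 08:31:01 sudo[6420] exec /sbin/service [service sanlock status]
Aug 10 08:31:07 sudo[6433]     0: command=/sbin/service
Aug 10 08:31:07 sudo[6436] exec /sbin/service [/sbin/service vhostmd stop]
"""

if __name__ == "__main__":
    for argv, gap in periodic_sudo_commands(SAMPLE_LOG.splitlines()).items():
        print(f"{argv!r} runs under sudo about every {gap:.0f}s")
```

On a fixed host the result should be empty for the `status` commands, while one-off entries such as the `vhostmd stop` line never reach the run-count threshold.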

Comment 5 errata-xmlrpc 2018-11-05 15:03:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3481

Comment 7 Daniel Gur 2019-08-28 13:13:27 UTC
sync2jira

Comment 8 Daniel Gur 2019-08-28 13:17:40 UTC
sync2jira