Bug 2213409

Summary: [RHOSP16.2] ceilometer sudoers is required by ceilometer-polling to enable polling ipmi namespace
Product: Red Hat OpenStack
Reporter: Yadnesh Kulkarni <ykulkarn>
Component: openstack-tripleo-heat-templates
Assignee: Yadnesh Kulkarni <ykulkarn>
Status: CLOSED ERRATA
QA Contact: Leonid Natapov <lnatapov>
Severity: high
Docs Contact: mgeary <mgeary>
Priority: high
Version: 16.2 (Train)
CC: apevec, jelynch, lnatapov, mariel, mburns, mrunge, srevivo, ykulkarn
Target Milestone: z6
Keywords: Bugfix, Triaged
Target Release: 16.2 (Train on RHEL 8.4)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: openstack-tripleo-heat-templates-11.6.1-2.20230717085025.1608f56.el8ost
Doc Type: Bug Fix
Doc Text:
Before this update, the IPMI agent container did not spawn because the CeilometerIpmi service was not added to THT Compute roles. With this update, the CeilometerIpmi service is added to all THT Compute roles, and the IPMI agent container is spawned with the `--privilege` flag to run `ipmitool` commands on the host. The data collection service (ceilometer) now captures power metrics.
Clone Of: 2169303
Last Closed: 2023-11-08 19:18:36 UTC
Bug Depends On: 2169303

Description Yadnesh Kulkarni 2023-06-08 05:23:38 UTC
+++ This bug was initially created as a clone of Bug #2169303 +++

Description of problem:

Currently we have two methods to make ceilometer poll the ipmi namespace.
 1) Use ceilometer-polling and enable the ipmi namespace
 2) Use ceilometer-ipmi and use that specific service

However, sudoers is installed only for 2, and this causes the following failure when 1 is used.

example:
https://86528e56a845f286885c-ddf4c57eb5e1f9e1a36bd74aa5f4e0cd.ssl.cf5.rackcdn.com/873444/2/check/puppet-openstack-integration-7-scenario001-tempest-centos-9-stream/7b8abc8/logs/ceilometer/polling.txt
~~~
2023-02-13 03:09:48.050 105607 INFO oslo.privsep.daemon [-] Running privsep helper: ['sudo', 'ceilometer-rootwrap', '/etc/ceilometer/rootwrap.conf', 'privsep-helper', '--privsep_context', 'ceilometer.privsep.sys_admin_pctxt', '--privsep_sock_path', '/tmp/tmpk6fsgjez/privsep.sock']
2023-02-13 03:09:48.078 105607 WARNING oslo.privsep.daemon [-] privsep log: 
2023-02-13 03:09:48.079 105607 WARNING oslo.privsep.daemon [-] privsep log: We trust you have received the usual lecture from the local System
2023-02-13 03:09:48.079 105607 WARNING oslo.privsep.daemon [-] privsep log: Administrator. It usually boils down to these three things:
2023-02-13 03:09:48.079 105607 WARNING oslo.privsep.daemon [-] privsep log: 
2023-02-13 03:09:48.079 105607 WARNING oslo.privsep.daemon [-] privsep log:     #1) Respect the privacy of others.
2023-02-13 03:09:48.079 105607 WARNING oslo.privsep.daemon [-] privsep log:     #2) Think before you type.
2023-02-13 03:09:48.079 105607 WARNING oslo.privsep.daemon [-] privsep log:     #3) With great power comes great responsibility.
2023-02-13 03:09:48.080 105607 WARNING oslo.privsep.daemon [-] privsep log: 
2023-02-13 03:09:48.133 105607 WARNING oslo.privsep.daemon [-] privsep log: sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
2023-02-13 03:09:48.134 105607 WARNING oslo.privsep.daemon [-] privsep log: sudo: a password is required
2023-02-13 03:09:48.137 105607 CRITICAL oslo.privsep.daemon [-] privsep helper command exited non-zero (1)
~~~


How reproducible:

Always

Steps to Reproduce:
1. Start ceilometer-polling with the ipmi namespace enabled
2. Check polling.log

Actual results:
It fails to run the rootwrap command

Expected results:
It succeeds in running the rootwrap command
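
The failure signature in the polling log above can be picked out automatically. The following is an added example, not part of the original report or of ceilometer: it correlates `oslo.privsep.daemon` lines by PID and reports privsep helper launches that exited because sudo demanded a password. The function name `find_privsep_failures` and the cause labels are assumptions of this example.

```python
import ast
import re

# oslo.log line shape seen in the report: "<date> <time> <pid> <LEVEL> <logger> [-] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<pid>\d+) "
    r"(?P<level>[A-Z]+) (?P<logger>\S+) \[[^\]]*\] (?P<msg>.*)$"
)
HELPER_PREFIX = "Running privsep helper: "


def find_privsep_failures(lines):
    """Return one finding per privsep helper launch that exited non-zero."""
    pending = {}   # pid -> state of the most recent helper launch by that process
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m or m["logger"] != "oslo.privsep.daemon":
            continue
        pid, msg = m["pid"], m["msg"]
        if msg.startswith(HELPER_PREFIX):
            try:   # the helper argv is logged as a Python list literal
                argv = ast.literal_eval(msg[len(HELPER_PREFIX):])
            except (ValueError, SyntaxError):
                argv = []
            pending[pid] = {"started": m["ts"], "argv": argv, "sudo_denied": False}
        elif pid in pending and "sudo: a password is required" in msg:
            pending[pid]["sudo_denied"] = True
        elif pid in pending and m["level"] == "CRITICAL" and "exited non-zero" in msg:
            state = pending.pop(pid)
            # Label (assumed name): sudo prompted, so no passwordless rule matched the command
            state["cause"] = "sudo_password_required" if state.pop("sudo_denied") else "unknown"
            findings.append(state)
    return findings


# Sample input: four lines copied from the log excerpt in the report
SAMPLE = """\
2023-02-13 03:09:48.050 105607 INFO oslo.privsep.daemon [-] Running privsep helper: ['sudo', 'ceilometer-rootwrap', '/etc/ceilometer/rootwrap.conf', 'privsep-helper', '--privsep_context', 'ceilometer.privsep.sys_admin_pctxt', '--privsep_sock_path', '/tmp/tmpk6fsgjez/privsep.sock']
2023-02-13 03:09:48.133 105607 WARNING oslo.privsep.daemon [-] privsep log: sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
2023-02-13 03:09:48.134 105607 WARNING oslo.privsep.daemon [-] privsep log: sudo: a password is required
2023-02-13 03:09:48.137 105607 CRITICAL oslo.privsep.daemon [-] privsep helper command exited non-zero (1)
""".splitlines()

if __name__ == "__main__":
    for f in find_privsep_failures(SAMPLE):
        print(f["started"], f["cause"], " ".join(f["argv"][:3]))
```

A `sudo_password_required` finding whose argv starts with `sudo ceilometer-rootwrap` corresponds to the condition this bug describes: the polling service ran without the sudoers rule for the rootwrap command.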

Comment 6 Leonid Natapov 2023-09-30 05:39:25 UTC
ceilometer_agent_ipmi is running on compute nodes and there are no errors in the ipmi.log file

Comment 16 errata-xmlrpc 2023-11-08 19:18:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 16.2.6 (Train) bug fix and enhancement advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6307