Bug 894733
| Summary: | packstack: keystonerc_admin file generation: assumes '/root' exists, stores keystonerc_admin file with too much permissions | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Yaniv Kaul <ykaul> |
| Component: | openstack-packstack | Assignee: | Martin Magr <mmagr> |
| Status: | CLOSED ERRATA | QA Contact: | Omri Hochman <ohochman> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 2.0 (Folsom) | CC: | aortega, apevec, derekh, jkt, ykaul |
| Target Milestone: | snapshot4 | Keywords: | Triaged |
| Target Release: | 2.1 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | openstack-packstack-2012.2.3-0.1.dev454 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-03-21 18:23:09 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description
Yaniv Kaul
2013-01-13 15:09:18 UTC
Fix for permissions submitted here https://review.openstack.org/#/c/19763/

Still have to figure out how to unhard code /root

(In reply to comment #2)
> Fix for permissions submitted here
> https://review.openstack.org/#/c/19763/
>
> Still have to figure out how to unhard code /root

In Python it'd be pwd.getpwnam('root').pw_dir
Not sure how you'd put the result of the above into the Puppet script.

Yup, unfortunately I'm not running Python on the server in question, so it's not an option that's open to me.

The solution was a custom facter fact
fix proposed upstream https://review.openstack.org/#/c/19797/

Reopening. I've changed root home directory to /testdir and ran packstack.
packstack failed with the following errors:
packstack output: http://pastebin.test.redhat.com/124825

Yup confirmed, although the keystonerc_admin file is now being created in the correct place. The changed home directory is causing problems with the mysql module.

Fix for MySQL module committed upstream:
https://github.com/packstack/puppetlabs-mysql/commit/0db9759988b7a24efef5bf09c486dcdfcd8e772e
https://github.com/packstack/puppetlabs-mysql/commit/1c66bf7b1254029b943ea92085729672ee5c8ebc

(In reply to comment #10)
> Fix for MySQL module committed upstream:
> https://github.com/packstack/puppetlabs-mysql/commit/
> 0db9759988b7a24efef5bf09c486dcdfcd8e772e
> https://github.com/packstack/puppetlabs-mysql/commit/
> 1c66bf7b1254029b943ea92085729672ee5c8ebc

1) mkdir '/testdir'.
2) Changed the root home directory /etc/passwd --> root:x:0:0:root:/testdir:/bin/bash
3) reboot.
3) Launch packstack (in interactive mode)

For some reason after changing root home directory, when running packstack, it kept asking over and over for the 'root password'. Eventually failed with error.

Note:
------
A) I changed the root home directory back to /root -> the installation completed successfully.
B) Under /root the file 'keystonerc_admin' is no longer too permissive:
-rw-------. 1 root root 182 Mar 10 12:25 keystonerc_admin

------------------------------------------------------------------------------
Adding QPID manifest entries... [ DONE ]
Adding Keystone manifest entries... [ DONE ]
Adding Glance Keystone manifest entries... [ DONE ]
Adding Glance manifest entries... [ DONE ]
Adding Cinder Keystone manifest entries... [ DONE ]
Checking if the Cinder server has a cinder-volumes vg...root.160.11's password: root.160.11's password: [ DONE ]
Adding Cinder manifest entries... [ DONE ]
Adding Nova API manifest entries... [ DONE ]
Adding Nova Keystone manifest entries... [ DONE ]
Adding Nova Cert manifest entries... [ DONE ]
Adding Nova Compute manifest entries...root.160.11's password: root.160.11's password: [ DONE ]
Adding Nova Network manifest entries...root.160.11's password: root.160.11's password: root.160.11's password: root.160.11's password: [ DONE ]
Adding Nova Scheduler manifest entries... [ DONE ]
Adding Nova VNC Proxy manifest entries... [ DONE ]
Adding Nova Common manifest entries... [ DONE ]
Adding OpenStack Client manifest entries...root.160.11's password: [ DONE ]
Adding Horizon manifest entries... [ DONE ]
Adding Swift Keystone manifest entries... [ DONE ]
Adding Swift builder manifest entries... [ DONE ]
Adding Swift proxy manifest entries... [ DONE ]
Adding Swift storage manifest entries... [ DONE ]
Adding Swift common manifest entries... [ DONE ]
Preparing servers...root.160.11's password: [ DONE ]
Adding post install manifest entries... [ DONE ]
Installing Dependencies...root.160.11's password:

/var/tmp/packstack/20130310-115604-QW68UJ/openstack-setup.log:
--------------------------------------------------------------
2013-03-10 11:59:21::INFO::cinder_250::157::root:: A new cinder volumes group will be created
2013-03-10 12:05:23::ERROR::common_utils::403::root:: ============= STDERR ==========
2013-03-10 12:05:23::ERROR::common_utils::404::root:: Warning: Permanently added '10.35.160.11' (RSA) to the list of known hosts.
Connection closed by UNKNOWN
2013-03-10 12:05:23::ERROR::run_setup::605::root:: Error running remote script:
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/packstack/installer/run_setup.py", line 593, in _main
    runSequences()
  File "/usr/lib/python2.6/site-packages/packstack/installer/run_setup.py", line 569, in runSequences
    controller.runAllSequences()
  File "/usr/lib/python2.6/site-packages/packstack/installer/setup_controller.py", line 62, in runAllSequences
    sequence.run()
  File "/usr/lib/python2.6/site-packages/packstack/installer/setup_sequences.py", line 153, in run
    step.run()
  File "/usr/lib/python2.6/site-packages/packstack/installer/setup_sequences.py", line 60, in run
    function()
  File "/usr/lib/python2.6/site-packages/packstack/plugins/puppet_950.py", line 73, in installdeps
    server.execute()
  File "/usr/lib/python2.6/site-packages/packstack/installer/common_utils.py", line 411, in execute
    '%s' % stdoutdata)
ScriptRuntimeError: Error running remote script:
2013-03-10 12:05:23::INFO::run_setup::626::root:: Removing /var/tmp/packstack/ff45d533c62249a0a257a9fdc5d914c2 on 10.35.160.11 (if it is a remote host)
2013-03-10 12:05:26::INFO::run_setup::626::root:: Removing /var/tmp/packstack/d5048ad0525d47daad1eb48f997549da on 10.35.160.13 (if it is a remote host)
2013-03-10 12:05:26::INFO::run_setup::534::root:: * A new answerfile was created in: /testdir/packstack-answers-20130310-115858.txt
2013-03-10 12:05:26::INFO::run_setup::534::root:: * Time synchronization installation was skipped. Please note that unsynchronized time on server instances might be problem for some OpenStack components.
2013-03-10 12:05:26::INFO::run_setup::534::root:: * To use the command line tools you need to source the file /testdir/keystonerc_admin created on 10.35.160.11
2013-03-10 12:05:26::INFO::run_setup::534::root:: * ESC[0;31mNOTEESC[0m : A default self signed certificate was used for ssl, You should change the ssl certificate configured in /etc/httpd/conf.d/ssl.conf on 10.35.160.11 to use a CA signed cert.
2013-03-10 12:05:26::INFO::run_setup::534::root:: * To use the console, browse to https://10.35.160.11/dashboard
2013-03-10 12:05:26::INFO::run_setup::534::root:: * ESC[0;31mERROR : Error running remote script: ESC[0m
2013-03-10 12:05:26::INFO::run_setup::534::root:: * Please check log file /var/tmp/packstack/20130310-115604-QW68UJ/openstack-setup.log for more information

(In reply to comment #12)
Tested with: openstack-packstack-2012.2.3-0.1.dev454.el6ost.noarch
The credentials 'keystonerc_admin' are fine. The issue that is still relevant is packstack failure when changing the root home directory.

The problems here are ssh path permission and SELinux. If you change your root home directory, you also have to set proper mode:
chmod 0700 /testdir
chmod 0700 /testdir/.ssh
chmod 0600 /testdir/.ssh/authorized_keys
You also have to set proper SELinux booleans for /testdir/.ssh/authorized_keys. Not sure how to do that and unfortunately I don't have time to google around, but if you test packstack in permissive mode, it will work OK even with a changed root home.

Just tried all-in-one installation:
[para@virtual-rhel-beta ~]$ packstack --answer-file=ans.txt
Welcome to Installer setup utility
Installing:
Clean Up... [ DONE ]
Setting up ssh keys... [ DONE ]
Adding pre install manifest entries... [ DONE ]
Adding MySQL manifest entries... [ DONE ]
Adding QPID manifest entries... [ DONE ]
Adding Keystone manifest entries... [ DONE ]
Adding Glance Keystone manifest entries... [ DONE ]
Adding Glance manifest entries... [ DONE ]
Adding Cinder Keystone manifest entries... [ DONE ]
Checking if the Cinder server has a cinder-volumes vg... [ DONE ]
Adding Cinder manifest entries... [ DONE ]
Adding Nova API manifest entries... [ DONE ]
.....
Applying 192.168.122.154_postscript.pp
192.168.122.154_postscript.pp : [ DONE ]
[ DONE ]
**** Installation completed successfully ******
(Please allow Installer a few moments to start up.....)
Additional information:
* Time synchronization installation was skipped. Please note that unsynchronized time on server instances might be problem for some OpenStack components.
* Did not create a cinder volume group, one already existed
* To use the command line tools you need to source the file /roothome/keystonerc_admin created on 192.168.122.154
* To use the console, browse to http://192.168.122.154/dashboard
* The installation log file is available at: /var/tmp/packstack/20130311-164930-psPxmM/openstack-setup.log
[para@virtual-rhel-beta ~]$ su -c 'echo $HOME'
Password:
/roothome
[para@virtual-rhel-beta ~]$
I'm expecting that people who change the home directory to something other than /root will know what they are doing and will set their SELinux booleans properly themselves. So I'm setting this bug back to ON_QA so you can try it in permissive mode.
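Added example, not part of the comment above and not packstack code: a Python check that reports which of the three paths named in the chmod commands are wider than the modes given there. The function name `audit_ssh_paths` and the optional `uid` ownership check are assumptions of this example; it looks only at modes and ownership, not at SELinux labels.

```python
import os
import stat

# Upper bounds taken from the chmod commands in the comment above:
# home 0700, home/.ssh 0700, home/.ssh/authorized_keys 0600.
EXPECTED = [("", 0o700), (".ssh", 0o700), (".ssh/authorized_keys", 0o600)]


def audit_ssh_paths(home, uid=None):
    """Return a list of (path, problem) for every path that fails the check.

    home -- the account's home directory (e.g. the relocated /testdir)
    uid  -- if given, each path must be owned by this uid (hypothetical extra check)
    """
    findings = []
    for rel, max_mode in EXPECTED:
        path = os.path.join(home, rel) if rel else home
        try:
            st = os.lstat(path)  # lstat: do not follow a symlink planted in the path
        except FileNotFoundError:
            findings.append((path, "missing"))
            continue
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "is a symlink"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        extra = mode & ~max_mode  # permission bits beyond the allowed maximum
        if extra:
            findings.append((path, "mode %04o has extra bits %04o" % (mode, extra)))
        if uid is not None and st.st_uid != uid:
            findings.append((path, "owned by uid %d, expected %d" % (st.st_uid, uid)))
    return findings


if __name__ == "__main__":
    import pwd
    entry = pwd.getpwnam("root")  # resolves the real home, wherever it was moved
    for path, problem in audit_ssh_paths(entry.pw_dir, uid=entry.pw_uid):
        print("%s: %s" % (path, problem))
```
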
Verified - openstack-packstack-2012.2.3-0.5.dev475.el6ost.noarch.
Installation completed successfully when SELinux is in Permissive mode and the root home directory is changed from /root to /testdir.
10.35.160.15_osclient.pp : [ DONE ]
10.35.160.15_horizon.pp : [ DONE ]
Applying 10.35.160.15_postscript.pp
10.35.160.15_postscript.pp : [ DONE ]
[ DONE ]
**** Installation completed successfully ******
Additional information:
* A new answerfile was created in: /testdir/packstack-answers-20130317-165928.txt
* Time synchronization installation was skipped. Please note that unsynchronized time on server instances might be problem for some OpenStack components.
* To use the command line tools you need to source the file /testdir/keystonerc_admin created on 10.35.160.15
* To use the console, browse to http://10.35.160.15/dashboard
* The installation log file is available at: /var/tmp/packstack/20130317-165842-_1asgB/openstack-setup.log
-bash-4.1# su -c 'echo $HOME'
/testdir
-bash-4.1# getenforce
Permissive
-bash-4.1#
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0671.html
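Added example, not packstack's actual fix (which, per the thread, was made in the Puppet manifests and a custom facter fact): the two defects in the summary shown in Python, with the home directory looked up via `pwd.getpwnam` as suggested in the thread and the credentials file created with mode 0600 from the start. The function names and the sample file contents are constructed for this example.

```python
import os
import pwd
import stat
import tempfile

# Constructed sample contents; the password value is a placeholder.
SAMPLE_RC = "export OS_USERNAME=admin\nexport OS_PASSWORD=EXAMPLE-ONLY\n"


def home_of(user="root"):
    """Look the home directory up in the passwd database instead of assuming /root."""
    return pwd.getpwnam(user).pw_dir


def write_rc_insecure(path, contents):
    """'Before' pattern: the mode is left to the umask (0644 under the usual 022)."""
    with open(path, "w") as fh:
        fh.write(contents)


def write_rc_private(path, contents):
    """Write the credentials so they are never readable by group or others."""
    directory = os.path.dirname(path)
    # mkstemp creates its file with mode 0600 regardless of the umask, so the
    # secret is private before the first byte is written.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".keystonerc.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(contents)
        # Atomic rename; also replaces an older copy that had a wider mode.
        os.replace(tmp, path)
    except Exception:
        os.unlink(tmp)
        raise


def mode_of(path):
    """Permission bits of path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    target = os.path.join(home_of("root"), "keystonerc_admin")
    print("credentials file belongs at %s with mode 0600" % target)
```
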