Bug 907389

Summary: vdsm unable to run sudo command
Product: Red Hat Enterprise Virtualization Manager Reporter: Pavel Zhukov <pzhukov>
Component: vdsmAssignee: Yaniv Bronhaim <ybronhei>
Status: CLOSED CURRENTRELEASE QA Contact: Pavel Stehlik <pstehlik>
Severity: high Docs Contact:
Priority: unspecified    
Version: 3.1.1CC: abaron, bazulay, danken, dyasny, hateya, iheim, knesenko, lpeer, nobody, pstehlik, ykaul
Target Milestone: ---   
Target Release: 3.2.0   
Hardware: x86_64   
OS: Linux   
Whiteboard: infra
Fixed In Version: vdsm-4.10.2-11.0.el6ev Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 922807    

Description Pavel Zhukov 2013-02-04 09:31:27 UTC 
Description of problem:
failed to run vdsm cp command because of incorrect wildcard in the /etc/sudoers.d/50_vdsm

Version-Release number of selected component (if applicable):

vdsm-4.9.6-44.2.el6_3.x86_64

How reproducible:
100%


Actual results:
MainThread::DEBUG::2013-01-23 16:08:54,273::multipath::108::Storage.Misc.excCmd::(setupMultipath) '/usr/bin/sudo -n /bin/cp /etc/multipath.conf /etc/multipath.conf.1' (cwd None)
MainThread::DEBUG::2013-01-23 16:08:54,281::multipath::108::Storage.Misc.excCmd::(setupMultipath) FAILED: <err> = 'sudo: sorry, a password is required to run sudo\n'; <rc> = 1
MainThread::DEBUG::2013-01-23 16:08:54,282::multipath::108::Storage.Misc.excCmd::(setupMultipath) '/usr/bin/sudo -n /usr/sbin/persist /etc/multipath.conf.1' (cwd None)
MainThread::DEBUG::2013-01-23 16:08:54,288::multipath::108::Storage.Misc.excCmd::(setupMultipath) FAILED: <err> = 'sudo: sorry, a password is required to run sudo\n'; <rc> = 1
MainThread::DEBUG::2013-01-23 16:08:54,298::multipath::118::Storage.Misc.excCmd::(setupMultipath) '/usr/bin/sudo -n /usr/sbin/persist /etc/multipath.conf' (cwd None)
MainThread::DEBUG::2013-01-23 16:08:54,304::multipath::118::Storage.Misc.excCmd::(setupMultipath) FAILED: <err> = 'sudo: sorry, a password is required to run sudo\n'; <rc> = 1
MainThread::DEBUG::2013-01-23 16:08:54,305::multipath::121::Storage.Misc.excCmd::(setupMultipath) '/usr/bin/sudo -n /sbin/multipath -F' (cwd None)
MainThread::DEBUG::2013-01-23 16:08:54,336::multipath::121::Storage.Misc.excCmd::(setupMultipath) FAILED: <err> = ''; <rc> = 1


Expected results:


Additional info:
    /bin/cp * multipath.conf *, \
should be
    /bin/cp *multipath.conf *, \


--- a/vdsm/sudoers.vdsm.in	2013-02-04 10:30:16.551216731 +0100
+++ b/vdsm/sudoers.vdsm.in	2013-02-04 10:30:25.434215066 +0100
@@ -31,7 +31,7 @@
     @PERSIST@ /var/log/vdsm/backup/*, \
     @UNPERSIST@ multipath.conf, \
     @UNPERSIST@ /var/log/vdsm/backup/*, \
-    @CP@ * multipath.conf *, \
+    @CP@ *multipath.conf *, \
     @CP@ * /var/log/vdsm/backup/* *, \
     @MULTIPATH@, \
     @BLOCKDEV@ --getsize64 *, \
Comment 1 Pavel Zhukov 2013-02-04 09:35:02 UTC 
--- a/vdsm/sudoers.vdsm.in	2013-02-04 10:32:56.958196462 +0100
+++ b/vdsm/sudoers.vdsm.in	2013-02-04 10:34:06.744183744 +0100
@@ -27,13 +27,13 @@
     @CAT@ /etc/multipath.conf, \
     @DD@ of=/sys/class/scsi_host/host*/scan, \
     @DD@, \
-    @PERSIST@ multipath.conf, \
+    @PERSIST@ *multipath.conf, \
     @PERSIST@ /var/log/vdsm/backup/*, \
-    @UNPERSIST@ multipath.conf, \
+    @UNPERSIST@ *multipath.conf, \
     @UNPERSIST@ /var/log/vdsm/backup/*, \
-    @CP@ * multipath.conf *, \
+    @CP@ *multipath.conf *, \
     @CP@ * /var/log/vdsm/backup/* *, \
-    @MULTIPATH@, \
+    @MULTIPATH@ *, \
     @BLOCKDEV@ --getsize64 *, \
     @SETSID@ @IONICE@ -c? -n? @SU@ vdsm -s /bin/sh -c /usr/libexec/vdsm/spmprotect.sh*, \
     @SERVICE@ vdsmd *, \
Comment 2 Dan Kenigsberg 2013-02-04 10:54:45 UTC 
Pavel, what is the base version of this diff? I do not see

 @CP@ * multipath.conf *

in any recent vdsm version.

Which version of sudo do you have installed? What is `rpm -V vdsm` ?
Comment 3 Pavel Zhukov 2013-02-04 11:43:45 UTC 
It was patch for rhev-3.0
in rhev-3.1 the similar situation: 
Checked with commit bc8e315ba242de52edf27cfc9b5d6834747a9fa7



--- a/vdsm/sudoers.vdsm.in	2013-02-04 12:41:25.183928796 +0100
+++ b/vdsm/sudoers.vdsm.in	2013-02-04 12:42:23.746927174 +0100
@@ -33,13 +33,13 @@
     @CAT_PATH@ /etc/multipath.conf, \
     @DD_PATH@ of=/sys/class/scsi_host/host*/scan, \
     @DD_PATH@, \
-    @PERSIST_PATH@ multipath.conf, \
+    @PERSIST_PATH@ */multipath.conf, \
     @PERSIST_PATH@ /var/log/vdsm/backup/*, \
-    @UNPERSIST_PATH@ multipath.conf, \
+    @UNPERSIST_PATH@ */multipath.conf, \
     @UNPERSIST_PATH@ /var/log/vdsm/backup/*, \
-    @CP_PATH@ * multipath.conf *, \
+    @CP_PATH@ *multipath.conf *, \
     @CP_PATH@ * /var/log/vdsm/backup/* *, \
-    @MULTIPATH_PATH@, \
+    @MULTIPATH_PATH@ *, \
     @BLOCKDEV_PATH@ --getsize64 *, \
     @SETSID_PATH@ @IONICE_PATH@ -c? -n? @SU_PATH@ vdsm -s /bin/sh -c /usr/libexec/vdsm/spmprotect.sh*, \
Comment 4 Dan Kenigsberg 2013-02-04 12:12:03 UTC 
Pavel would you first suggest an upstream patch? It would be great if you explain how it has ever worked.
Comment 5 Pavel Zhukov 2013-02-04 13:51:56 UTC 
Please check:
http://gerrit.ovirt.org/#/c/11687/
Comment 7 Pavel Zhukov 2013-02-04 15:35:07 UTC 
Sorry, commit message:

Change sudo wildcards to work with absolute paths

VDSM works with absolute paths of multipath,conf file but wildcards
in /etc/sudoers.d/50_vdsm don't allow it. The patch just modify wildcards
to allow absolute paths like "/usr/bin/sudo -n /usr/sbin/persist /etc/multipath.conf'"
instead of "/usr/bin/sudo -n /usr/sbin/persist multipath.conf'" and so on
Comment 8 Barak 2013-02-17 10:27:42 UTC 
Pavel, Can you please supply the exact reproduce scenario ?
Comment 9 Pavel Zhukov 2013-02-25 08:23:04 UTC 
Error messages appears every time then setupMultipath called.
I saw 3-4 systems affected. 
As workaround we use "vdsm ALL=(ALL)   NOPASSWD: ALL" and this rule fixed issue.
Comment 10 Dan Kenigsberg 2013-02-25 09:03:27 UTC 
Pavel, please help us understand how come the current code works for everybody but you. Also,

(In reply to comment #2)
> 
> Which version of sudo do you have installed?
Comment 11 Pavel Zhukov 2013-02-25 09:21:48 UTC 
Dan, systems don't be crashed after the errors, but the errors are present and It's not normal behaviour, isn't it?

Please try to run command from #1 ('/usr/bin/sudo -n /bin/cp /etc/multipath.conf /etc/multipath.conf.1 for example) on any RHEV-H system as vdsm user (enable shell before) It will failed with error.  
setupMultipath cann't rotate or persist file in current realisation.
Comment 12 Yaniv Bronhaim 2013-02-25 14:04:10 UTC 
Hey Pavel, It does not normal behavior as you said, and we want to fix it.

I updated your patch here - http://gerrit.ovirt.org/#/c/12226/2. please hit the verify if it does fix the bug, and abandon your second patch http://gerrit.ovirt.org/#/c/11687/1
Comment 14 Itamar Heim 2013-06-11 09:38:00 UTC 
3.2 has been released
Comment 15 Itamar Heim 2013-06-11 09:38:00 UTC 
3.2 has been released
Comment 16 Itamar Heim 2013-06-11 09:52:15 UTC 
3.2 has been released