Bug 1022705 - [upgrade] neutron-rootwrap fails if "quantum" user is present at install time.
[upgrade] neutron-rootwrap fails if "quantum" user is present at install time.
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron (Show other bugs)
Unspecified Unspecified
high Severity high
: beta
: 4.0
Assigned To: Terry Wilson
Roey Dekel
Depends On:
  Show dependency treegraph
Reported: 2013-10-23 16:01 EDT by Lars Kellogg-Stedman
Modified: 2016-04-26 22:07 EDT (History)
6 users (show)

See Also:
Fixed In Version: openstack-neutron-2013.2-4.el6ost
Doc Type: Bug Fix
Doc Text:
Red Hat OpenStack 4 replaces Quantum with Neutron. Upgrading to Red Hat OpenStack 4 or installing the Neutron packages automatically configures the Neutron service with the necessary daemon names and rights previously used by Quantum. However, an ordering error in the configuration of user rights prevented sudo from correctly referencing "neutron" instead of "quantum" when needed. This prevented Neutron from performing any operations that required elevated privileges. This fix corrects the ordering error, thereby ensuring that sudo references "neutron" correctly when needed.
Story Points: ---
Clone Of:
Last Closed: 2013-12-19 19:32:10 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Lars Kellogg-Stedman 2013-10-23 16:01:54 EDT
Description of problem:

After upgrading a RHOS 3 system to RHOS 4, various neutron components will fail with:

  sudo: sorry, you must have a tty to run sudo

Version-Release number of selected component (if applicable):


Additional info:

This happens because the neutron package installs /etc/sudoers.d/neutron with the following contents:

Defaults:neutron !requiretty
neutron ALL = (root) NOPASSWD: SETENV: /usr/bin/neutron-rootwrap

But installs the neutron user with same UID as the quantum user in /etc/passwd:

  # egrep 'quantum|neutron' /etc/passwd
  quantum:x:164:164:OpenStack Quantum Daemons:/var/lib/quantum:/sbin/nologin
  neutron:x:164:164:OpenStack Quantum Daemons:/var/lib/neutron:/sbin/nologin

Since the sudoers configuration is name based, and quantum is earlier in the passwd file, sudo commands get evaluated for the "quantum" user.
Comment 3 Scott Lewis 2013-11-19 11:54:24 EST
Auto adding >= MODIFIED bugs to beta
Comment 5 Roey Dekel 2013-12-12 11:32:32 EST
Version-Release number of selected component (if applicable):
Grizzly Puddle: 2013-11-14.2
Havana Puddle: 2013-12-11.1

After the upgrade I created a new instance in a new network with subnet and attach it to a new floating-ip, then checked it's ingress and egress connection.

Also I run all of the following commands. All of them worked properly:
  400  neutron floatingip-list 
  422  neutron port-show f69fa3a7-18fd-4826-b8ae-1e3049789ca8
  426* neutron port-list > after/port.lis
  447  neutron security-group-rule-list 
  456  neutron net-list > after/net.list
  457  neutron subnet-list > after/subnet.list
  458  neutron router-list > after/subnet.list
  472  for i in `neutron floatingip-show | tail -n +4 | head -n -1 | cut -d" " -f2` ; do neutron floatingip-show $i ; done > after/floatingip.show
  473  for i in `neutron floatingip-list | tail -n +4 | head -n -1 | cut -d" " -f2` ; do neutron floatingip-show $i ; done > after/floatingip.show
  474  for i in `neutron net-list | tail -n +4 | head -n -1 | cut -d" " -f2` ; do neutron net-show $i ; done > after/net.show
  475  for i in `neutron subnet-list | tail -n +4 | head -n -1 | cut -d" " -f2` ; do neutron subnet-show $i ; done > after/subnet.show
  476  for i in `neutron router-list | tail -n +4 | head -n -1 | cut -d" " -f2` ; do neutron router-show $i ; done > after/router.show
  477  for i in `neutron security-group-rule-list | tail -n +4 | head -n -1 | cut -d" " -f2` ; do neutron security-group-rule-show $i ; done > after/security-group-rule.show
  506  neutron floatingip-create 
  507  neutron floatingip-create netExt233VLAN
  508  neutron floatingip-create netExt233
  518  neutron router-interface-add router01 netInt238VLAN
  519  neutron floatingip-list 
  520  neutron port-list 
  521  neutron floatingip-associate 0531e9a1-1d60-4b61-9c29-a0f57556fa51 c819d24a-58bb-4c43-8899-4ad18b3b2de9
  522  neutron floatingip-list
Comment 7 errata-xmlrpc 2013-12-19 19:32:10 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.