1224400 – non-root user cannot `from ovirtnode import ovirtfunctions`: permission denied: '/var/log/ovirt-node.log' and '/var/log/ovirt.log'

Bug 1224400 - non-root user cannot `from ovirtnode import ovirtfunctions`: permission denied: '/var/log/ovirt-node.log' and '/var/log/ovirt.log'

Summary: non-root user cannot `from ovirtnode import ovirtfunctions`: permission denie...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	ovirt-node
Classification:	oVirt
Component:	General
Sub Component:
Version:	---
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	ovirt-3.6.0-rc
Target Release:	---
Assignee:	Douglas Schilling Landgraf
QA Contact:	bugs@ovirt.org
Docs Contact:
URL:
Whiteboard:	node
Duplicates (1):	1221566 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-05-22 20:02 UTC by Douglas Schilling Landgraf
Modified:	2016-02-10 19:17 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2015-10-19 08:57:29 UTC
oVirt Team:	Node
Embargoed:
Dependent Products:
Flags:	ylavi: ovirt-3.6.0? ylavi: planning_ack+ rule-engine: devel_ack+ ylavi: testing_ack?

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
oVirt gerrit	42007	0	master	MERGED	logging: Replace log import for logging	Never

Description Douglas Schilling Landgraf 2015-05-22 20:02:22 UTC

Description of problem:

VDSM uses persist/unpersist functions provided by ovirt-node in ovirt.node.utils.fs import Config and these calls trigger the logging /var/log/ovirt.log and /var/log/ovirt-node.log with the below permissions which vdsm doesn't have access making the start fail.

# ls -lZ /var//log/ovirt-node.log 
-rw-r--r--. root root system_u:object_r:var_log_t:s0   /var//log/ovirt-node.log


# service vdsmd status -l
Redirecting to /bin/systemctl status  -l vdsmd.service
vdsmd.service - Virtual Desktop Server Manager
   Loaded: loaded (/usr/lib/systemd/system/vdsmd.service; enabled)
   Active: activating (start-pre) since Fri 2015-05-22 15:02:15 UTC; 11s ago
  Process: 20104 ExecStopPost=/usr/libexec/vdsm/vdsmd_init_common.sh
--post-stop (code=exited, status=0/SUCCESS)
  Process: 20093 ExecStart=/usr/share/vdsm/daemonAdapter -0 /dev/null
-1 /dev/null -2 /dev/null /usr/share/vdsm/vdsm (code=exited,
status=1/FAILURE) 
           ^^^--------- HERE
 Main PID: 20093 (code=exited, status=1/FAILURE);         : 20114
(vdsmd_init_comm)
   CGroup: /system.slice/vdsmd.service
           └─control
             ├─20114 /bin/sh /usr/libexec/vdsm/vdsmd_init_common.sh --pre-start
             └─20207 /usr/bin/python /usr/bin/vdsm-tool
cleanup-transient-repository 

As vdsm, if try to start manually it will complaing about ovirt-node.log and later ovirt-node.log
bash-4.2$ /usr/share/vdsm/vdsm
Traceback (most recent call last):
  File "/usr/share/vdsm/vdsm", line 35, in <module>
    from vdsm import utils
  File "/usr/lib/python2.7/site-packages/vdsm/utils.py", line 63, in <module>
    from ovirtnode import ovirtfunctions
  File "/usr/lib/python2.7/site-packages/ovirtnode/ovirtfunctions.py",
line 41, in <module>
    from ovirt.node.config import defaults
  File "/usr/lib/python2.7/site-packages/ovirt/node/config/defaults.py",
line 22, in <module>
    from ovirt.node.config.network import NicConfig
  File "/usr/lib/python2.7/site-packages/ovirt/node/config/network.py",
line 22, in <module>
    from ovirt.node.utils import AugeasWrapper as Augeas, fs, is_fileobj
  File "/usr/lib/python2.7/site-packages/ovirt/node/utils/fs/__init__.py",
line 40, in <module>
    LOGGER = log.getLogger(__name__)
  File "/usr/lib/python2.7/site-packages/ovirt/node/log.py", line 77,
in getLogger
    configure_logging()
  File "/usr/lib/python2.7/site-packages/ovirt/node/log.py", line 71,
in configure_logging
    logging.config.fileConfig(mixedfile, disable_existing_loggers=False)
  File "/usr/lib64/python2.7/logging/config.py", line 78, in fileConfig
    handlers = _install_handlers(cp, formatters)
  File "/usr/lib64/python2.7/logging/config.py", line 156, in _install_handlers
    h = klass(*args)
  File "/usr/lib64/python2.7/logging/handlers.py", line 392, in __init__
    logging.FileHandler.__init__(self, filename, mode, encoding, delay)
  File "/usr/lib64/python2.7/logging/__init__.py", line 902, in __init__
    StreamHandler.__init__(self, self._open())
  File "/usr/lib64/python2.7/logging/__init__.py", line 925, in _open
    stream = open(self.baseFilename, self.mode)
IOError: [Errno 13] Permission denied: '/var/log/ovirt-node.log' 


In VDSM: vdsm/lib/vdsm/utils.py

try:
    # If failing to import old code, then try importing the legacy code
    from ovirtnode import ovirtfunctions
    persist = ovirtfunctions.ovirt_store_config
    unpersist = ovirtfunctions.remove_config
except ImportError:
    try:
        from ovirt.node.utils.fs import Config
        persist = Config().persist
        unpersist = Config().unpersist
    except ImportError:
        persist = lambda name: None
        unpersist = lambda name: None

Additional data:
   #0 VDSM 3.6 (master branch) oVirt Node 3.6 (master branch)

   #1 In Engine after approving the host, it will connect to node execute host-deploy steps and in the end will be Failed Install, Host 'node' not reachable.

   #2 As test I have changed the ovirt.log and ovirt-node.log to o+w and vdsm was able to start, setup network and make the host be UP.

Comment 1 Douglas Schilling Landgraf 2015-05-22 20:05:02 UTC

# rpm -qa | grep vdsm
vdsm-python-4.17.0-832.gitbd70f3d.el7.centos.noarch
vdsm-4.17.0-832.gitbd70f3d.el7.centos.noarch
vdsm-tests-4.17.0-832.gitbd70f3d.el7.centos.noarch
vdsm-hook-faqemu-4.17.0-832.gitbd70f3d.el7.centos.noarch
vdsm-hook-macspoof-4.17.0-832.gitbd70f3d.el7.centos.noarch
vdsm-infra-4.17.0-832.gitbd70f3d.el7.centos.noarch
vdsm-xmlrpc-4.17.0-832.gitbd70f3d.el7.centos.noarch
vdsm-jsonrpc-4.17.0-832.gitbd70f3d.el7.centos.noarch
vdsm-gluster-4.17.0-832.gitbd70f3d.el7.centos.noarch
vdsm-reg-4.17.0-832.gitbd70f3d.el7.centos.noarch
vdsm-hook-vhostmd-4.17.0-832.gitbd70f3d.el7.centos.noarch
ovirt-node-plugin-vdsm-0.4.7-0.0.master.el7.centos.noarch
vdsm-hook-qemucmdline-4.17.0-832.gitbd70f3d.el7.centos.noarch
vdsm-hook-ipv6-4.17.0-832.gitbd70f3d.el7.centos.noarch
vdsm-cli-4.17.0-832.gitbd70f3d.el7.centos.noarch
vdsm-bootstrap-4.17.0-832.gitbd70f3d.el7.centos.noarch
vdsm-yajsonrpc-4.17.0-832.gitbd70f3d.el7.centos.noarch
vdsm-hook-ethtool-options-4.17.0-832.gitbd70f3d.el7.centos.noarch
ovirt-node-plugin-vdsm-recipe-0.4.7-0.0.master.el7.centos.noarch
vdsm-hook-vmfex-dev-4.17.0-832.gitbd70f3d.el7.centos.noarch
vdsm-debug-plugin-4.17.0-832.gitbd70f3d.el7.centos.noarch
vdsm-hook-openstacknet-4.17.0-832.gitbd70f3d.el7.centos.noarch

# rpm -qa | grep ovirt-node
ovirt-node-3.2.3-0.0.master.el7.centos.noarch
ovirt-node-plugin-hosted-engine-0.3.0-0.0.master.20150409.gitbc80969.el7.centos.noarch
ovirt-node-recipe-3.2.3-0.0.master.el7.centos.noarch
ovirt-node-plugin-vdsm-0.4.7-0.0.master.el7.centos.noarch
ovirt-node-selinux-3.2.3-0.0.master.el7.centos.noarch
ovirt-node-branding-ovirt-3.2.3-0.0.master.el7.centos.noarch
ovirt-node-plugin-vdsm-recipe-0.4.7-0.0.master.el7.centos.noarch

# cat /etc/redhat-release 
oVirt Node Hypervisor release 3.6 (0.999.201505202311.el7.centos) (Edited)

Comment 2 Douglas Schilling Landgraf 2015-06-15 15:17:18 UTC

*** Bug 1221566 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.