Description of problem: When configuring sudolog@info on any Hosted Engine Host, the logs will be flooded, among other messages, with: ~~~ Aug 10 08:30:41 sudo[6278] exec /sbin/service [service vdsmd status] Aug 10 08:30:41 sudo[6296] exec /sbin/service [service sanlock status] ~~~ If you also have LDAP configured to log this kind events on a remote system, the network traffic will increase, the call is being made every 10 seconds for each HE Host. systemctl status $service doesn't require sudo privileges, so we should remove the 'sudo' invocation in _check_service Version-Release number of selected component (if applicable): ovirt-hosted-engine-ha-2.2.16-1.el7ev.noarch.rpm How reproducible: 100% Steps to Reproduce: 1. Deploy a Self HostedEngine environment 2. Configure sudo to log with INFO (comment out Debug sudo line in /etc/sudo.conf) or have a remote system logging sudo commands 3. Check flood of 'systemctl status $service' in sudo log Actual results: 'systemctl status $service' where $service is both vdsmd and sanlock, is being executed with sudo privileges Expected results: 'systemctl status $service' doesn't need additional sudo privileges Additional info: We should remove sudo from _check_services in ovirt_hosted_engine_ha/agent/hosted_engine.py
Is there a workaround we could share with users in regards to disabling sudo from hosted_engine.py ? Setting NI on Ido since Simone is OOO.
ok, ovirt-hosted-engine-setup-2.2.28-0.0.master.20180917152606.git1a3b790.el7.noarch # grep 'service.*status' /var/log/sudo_debug # grep 'service' /var/log/sudo_debug Sep 14 14:21:46 sudo[30960] 0: command=/sbin/service Sep 14 14:21:46 sudo[30960] executed /sbin/service, pid 30963 Sep 14 14:21:46 sudo[30963] exec /sbin/service [/sbin/service vhostmd stop]
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3481
sync2jira