Bug 1614814 - [SHE] Remove 'sudo' from _check_service on HE Hosts
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-hosted-engine-ha
Version: 4.2.5
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ovirt-4.2.7
Assignee: Simone Tiraboschi
QA Contact: meital avital
URL:
Whiteboard:
Depends On:
Blocks: 1629887
Reported: 2018-08-10 13:26 UTC by Javier Coscia
Modified: 2021-12-10 17:03 UTC (History)

Fixed In Version: ovirt-hosted-engine-ha-2.2.17-1.el7ev.noarch.rpm
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-11-05 15:03:31 UTC
oVirt Team: Integration
Target Upstream Version:
Embargoed:
pmatyas: testing_plan_complete+




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | RHV-44246 | 0 | None | None | None | 2021-12-10 17:03:23 UTC
Red Hat Product Errata | RHBA-2018:3481 | 0 | None | None | None | 2018-11-05 15:03:38 UTC
oVirt gerrit | 93657 | 0 | 'None' | MERGED | remove sudo from systemctl status | 2020-01-29 08:02:00 UTC
oVirt gerrit | 93705 | 0 | 'None' | MERGED | remove sudo from systemctl status | 2020-01-29 08:02:00 UTC

Description Javier Coscia 2018-08-10 13:26:10 UTC
Description of problem:

When configuring sudolog@info on any Hosted Engine Host, the logs will be flooded, among other messages, with:

~~~
Aug 10 08:30:41 sudo[6278] exec /sbin/service [service vdsmd status]
Aug 10 08:30:41 sudo[6296] exec /sbin/service [service sanlock status]
~~~

If you also have LDAP configured to log this kind of event on a remote system, the network traffic will increase; the call is being made every 10 seconds for each HE Host.

systemctl status $service doesn't require sudo privileges, so we should remove the 'sudo' invocation in _check_service 



Version-Release number of selected component (if applicable):

ovirt-hosted-engine-ha-2.2.16-1.el7ev.noarch.rpm

How reproducible:

100%

Steps to Reproduce:
1. Deploy a Self HostedEngine environment
2. Configure sudo to log with INFO (comment out Debug sudo line in /etc/sudo.conf) or have a remote system logging sudo commands
3. Check flood of 'systemctl status $service' in sudo log

Actual results:

'systemctl status $service' where $service is both vdsmd and sanlock, is being executed with sudo privileges

Expected results:

'systemctl status $service' doesn't need additional sudo privileges

Additional info:

We should remove sudo from _check_services in ovirt_hosted_engine_ha/agent/hosted_engine.py
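
One way to find which sudo callers produce this kind of flood, as an added example that is not part of the original report or the oVirt code: it groups sudo `exec` lines by command and reports those that repeat at a near-constant interval. The sample log is constructed in the line format quoted above; the function names, the `year` default and the thresholds are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample in the line format quoted in the report (not real host logs).
SAMPLE_LOG = """\
Aug 10 08:30:41 sudo[6278] exec /sbin/service [service vdsmd status]
Aug 10 08:30:41 sudo[6296] exec /sbin/service [service sanlock status]
Aug 10 08:30:51 sudo[6310] exec /sbin/service [service vdsmd status]
Aug 10 08:30:51 sudo[6325] exec /sbin/service [service sanlock status]
Aug 10 08:31:01 sudo[6340] exec /sbin/service [service vdsmd status]
Aug 10 08:31:01 sudo[6355] exec /sbin/service [service sanlock status]
Aug 10 08:31:07 sudo[6401] exec /sbin/service [/sbin/service vhostmd stop]
"""

# Matches: timestamp, sudo[pid], "exec <path> [<argv>]" as in the quoted lines.
EXEC_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+sudo\[\d+\]\s+"
    r"exec\s+\S+\s+\[(?P<argv>[^\]]*)\]\s*$"
)

def parse_exec_lines(text, year=2018):
    """Yield (datetime, argv) per sudo exec line; syslog stamps carry no year (assumed)."""
    for line in text.splitlines():
        m = EXEC_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["argv"]

def periodic_sudo_calls(text, min_count=3, jitter=2.0):
    """Return {argv: (count, median_interval_s)} for commands run on a fixed timer."""
    seen = defaultdict(list)
    for ts, argv in parse_exec_lines(text):
        seen[argv].append(ts)
    report = {}
    for argv, stamps in seen.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # A polling loop shows near-constant gaps; interactive use does not.
        if max(gaps) - min(gaps) <= jitter:
            report[argv] = (len(stamps), statistics.median(gaps))
    return report

if __name__ == "__main__":
    for argv, (count, gap) in periodic_sudo_calls(SAMPLE_LOG).items():
        print(f"{argv!r}: {count} calls, every ~{gap:.0f}s")
```

Commands that show up here with a fixed interval are candidates for the same review as `_check_service`: whether the call needs sudo at all.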

Comment 1 Javier Coscia 2018-08-14 00:18:50 UTC
Is there a workaround we could share with users with regard to disabling sudo from hosted_engine.py?

Setting NI on Ido since Simone is OOO.

Comment 2 Jiri Belka 2018-09-18 13:35:59 UTC
ok, ovirt-hosted-engine-setup-2.2.28-0.0.master.20180917152606.git1a3b790.el7.noarch

~~~
# grep 'service.*status' /var/log/sudo_debug
# grep 'service' /var/log/sudo_debug
Sep 14 14:21:46 sudo[30960]     0: command=/sbin/service
Sep 14 14:21:46 sudo[30960] executed /sbin/service, pid 30963
Sep 14 14:21:46 sudo[30963] exec /sbin/service [/sbin/service vhostmd stop]
~~~

Comment 5 errata-xmlrpc 2018-11-05 15:03:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3481

Comment 7 Daniel Gur 2019-08-28 13:13:27 UTC
sync2jira

Comment 8 Daniel Gur 2019-08-28 13:17:40 UTC
sync2jira

