1832732 – unneeded sudoers configuration for vdsm and sanlock service control

Bug 1832732 - unneeded sudoers configuration for vdsm and sanlock service control

Summary: unneeded sudoers configuration for vdsm and sanlock service control

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	ovirt-hosted-engine-ha
Classification:	oVirt
Component:	General
Sub Component:
Version:	2.4.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	ovirt-4.4.1
Target Release:	---
Assignee:	Evgeny Slutsky
QA Contact:	Nikolai Sednev
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-05-07 08:10 UTC by Evgeny Slutsky
Modified:	2020-07-08 08:26 UTC (History)
CC List:	2 users (show)
Fixed In Version:	ovirt-hosted-engine-ha-2.4.4
Clone Of:
Environment:
Last Closed:	2020-07-08 08:26:21 UTC
oVirt Team:	Integration
Embargoed:
Flags:	sbonazzo: ovirt-4.4?

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
oVirt gerrit	109430	0	master	MERGED	vdsmd services no longer controlled by ovirt-hosted-engine-ha	2020-07-06 11:55:56 UTC

Description Evgeny Slutsky 2020-05-07 08:10:38 UTC

Description of problem:

when ovirt-hosted-engine-ha installed it create its sudoers file which grants to vsdm user permission to control vdsm  and sanlock  services.

in file /etc/sudoers.d/60_ovirt-ha:



Cmnd_Alias OVIRT_HA = \
    /usr/sbin/service vdsmd *, \
    /usr/sbin/service sanlock *, \
    /sbin/losetup --find --show --sizelimit=* /var/lib/ovirt-hosted-engine-ha/*, \
    /sbin/losetup --detach /dev/loop*, \
    /sbin/mkfs -t * /dev/loop*, \
    /usr/bin/mount /dev/loop* *, \
    /usr/bin/umount *, \
    /bin/mv -b -f -Z /var/lib/ovirt-hosted-engine-ha/* /etc/ovirt-hosted-engine/hosted-engine.conf, \
    /usr/bin/chown -R vdsm /var/lib/ovirt-hosted-engine-ha/*, \
    /usr/bin/chown root\:root /etc/ovirt-hosted-engine/hosted-engine.conf, \
    /usr/bin/chmod 644 /etc/ovirt-hosted-engine/hosted-engine.conf, \
    /usr/sbin/persist /etc/ovirt-hosted-engine/hosted-engine.conf, \
    /usr/sbin/unpersist /etc/ovirt-hosted-engine/hosted-engine.conf

"service"  command only used for checking service status, so it doesn't require sudo.

Comment 1 Nikolai Sednev 2020-07-06 13:43:39 UTC

Cmnd_Alias OVIRT_HA = \
    /sbin/losetup --find --show --sizelimit=* /var/lib/ovirt-hosted-engine-ha/*, \
    /sbin/losetup --detach /dev/loop*, \
    /sbin/mkfs -t * /dev/loop*, \
    /usr/bin/mount /dev/loop* *, \
    /usr/bin/umount *, \
    /bin/mv -b -f -Z /var/lib/ovirt-hosted-engine-ha/* /etc/ovirt-hosted-engine/hosted-engine.conf, \
    /usr/bin/chown -R vdsm /var/lib/ovirt-hosted-engine-ha/*, \
    /usr/bin/chown root\:root /etc/ovirt-hosted-engine/hosted-engine.conf, \
    /usr/bin/chmod 644 /etc/ovirt-hosted-engine/hosted-engine.conf, \
    /usr/sbin/persist /etc/ovirt-hosted-engine/hosted-engine.conf, \
    /usr/sbin/unpersist /etc/ovirt-hosted-engine/hosted-engine.conf

vdsm  ALL=(ALL) NOPASSWD: OVIRT_HA
/etc/sudoers.d/60_ovirt-ha (END)


Works for me on latest Software Version:4.4.1.7-0.3.el8ev.
ovirt-hosted-engine-ha-2.4.4-1.el8ev.noarch
ovirt-hosted-engine-setup-2.4.5-1.el8ev.noarch
Linux 4.18.0-193.12.1.el8_2.x86_64 #1 SMP Thu Jul 2 15:48:14 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Red Hat Enterprise Linux release 8.2 (Ootpa)

Reported issue no longer exists.

Comment 2 Sandro Bonazzola 2020-07-08 08:26:21 UTC

This bugzilla is included in oVirt 4.4.1 release, published on July 8th 2020.

Since the problem described in this bug report should be resolved in oVirt 4.4.1 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

Note You need to log in before you can comment on or make changes to this bug.