Bug 1832732 - unneeded sudoers configuration for vdsm and sanlock service control
Summary: unneeded sudoers configuration for vdsm and sanlock service control
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-hosted-engine-ha
Classification: oVirt
Component: General
Version: 2.4.2
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ovirt-4.4.1
Assignee: Evgeny Slutsky
QA Contact: Nikolai Sednev
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-05-07 08:10 UTC by Evgeny Slutsky
Modified: 2020-07-08 08:26 UTC (History)

Fixed In Version: ovirt-hosted-engine-ha-2.4.4
Clone Of:
Environment:
Last Closed: 2020-07-08 08:26:21 UTC
oVirt Team: Integration
Embargoed:
sbonazzo: ovirt-4.4?




Links
System | ID | Private | Priority | Status | Summary | Last Updated
oVirt gerrit | 109430 | 0 | master | MERGED | vdsmd services no longer controlled by ovirt-hosted-engine-ha | 2020-07-06 11:55:56 UTC

Description Evgeny Slutsky 2020-05-07 08:10:38 UTC
Description of problem:

When ovirt-hosted-engine-ha is installed, it creates its sudoers file, which grants the vdsm user permission to control the vdsm and sanlock services.

In file /etc/sudoers.d/60_ovirt-ha:

Cmnd_Alias OVIRT_HA = \
    /usr/sbin/service vdsmd *, \
    /usr/sbin/service sanlock *, \
    /sbin/losetup --find --show --sizelimit=* /var/lib/ovirt-hosted-engine-ha/*, \
    /sbin/losetup --detach /dev/loop*, \
    /sbin/mkfs -t * /dev/loop*, \
    /usr/bin/mount /dev/loop* *, \
    /usr/bin/umount *, \
    /bin/mv -b -f -Z /var/lib/ovirt-hosted-engine-ha/* /etc/ovirt-hosted-engine/hosted-engine.conf, \
    /usr/bin/chown -R vdsm /var/lib/ovirt-hosted-engine-ha/*, \
    /usr/bin/chown root\:root /etc/ovirt-hosted-engine/hosted-engine.conf, \
    /usr/bin/chmod 644 /etc/ovirt-hosted-engine/hosted-engine.conf, \
    /usr/sbin/persist /etc/ovirt-hosted-engine/hosted-engine.conf, \
    /usr/sbin/unpersist /etc/ovirt-hosted-engine/hosted-engine.conf

The "service" command is only used for checking service status, so it doesn't require sudo.

Comment 1 Nikolai Sednev 2020-07-06 13:43:39 UTC
Cmnd_Alias OVIRT_HA = \
    /sbin/losetup --find --show --sizelimit=* /var/lib/ovirt-hosted-engine-ha/*, \
    /sbin/losetup --detach /dev/loop*, \
    /sbin/mkfs -t * /dev/loop*, \
    /usr/bin/mount /dev/loop* *, \
    /usr/bin/umount *, \
    /bin/mv -b -f -Z /var/lib/ovirt-hosted-engine-ha/* /etc/ovirt-hosted-engine/hosted-engine.conf, \
    /usr/bin/chown -R vdsm /var/lib/ovirt-hosted-engine-ha/*, \
    /usr/bin/chown root\:root /etc/ovirt-hosted-engine/hosted-engine.conf, \
    /usr/bin/chmod 644 /etc/ovirt-hosted-engine/hosted-engine.conf, \
    /usr/sbin/persist /etc/ovirt-hosted-engine/hosted-engine.conf, \
    /usr/sbin/unpersist /etc/ovirt-hosted-engine/hosted-engine.conf

vdsm  ALL=(ALL) NOPASSWD: OVIRT_HA
/etc/sudoers.d/60_ovirt-ha (END)


Works for me on latest Software Version:4.4.1.7-0.3.el8ev.
ovirt-hosted-engine-ha-2.4.4-1.el8ev.noarch
ovirt-hosted-engine-setup-2.4.5-1.el8ev.noarch
Linux 4.18.0-193.12.1.el8_2.x86_64 #1 SMP Thu Jul 2 15:48:14 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Red Hat Enterprise Linux release 8.2 (Ootpa)

Reported issue no longer exists.
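
As an added example (not part of the bug report or of the oVirt code base), the check below parses a sudoers Cmnd_Alias with backslash continuations, lists entries that grant the service wrapper via sudo, and shows which entries the fix removed. The two sample files are constructed, shortened copies of the aliases quoted above; the function names are hypothetical, and the parser assumes one alias per Cmnd_Alias line.

```python
import re

# Constructed sample: the 2.4.2 alias quoted in the description, shortened.
BEFORE = r"""
Cmnd_Alias OVIRT_HA = \
    /usr/sbin/service vdsmd *, \
    /usr/sbin/service sanlock *, \
    /sbin/losetup --detach /dev/loop*, \
    /usr/bin/chown root\:root /etc/ovirt-hosted-engine/hosted-engine.conf

vdsm  ALL=(ALL) NOPASSWD: OVIRT_HA
"""

# Constructed sample: the 2.4.4 alias quoted in Comment 1, shortened.
AFTER = r"""
Cmnd_Alias OVIRT_HA = \
    /sbin/losetup --detach /dev/loop*, \
    /usr/bin/chown root\:root /etc/ovirt-hosted-engine/hosted-engine.conf
"""

def parse_cmnd_aliases(text):
    """Return {alias_name: [command, ...]} for each Cmnd_Alias line."""
    # sudoers joins a line ending in a backslash with the following line.
    joined = re.sub(r"\\\n", "", text)
    aliases = {}
    for line in joined.splitlines():
        m = re.match(r"\s*Cmnd_Alias\s+([A-Z][A-Z0-9_]*)\s*=\s*(.*)$", line)
        if not m:
            continue
        # Split on commas that are not backslash-escaped, then tidy spacing.
        cmds = re.split(r"(?<!\\),", m.group(2))
        aliases[m.group(1)] = [" ".join(c.split()) for c in cmds if c.strip()]
    return aliases

def service_control_entries(commands, binary="/usr/sbin/service"):
    """Entries that let the sudo user run the service wrapper as root."""
    return [c for c in commands if c.split()[0] == binary]

def removed_entries(before, after, alias="OVIRT_HA"):
    """Commands present in the old alias but absent from the new one."""
    new = set(parse_cmnd_aliases(after)[alias])
    return [c for c in parse_cmnd_aliases(before)[alias] if c not in new]

if __name__ == "__main__":
    for name, cmds in parse_cmnd_aliases(BEFORE).items():
        for entry in service_control_entries(cmds):
            print(f"{name}: grants service control via sudo: {entry}")
    print("removed by fix:", removed_entries(BEFORE, AFTER))
```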

Comment 2 Sandro Bonazzola 2020-07-08 08:26:21 UTC
This bugzilla is included in oVirt 4.4.1 release, published on July 8th 2020.

Since the problem described in this bug report should be resolved in oVirt 4.4.1 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

