Bug 2169303 - [RHOSP17.1] ceilometer sudoers is required by ceilometer-polling to enable polling ipmi namespace
Summary: [RHOSP17.1] ceilometer sudoers is required by ceilometer-polling to enable po...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 17.1 (Wallaby)
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: beta
: 17.1
Assignee: Yadnesh Kulkarni
QA Contact: Leonid Natapov
URL:
Whiteboard:
Depends On:
Blocks: 2213409
TreeView+ depends on / blocked
 
Reported: 2023-02-13 09:27 UTC by Takashi Kajinami
Modified: 2023-12-15 04:26 UTC (History)
7 users (show)

Fixed In Version: openstack-tripleo-heat-templates-14.3.1-1.20230505003804.9fbc89a.el9ost
Doc Type: Bug Fix
Doc Text:
Before this update, the IPMI agent container did not spawn because the CeilometerIpmi service was not added to THT Compute roles. With this update, the CeilometerIpmi service is added to all THT Compute roles. The IPMI agent container is executed with the `--privilege` flag to execute `ipmitool` commands on the host. The data collection service (ceilometer) can now capture power metrics.
Clone Of:
: 2213409 (view as bug list)
Environment:
Last Closed: 2023-08-16 01:13:48 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 881704 0 None NEW Fix CeilometerAgentIpmi service to gather and report power metrics 2023-05-02 13:37:47 UTC
RDO 46995 0 None None None 2023-02-13 09:40:08 UTC
Red Hat Issue Tracker OSP-24635 0 None None None 2023-04-28 07:15:19 UTC
Red Hat Product Errata RHEA-2023:4577 0 None None None 2023-08-16 01:14:11 UTC

Description Takashi Kajinami 2023-02-13 09:27:52 UTC 
Description of problem:

Currently we have two methods to make ceilometer to poll ipmi namespace.
 1) Use ceilometer-polling and enable ipmi namespace
 2) Use ceilometer-ipmi and use that specific service

However sudoers is installed only for 2 and this causes the following failure in case 1 is used.

example:
https://86528e56a845f286885c-ddf4c57eb5e1f9e1a36bd74aa5f4e0cd.ssl.cf5.rackcdn.com/873444/2/check/puppet-openstack-integration-7-scenario001-tempest-centos-9-stream/7b8abc8/logs/ceilometer/polling.txt
~~~
2023-02-13 03:09:48.050 105607 INFO oslo.privsep.daemon [-] Running privsep helper: ['sudo', 'ceilometer-rootwrap', '/etc/ceilometer/rootwrap.conf', 'privsep-helper', '--privsep_context', 'ceilometer.privsep.sys_admin_pctxt', '--privsep_sock_path', '/tmp/tmpk6fsgjez/privsep.sock']
2023-02-13 03:09:48.078 105607 WARNING oslo.privsep.daemon [-] privsep log: 
2023-02-13 03:09:48.079 105607 WARNING oslo.privsep.daemon [-] privsep log: We trust you have received the usual lecture from the local System
2023-02-13 03:09:48.079 105607 WARNING oslo.privsep.daemon [-] privsep log: Administrator. It usually boils down to these three things:
2023-02-13 03:09:48.079 105607 WARNING oslo.privsep.daemon [-] privsep log: 
2023-02-13 03:09:48.079 105607 WARNING oslo.privsep.daemon [-] privsep log:     #1) Respect the privacy of others.
2023-02-13 03:09:48.079 105607 WARNING oslo.privsep.daemon [-] privsep log:     #2) Think before you type.
2023-02-13 03:09:48.079 105607 WARNING oslo.privsep.daemon [-] privsep log:     #3) With great power comes great responsibility.
2023-02-13 03:09:48.080 105607 WARNING oslo.privsep.daemon [-] privsep log: 
2023-02-13 03:09:48.133 105607 WARNING oslo.privsep.daemon [-] privsep log: sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
2023-02-13 03:09:48.134 105607 WARNING oslo.privsep.daemon [-] privsep log: sudo: a password is required
2023-02-13 03:09:48.137 105607 CRITICAL oslo.privsep.daemon [-] privsep helper command exited non-zero (1)
~~~



Version-Release number of selected component (if applicable):

openstack-ceilometer-common-19.1.0-0.20230206145859.39d0ef6.el9.noarch
openstack-ceilometer-notification-19.1.0-0.20230206145859.39d0ef6.el9.noarch
openstack-ceilometer-polling-19.1.0-0.20230206145859.39d0ef6.el9.noarch

How reproducible:

Always

Steps to Reproduce:
1. Start ceilometer-polling with ipminamespace enabled
2. Check polling.log

Actual results:
It fails to run the rootwrap command

Expected results:
It succeeds to run the rootwrap command

Additional info:
Comment 5 Leonid Natapov 2023-05-29 07:47:08 UTC 
ceilometer_agent_ipmi container is running on compute nodes.
No erros seen in /var/log/containers/ceilometer/ipmi.log on compute nodes.
Comment 11 Takashi Kajinami 2023-08-09 08:34:42 UTC 
I don't know how this bug was hijacked...  The tht patches linked from bug is not really related to the original problem I reported here.

We don't use the openstack-ceilometer-polling package in tripleo but we use the individual agent packages such as openstack-ceilometer-ipmi,
so the missing rootwrap in the common class does not affect TripleO deployment.

I don't know if I can push this back to the original component. You should update the description of this bug(and the cloned one)
to describe the actual problem.
Comment 12 Takashi Kajinami 2023-08-09 08:36:00 UTC 
> so the missing rootwrap in the common class does not affect TripleO deployment.

I mean the common "package"(openstack-ceilometer-common) instead of the common class.
Comment 17 errata-xmlrpc 2023-08-16 01:13:48 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.1 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2023:4577
Comment 18 Red Hat Bugzilla 2023-12-15 04:26:00 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days
Note You need to log in before you can comment on or make changes to this bug.