Red Hat Bugzilla – Bug 894733
packstack: keystonerc_admin file generation: assumes '/root' exists, stores keystonerc_admin file with too much permissions
Last modified: 2016-04-26 11:19:45 EDT
Description of problem:
openstack_client.pp has two issues:
1. It uses hard-coded /root as the root user's homedir. We've learned that in some cases this is not the right location (but /home/root, for example).
2. The permission of the generated keystonerc_admin should be 600, now it's too permissive (-rw-r--r--).

Version-Release number of selected component (if applicable):
openstack-packstack-2012.2.2-0.3.dev281.el6ost.noarch (did not execute code, just looked at the puppet class).
Fix for permissions submitted here
https://review.openstack.org/#/c/19763/

Still have to figure out how to unhard code /root
(In reply to comment #2)
> Fix for permissions submitted here
> https://review.openstack.org/#/c/19763/
>
> Still have to figure out how to unhard code /root

In Python it'd be pwd.getpwnam('root').pw_dir

Not sure how you'd put the result of the above into the Puppet script.
Yup, unfortunately I'm not running Python on the server in question so it's not an option that's open to me.
The solution was a custom facter fact, fix proposed upstream
https://review.openstack.org/#/c/19797/
Reopening. I've changed the root home directory to /testdir and ran packstack. Packstack failed with the following errors:

packstack output:
http://pastebin.test.redhat.com/124825
Yup, confirmed, although the keystonerc_admin file is now being created in the correct place. The changed home directory is causing problems with the mysql module.
Fix for MySQL module committed upstream:
https://github.com/packstack/puppetlabs-mysql/commit/0db9759988b7a24efef5bf09c486dcdfcd8e772e
https://github.com/packstack/puppetlabs-mysql/commit/1c66bf7b1254029b943ea92085729672ee5c8ebc
(In reply to comment #10)
> Fix for MySQL module committed upstream:
> https://github.com/packstack/puppetlabs-mysql/commit/0db9759988b7a24efef5bf09c486dcdfcd8e772e
> https://github.com/packstack/puppetlabs-mysql/commit/1c66bf7b1254029b943ea92085729672ee5c8ebc

1) mkdir '/testdir'.
2) Changed the root home directory in /etc/passwd --> root:x:0:0:root:/testdir:/bin/bash
3) reboot.
4) Launch packstack (in interactive mode)

For some reason after changing the root home directory, when running packstack, it kept asking over and over for the 'root password'. Eventually it failed with an error.

Note:
------
A) I changed the root home directory back to /root -> the installation completed successfully.
B) Under /root the file 'keystonerc_admin' is no longer too permissive:
-rw-------. 1 root root 182 Mar 10 12:25 keystonerc_admin

------------------------------------------------------------------------------
Adding QPID manifest entries... [ DONE ]
Adding Keystone manifest entries... [ DONE ]
Adding Glance Keystone manifest entries... [ DONE ]
Adding Glance manifest entries... [ DONE ]
Adding Cinder Keystone manifest entries... [ DONE ]
Checking if the Cinder server has a cinder-volumes vg...root@10.35.160.11's password: root@10.35.160.11's password: [ DONE ]
Adding Cinder manifest entries... [ DONE ]
Adding Nova API manifest entries... [ DONE ]
Adding Nova Keystone manifest entries... [ DONE ]
Adding Nova Cert manifest entries... [ DONE ]
Adding Nova Compute manifest entries...root@10.35.160.11's password: root@10.35.160.11's password: [ DONE ]
Adding Nova Network manifest entries...root@10.35.160.11's password: root@10.35.160.11's password: root@10.35.160.11's password: root@10.35.160.11's password: [ DONE ]
Adding Nova Scheduler manifest entries... [ DONE ]
Adding Nova VNC Proxy manifest entries... [ DONE ]
Adding Nova Common manifest entries... [ DONE ]
Adding OpenStack Client manifest entries...root@10.35.160.11's password: [ DONE ]
Adding Horizon manifest entries... [ DONE ]
Adding Swift Keystone manifest entries... [ DONE ]
Adding Swift builder manifest entries... [ DONE ]
Adding Swift proxy manifest entries... [ DONE ]
Adding Swift storage manifest entries... [ DONE ]
Adding Swift common manifest entries... [ DONE ]
Preparing servers...root@10.35.160.11's password: [ DONE ]
Adding post install manifest entries... [ DONE ]
Installing Dependencies...root@10.35.160.11's password:

/var/tmp/packstack/20130310-115604-QW68UJ/openstack-setup.log:
--------------------------------------------------------------
2013-03-10 11:59:21::INFO::cinder_250::157::root:: A new cinder volumes group will be created
2013-03-10 12:05:23::ERROR::common_utils::403::root:: ============= STDERR ==========
2013-03-10 12:05:23::ERROR::common_utils::404::root:: Warning: Permanently added '10.35.160.11' (RSA) to the list of known hosts.
Connection closed by UNKNOWN
2013-03-10 12:05:23::ERROR::run_setup::605::root:: Error running remote script:
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/packstack/installer/run_setup.py", line 593, in _main
    runSequences()
  File "/usr/lib/python2.6/site-packages/packstack/installer/run_setup.py", line 569, in runSequences
    controller.runAllSequences()
  File "/usr/lib/python2.6/site-packages/packstack/installer/setup_controller.py", line 62, in runAllSequences
    sequence.run()
  File "/usr/lib/python2.6/site-packages/packstack/installer/setup_sequences.py", line 153, in run
    step.run()
  File "/usr/lib/python2.6/site-packages/packstack/installer/setup_sequences.py", line 60, in run
    function()
  File "/usr/lib/python2.6/site-packages/packstack/plugins/puppet_950.py", line 73, in installdeps
    server.execute()
  File "/usr/lib/python2.6/site-packages/packstack/installer/common_utils.py", line 411, in execute
    '%s' % stdoutdata)
ScriptRuntimeError: Error running remote script:
2013-03-10 12:05:23::INFO::run_setup::626::root:: Removing /var/tmp/packstack/ff45d533c62249a0a257a9fdc5d914c2 on 10.35.160.11 (if it is a remote host)
2013-03-10 12:05:26::INFO::run_setup::626::root:: Removing /var/tmp/packstack/d5048ad0525d47daad1eb48f997549da on 10.35.160.13 (if it is a remote host)
2013-03-10 12:05:26::INFO::run_setup::534::root:: * A new answerfile was created in: /testdir/packstack-answers-20130310-115858.txt
2013-03-10 12:05:26::INFO::run_setup::534::root:: * Time synchronization installation was skipped. Please note that unsynchronized time on server instances might be problem for some OpenStack components.
2013-03-10 12:05:26::INFO::run_setup::534::root:: * To use the command line tools you need to source the file /testdir/keystonerc_admin created on 10.35.160.11
2013-03-10 12:05:26::INFO::run_setup::534::root:: * ESC[0;31mNOTEESC[0m : A default self signed certificate was used for ssl, You should change the ssl certificate configured in /etc/httpd/conf.d/ssl.conf on 10.35.160.11 to use a CA signed cert.
2013-03-10 12:05:26::INFO::run_setup::534::root:: * To use the console, browse to https://10.35.160.11/dashboard
2013-03-10 12:05:26::INFO::run_setup::534::root:: * ESC[0;31mERROR : Error running remote script: ESC[0m
2013-03-10 12:05:26::INFO::run_setup::534::root:: * Please check log file /var/tmp/packstack/20130310-115604-QW68UJ/openstack-setup.log for more information
(In reply to comment #12)

Tested with: openstack-packstack-2012.2.3-0.1.dev454.el6ost.noarch

The credentials 'keystonerc_admin' are fine. The issue that is still relevant is packstack failure when changing the root home directory.
The problems here are ssh path permissions and SELinux. If you change your root home directory, you also have to set the proper mode:
chmod 0700 /testdir
chmod 0700 /testdir/.ssh
chmod 0600 /testdir/.ssh/authorized_keys

You also have to set proper SELinux booleans for /testdir/.ssh/authorized_keys. Not sure how to do that and unfortunately I don't have time to google around, but if you test packstack in permissive mode, it will work OK even with a changed root home. Just tried all-in-one installation:

[para@virtual-rhel-beta ~]$ packstack --answer-file=ans.txt
Welcome to Installer setup utility
Installing:
Clean Up... [ DONE ]
Setting up ssh keys... [ DONE ]
Adding pre install manifest entries... [ DONE ]
Adding MySQL manifest entries... [ DONE ]
Adding QPID manifest entries... [ DONE ]
Adding Keystone manifest entries... [ DONE ]
Adding Glance Keystone manifest entries... [ DONE ]
Adding Glance manifest entries... [ DONE ]
Adding Cinder Keystone manifest entries... [ DONE ]
Checking if the Cinder server has a cinder-volumes vg... [ DONE ]
Adding Cinder manifest entries... [ DONE ]
Adding Nova API manifest entries... [ DONE ]
.....
Applying 192.168.122.154_postscript.pp
192.168.122.154_postscript.pp : [ DONE ]
[ DONE ]

**** Installation completed successfully ******

(Please allow Installer a few moments to start up.....)

Additional information:
* Time synchronization installation was skipped. Please note that unsynchronized time on server instances might be problem for some OpenStack components.
* Did not create a cinder volume group, one already existed
* To use the command line tools you need to source the file /roothome/keystonerc_admin created on 192.168.122.154
* To use the console, browse to http://192.168.122.154/dashboard
* The installation log file is available at: /var/tmp/packstack/20130311-164930-psPxmM/openstack-setup.log
[para@virtual-rhel-beta ~]$ su -c 'echo $HOME'
Password:
/roothome
[para@virtual-rhel-beta ~]$

I'm expecting that people who change the home directory to something other than /root will know what they are doing and set their SELinux booleans properly themselves. So I'm setting this bug back to ON_QA so you can try it in permissive mode.
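Added example, not part of the original thread and not packstack's code: a Python audit that resolves root's home from the passwd database (the pwd.getpwnam lookup mentioned earlier in the thread) and flags any of the paths discussed here that are more permissive than the modes given in the comments. The names home_of, audit and demo, the EXPECTED table and the sample tree are constructed for illustration.

```python
import os
import pwd
import stat
import tempfile

# Relative path under the home directory -> most permissive mode allowed.
# Modes are the ones named in this thread (constructed table, not packstack's).
EXPECTED = [
    ("", 0o700),                      # the home directory itself
    (".ssh", 0o700),
    (".ssh/authorized_keys", 0o600),
    ("keystonerc_admin", 0o600),      # holds the Keystone admin credentials
]


def home_of(user="root"):
    """Look the home directory up in the passwd database instead of assuming /root."""
    return pwd.getpwnam(user).pw_dir


def audit(home):
    """Return (path, actual_mode, allowed_mode) for each entry that grants
    permission bits beyond the allowed mode. Missing entries are skipped."""
    findings = []
    for rel, allowed in EXPECTED:
        path = os.path.join(home, rel) if rel else home
        try:
            # lstat: a symlink reports mode 0777 on Linux and is therefore flagged
            actual = stat.S_IMODE(os.lstat(path).st_mode)
        except FileNotFoundError:
            continue
        if actual & ~allowed:
            findings.append((path, actual, allowed))
    return findings


def demo():
    """Build a constructed home tree with keystonerc_admin at 0644, as in the
    original report, and audit it."""
    home = tempfile.mkdtemp()         # mkdtemp creates the directory as 0700
    os.mkdir(os.path.join(home, ".ssh"))
    os.chmod(os.path.join(home, ".ssh"), 0o700)
    for rel, mode in ((".ssh/authorized_keys", 0o600), ("keystonerc_admin", 0o644)):
        path = os.path.join(home, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    return home, audit(home)


if __name__ == "__main__":
    for path, actual, allowed in audit(home_of()):
        print(f"{path}: mode {actual:04o}, expected at most {allowed:04o}")
```

Run as root on the installed host, it prints nothing when every path is at or below the listed mode.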
Verified - openstack-packstack-2012.2.3-0.5.dev475.el6ost.noarch.

Installation completed successfully - When SELinux in Permissive and root home directory changed from /root to /testdir.

10.35.160.15_osclient.pp : [ DONE ]
10.35.160.15_horizon.pp : [ DONE ]
Applying 10.35.160.15_postscript.pp
10.35.160.15_postscript.pp : [ DONE ]
[ DONE ]

**** Installation completed successfully ******

Additional information:
* A new answerfile was created in: /testdir/packstack-answers-20130317-165928.txt
* Time synchronization installation was skipped. Please note that unsynchronized time on server instances might be problem for some OpenStack components.
* To use the command line tools you need to source the file /testdir/keystonerc_admin created on 10.35.160.15
* To use the console, browse to http://10.35.160.15/dashboard
* The installation log file is available at: /var/tmp/packstack/20130317-165842-_1asgB/openstack-setup.log
-bash-4.1# su -c 'echo $HOME'
/testdir
-bash-4.1# getenforce
Permissive
-bash-4.1#
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0671.html