Bug 907389 - vdsm unable to run sudo command
Summary: vdsm unable to run sudo command
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: vdsm
Version: 3.1.1
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
: 3.2.0
Assignee: Yaniv Bronhaim
QA Contact: Pavel Stehlik
URL:
Whiteboard: infra
Depends On:
Blocks: 922807
Reported: 2013-02-04 09:31 UTC by Pavel Zhukov
Modified: 2016-02-10 19:28 UTC (History)

Fixed In Version: vdsm-4.10.2-11.0.el6ev
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
oVirt Team: Infra
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 11687 0 None ABANDONED Change sudo wildcards to work with absolute paths 2020-11-05 19:34:44 UTC

Description Pavel Zhukov 2013-02-04 09:31:27 UTC
Description of problem:
Failed to run the vdsm cp command because of an incorrect wildcard in /etc/sudoers.d/50_vdsm

Version-Release number of selected component (if applicable):

vdsm-4.9.6-44.2.el6_3.x86_64

How reproducible:
100%


Actual results:
MainThread::DEBUG::2013-01-23 16:08:54,273::multipath::108::Storage.Misc.excCmd::(setupMultipath) '/usr/bin/sudo -n /bin/cp /etc/multipath.conf /etc/multipath.conf.1' (cwd None)
MainThread::DEBUG::2013-01-23 16:08:54,281::multipath::108::Storage.Misc.excCmd::(setupMultipath) FAILED: <err> = 'sudo: sorry, a password is required to run sudo\n'; <rc> = 1
MainThread::DEBUG::2013-01-23 16:08:54,282::multipath::108::Storage.Misc.excCmd::(setupMultipath) '/usr/bin/sudo -n /usr/sbin/persist /etc/multipath.conf.1' (cwd None)
MainThread::DEBUG::2013-01-23 16:08:54,288::multipath::108::Storage.Misc.excCmd::(setupMultipath) FAILED: <err> = 'sudo: sorry, a password is required to run sudo\n'; <rc> = 1
MainThread::DEBUG::2013-01-23 16:08:54,298::multipath::118::Storage.Misc.excCmd::(setupMultipath) '/usr/bin/sudo -n /usr/sbin/persist /etc/multipath.conf' (cwd None)
MainThread::DEBUG::2013-01-23 16:08:54,304::multipath::118::Storage.Misc.excCmd::(setupMultipath) FAILED: <err> = 'sudo: sorry, a password is required to run sudo\n'; <rc> = 1
MainThread::DEBUG::2013-01-23 16:08:54,305::multipath::121::Storage.Misc.excCmd::(setupMultipath) '/usr/bin/sudo -n /sbin/multipath -F' (cwd None)
MainThread::DEBUG::2013-01-23 16:08:54,336::multipath::121::Storage.Misc.excCmd::(setupMultipath) FAILED: <err> = ''; <rc> = 1


Expected results:


Additional info:
    /bin/cp * multipath.conf *, \
should be
    /bin/cp *multipath.conf *, \


--- a/vdsm/sudoers.vdsm.in	2013-02-04 10:30:16.551216731 +0100
+++ b/vdsm/sudoers.vdsm.in	2013-02-04 10:30:25.434215066 +0100
@@ -31,7 +31,7 @@
     @PERSIST@ /var/log/vdsm/backup/*, \
     @UNPERSIST@ multipath.conf, \
     @UNPERSIST@ /var/log/vdsm/backup/*, \
-    @CP@ * multipath.conf *, \
+    @CP@ *multipath.conf *, \
     @CP@ * /var/log/vdsm/backup/* *, \
     @MULTIPATH@, \
     @BLOCKDEV@ --getsize64 *, \
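Review bot: Only the `@CP@` line changes here, but the context line `@UNPERSIST@ multipath.conf` keeps the same bare-name form, and the log in this report shows the `/usr/sbin/persist` calls with absolute paths being refused as well, so this hunk alone leaves those failures in place. The new `*multipath.conf *` is also looser than the call needs: sudoers matches the arguments as one concatenated string, so the leading `*` accepts any source path ending in multipath.conf and the trailing `*` any destination. Consider spelling out the absolute paths vdsm actually passes (the log shows `/etc/multipath.conf /etc/multipath.conf.1`) instead of widening the wildcard.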

Comment 1 Pavel Zhukov 2013-02-04 09:35:02 UTC
--- a/vdsm/sudoers.vdsm.in	2013-02-04 10:32:56.958196462 +0100
+++ b/vdsm/sudoers.vdsm.in	2013-02-04 10:34:06.744183744 +0100
@@ -27,13 +27,13 @@
     @CAT@ /etc/multipath.conf, \
     @DD@ of=/sys/class/scsi_host/host*/scan, \
     @DD@, \
-    @PERSIST@ multipath.conf, \
+    @PERSIST@ *multipath.conf, \
     @PERSIST@ /var/log/vdsm/backup/*, \
-    @UNPERSIST@ multipath.conf, \
+    @UNPERSIST@ *multipath.conf, \
     @UNPERSIST@ /var/log/vdsm/backup/*, \
-    @CP@ * multipath.conf *, \
+    @CP@ *multipath.conf *, \
     @CP@ * /var/log/vdsm/backup/* *, \
-    @MULTIPATH@, \
+    @MULTIPATH@ *, \
     @BLOCKDEV@ --getsize64 *, \
     @SETSID@ @IONICE@ -c? -n? @SU@ vdsm -s /bin/sh -c /usr/libexec/vdsm/spmprotect.sh*, \
     @SERVICE@ vdsmd *, \
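Review bot: On the `@PERSIST@ *multipath.conf` line the pattern still ends at `multipath.conf`, so the `/usr/sbin/persist /etc/multipath.conf.1` call from the log would not match unless a rule outside this hunk covers it. The `@MULTIPATH@ *` change also looks unnecessary: a sudoers command listed without arguments already permits any arguments, and the `multipath -F` failure in the log has an empty stderr rather than the sudo password message. Suggest dropping the `@MULTIPATH@` change and listing the rotated file name explicitly.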

Comment 2 Dan Kenigsberg 2013-02-04 10:54:45 UTC
Pavel, what is the base version of this diff? I do not see

 @CP@ * multipath.conf *

in any recent vdsm version.

Which version of sudo do you have installed? What is `rpm -V vdsm` ?

Comment 3 Pavel Zhukov 2013-02-04 11:43:45 UTC
It was a patch for rhev-3.0.
In rhev-3.1 the situation is similar:
Checked with commit bc8e315ba242de52edf27cfc9b5d6834747a9fa7



--- a/vdsm/sudoers.vdsm.in	2013-02-04 12:41:25.183928796 +0100
+++ b/vdsm/sudoers.vdsm.in	2013-02-04 12:42:23.746927174 +0100
@@ -33,13 +33,13 @@
     @CAT_PATH@ /etc/multipath.conf, \
     @DD_PATH@ of=/sys/class/scsi_host/host*/scan, \
     @DD_PATH@, \
-    @PERSIST_PATH@ multipath.conf, \
+    @PERSIST_PATH@ */multipath.conf, \
     @PERSIST_PATH@ /var/log/vdsm/backup/*, \
-    @UNPERSIST_PATH@ multipath.conf, \
+    @UNPERSIST_PATH@ */multipath.conf, \
     @UNPERSIST_PATH@ /var/log/vdsm/backup/*, \
-    @CP_PATH@ * multipath.conf *, \
+    @CP_PATH@ *multipath.conf *, \
     @CP_PATH@ * /var/log/vdsm/backup/* *, \
-    @MULTIPATH_PATH@, \
+    @MULTIPATH_PATH@ *, \
     @BLOCKDEV_PATH@ --getsize64 *, \
     @SETSID_PATH@ @IONICE_PATH@ -c? -n? @SU_PATH@ vdsm -s /bin/sh -c /usr/libexec/vdsm/spmprotect.sh*, \
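Review bot: The wildcards are inconsistent within this hunk: persist and unpersist get `*/multipath.conf`, while cp gets `*multipath.conf *` with no slash, which also accepts file names that merely end in multipath.conf. If the intent is only to allow absolute paths, use the same `*/multipath.conf` form in the cp rule, or better the literal `/etc/multipath.conf` already used by the `@CAT_PATH@ /etc/multipath.conf` context line. A short comment in the file saying that vdsm passes absolute paths would also explain why the bare names were wrong.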

Comment 4 Dan Kenigsberg 2013-02-04 12:12:03 UTC
Pavel would you first suggest an upstream patch? It would be great if you explain how it has ever worked.

Comment 5 Pavel Zhukov 2013-02-04 13:51:56 UTC
Please check:
http://gerrit.ovirt.org/#/c/11687/

Comment 7 Pavel Zhukov 2013-02-04 15:35:07 UTC
Sorry, commit message:

Change sudo wildcards to work with absolute paths

VDSM works with absolute paths of the multipath.conf file, but the wildcards
in /etc/sudoers.d/50_vdsm don't allow it. The patch just modifies the wildcards
to allow absolute paths like "/usr/bin/sudo -n /usr/sbin/persist /etc/multipath.conf"
instead of "/usr/bin/sudo -n /usr/sbin/persist multipath.conf" and so on.
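
The matching behaviour behind this commit message, as an added example that is not part of the original report or of vdsm: it checks the argument patterns from the patches above against the argument lists in the log. It assumes sudoers matches the arguments as one space-joined string in which `*` also crosses `/`, approximated here with Python's `fnmatchcase`; the names `PATTERNS`, `args_match` and `report` are hypothetical.

```python
from fnmatch import fnmatchcase

# Argument patterns copied from the sudoers lines in this bug's patches.
PATTERNS = {
    "cp old": "* multipath.conf *",
    "cp new": "*multipath.conf *",
    "persist old": "multipath.conf",
    "persist new": "*/multipath.conf",
}


def args_match(pattern, argv):
    """Approximate sudoers argument matching (assumption: the arguments are
    joined with single spaces and globbed as one string, so '*' also
    crosses '/' and word boundaries, which fnmatchcase does as well)."""
    return fnmatchcase(" ".join(argv), pattern)


# CP_FROM_LOG and PERSIST_FROM_LOG are the argument lists seen in the vdsm
# log above; CP_CONSTRUCTED is a constructed input that shows how far the
# loosened cp pattern reaches.
CP_FROM_LOG = ["/etc/multipath.conf", "/etc/multipath.conf.1"]
PERSIST_FROM_LOG = [["/etc/multipath.conf.1"], ["/etc/multipath.conf"]]
CP_CONSTRUCTED = ["/tmp/copy-of-multipath.conf", "/etc/unrelated.conf"]


def report():
    """Return (rule, arguments, allowed) for every pattern/input pair."""
    rows = [
        ("cp old", CP_FROM_LOG),
        ("cp new", CP_FROM_LOG),
        ("cp new", CP_CONSTRUCTED),
    ]
    rows += [(name, argv) for argv in PERSIST_FROM_LOG
             for name in ("persist old", "persist new")]
    return [(name, " ".join(argv), args_match(PATTERNS[name], argv))
            for name, argv in rows]


if __name__ == "__main__":
    for name, args, ok in report():
        print(f"{name:12} {'ALLOW' if ok else 'deny':5} {args}")
```

The old patterns reject every absolute-path call from the log, while the new cp pattern accepts the logged call and the constructed one alike, and the new persist pattern still rejects the `.1` file.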

Comment 8 Barak 2013-02-17 10:27:42 UTC
Pavel, can you please supply the exact reproduction scenario?

Comment 9 Pavel Zhukov 2013-02-25 08:23:04 UTC
Error messages appear every time setupMultipath is called.
I saw 3-4 systems affected.
As a workaround we use "vdsm ALL=(ALL)   NOPASSWD: ALL", and this rule fixed the issue.

Comment 10 Dan Kenigsberg 2013-02-25 09:03:27 UTC
Pavel, please help us understand how come the current code works for everybody but you. Also,

(In reply to comment #2)
> 
> Which version of sudo do you have installed?

Comment 11 Pavel Zhukov 2013-02-25 09:21:48 UTC
Dan, the systems don't crash after the errors, but the errors are present and it's not normal behaviour, is it?

Please try to run a command from #1 ('/usr/bin/sudo -n /bin/cp /etc/multipath.conf /etc/multipath.conf.1', for example) on any RHEV-H system as the vdsm user (enable the shell first). It will fail with an error.
setupMultipath can't rotate or persist the file in the current realisation.

Comment 12 Yaniv Bronhaim 2013-02-25 14:04:10 UTC
Hey Pavel, it is not normal behavior, as you said, and we want to fix it.

I updated your patch here - http://gerrit.ovirt.org/#/c/12226/2. Please hit verify if it does fix the bug, and abandon your second patch http://gerrit.ovirt.org/#/c/11687/1

Comment 14 Itamar Heim 2013-06-11 09:38:00 UTC
3.2 has been released

Comment 15 Itamar Heim 2013-06-11 09:38:00 UTC
3.2 has been released

Comment 16 Itamar Heim 2013-06-11 09:52:15 UTC
3.2 has been released

