Description of problem:

This file is wrong and makes quantum rootwrap ineffective:

# tail -1 /etc/sudoers.d/quantum
quantum ALL = (root) NOPASSWD: SETENV: /usr/bin/quantum-rootwrap

It should be similar to nova and cinder and specify parameters, i.e.:

# tail -1 /etc/sudoers.d/nova
nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *

See https://wiki.openstack.org/wiki/Packager/Rootwrap

Version-Release number of selected component (if applicable):

# rpm -qf /etc/sudoers.d/quantum
openstack-quantum-2013.1.2-1.el6.noarch
# cat /etc/centos-release
CentOS release 6.4 (Final)
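The check the report describes, as an added example (not part of the original report or of the OpenStack packaging): a small Python audit that flags rootwrap sudoers rules which do not pin the config path or which carry SETENV. The function names and the sample text are constructed for illustration, and only single-line user specifications are handled (no aliases or line continuations).

```python
import re

# Sudoers user spec: "user hosts = (runas) TAG: TAG: command args..."
SPEC = re.compile(r'^\S+\s+\S+\s*=\s*\([^)]*\)\s*(?P<rest>.+)$')
TAG = re.compile(r'^([A-Z_]+):\s*')

def audit_rootwrap_rule(line):
    """Return findings for one sudoers line; an empty list means none."""
    line = line.strip()
    m = None if line.startswith('#') else SPEC.match(line)
    if not m:
        return []                        # comment, Defaults line, blank, ...
    rest, tags = m.group('rest'), []
    while (t := TAG.match(rest)):        # peel off NOPASSWD:, SETENV:, ...
        tags.append(t.group(1))
        rest = rest[t.end():]
    parts = rest.split()
    if not parts or not parts[0].endswith('-rootwrap'):
        return []                        # only rootwrap rules are audited
    args, findings = parts[1:], []
    # A command listed without arguments may be run with ANY arguments,
    # so the caller picks which rootwrap.conf (and filters) are loaded.
    if not args:
        findings.append('config path not pinned')
    elif not args[0].startswith('/') or any(c in args[0] for c in '*?['):
        findings.append('config path is not a fixed absolute path')
    if 'SETENV' in tags:
        findings.append('SETENV allows caller-controlled environment')
    return findings

def audit_sudoers(text):
    """Map line number -> findings for every flagged line in a sudoers file."""
    out = {}
    for n, line in enumerate(text.splitlines(), 1):
        found = audit_rootwrap_rule(line)
        if found:
            out[n] = found
    return out

# Constructed sample built from the rules quoted in the report.
SAMPLE = """\
Defaults:quantum !requiretty
quantum ALL = (root) NOPASSWD: SETENV: /usr/bin/quantum-rootwrap
nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *
"""

if __name__ == '__main__':
    for n, found in audit_sudoers(SAMPLE).items():
        print(f'line {n}: ' + '; '.join(found))
```
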
Can any Neutron folks confirm if the below fix is appropriate:

$ fedpkg clone -B -a openstack-neutron
$ cd openstack-neutron/master

Edit neutron-sudoers file to reflect

neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *

$ git diff
diff --git a/neutron-sudoers b/neutron-sudoers index 3786ada..b5448c8 100644 --- a/neutron-sudoers +++ b/neutron-sudoers @@ -1,3 +1,3 @@ Defaults:neutron !requiretty -neutron ALL = (root) NOPASSWD: SETENV: /usr/bin/neutron-rootwrap +neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
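Review bot: On the `+neutron` line, the rule is only as strong as the permissions on /etc/neutron/rootwrap.conf and the filter directories it names, because the trailing `*` accepts any command and arguments and leaves all filtering to rootwrap. The package should ship that file and those directories owned by root and not writable by the neutron user, and it is worth stating that alongside this change. The same line also drops SETENV without explanation; a changelog line saying whether any agent relied on passing environment variables through sudo would help whoever reviews the update.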
The correct fix is as you suspected: -neutron ALL = (root) NOPASSWD: SETENV: /usr/bin/neutron-rootwrap +neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf * I've fixed this locally and tested it. Build coming soon.
Terry,

Thanks for the fix. Just to note, shouldn't we need to push the same to Rawhide (F21), F20 branches so they can be made available for Fedora RDO users?

Currently:

# On Rawhide/F21
$ koji latest-build f21 openstack-neutron
Build                                     Tag                   Built by
----------------------------------------  --------------------  ----------------
openstack-neutron-2013.2-6.fc21           f21                   otherwiseguy

# On Fedora-20
$ koji latest-build f20 openstack-neutron
Build                                     Tag                   Built by
----------------------------------------  --------------------  ----------------
openstack-neutron-2013.2-1.fc20           f20                   pbrady

$ http://fedoraproject.org/wiki/Updates_Policy
Kashyap: Fedora doesn't use the old SysV init scripts. The way the script works on Fedora is it just goes in and specifically enables that which was already enabled, so things that are disabled shouldn't show up in the list to begin with. From the existing Fedora packaging:

systemctl list-unit-files|grep '^quantum.*enabled\s*$'| \
sed -re 's/(\S+).*/systemctl enable \1/
s/quantum/neutron/g' > %{_localstatedir}/lib/rpm-state/UPGRADE_FROM_QUANTUM
(In reply to Terry Wilson from comment #4)
> Kashyap: Fedora doesn't use the old SysV init scripts. The way the script
> works on Fedora is it just goes in and specifically enables that which was
> already enabled, so things that are disabled shouldn't show up in the list
> to begin with. From the existing Fedora packaging:
>
> systemctl list-unit-files|grep '^quantum.*enabled\s*$'| \
> sed -re 's/(\S+).*/systemctl enable \1/
> s/quantum/neutron/g' >
> %{_localstatedir}/lib/rpm-state/UPGRADE_FROM_QUANTUM

Right! I forgot about Fedora's systemd stuff for a moment. Thanks for the comment.