OpenStack Core Infrastructure

devstack gate should remove /etc/sudoers.d/50_stack_sh before testing

Bug #1016567 reported by Thierry Carrez on 2012-06-22

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Core Infrastructure	Fix Released	High	James E. Blair	OpenStack Core Infrastructure folsom

Bug Description

Currently devstack creates a blanket sudoers entry to be able to run anythign as root while devstack runs:
echo "stack ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/50_stack_sh

This basically bypasses all the rootwrap security, so you don't really know if that stuff is working or not.
The devstack gate should probably remove /etc/sudoers.d/50_stack_sh before running the tests.

Warning, this may uncover fun bugs :)

Revision history for this message

Thierry Carrez (ttx) wrote on 2012-06-22:

As an example, the tests on https://review.openstack.org/#/c/8747/ should have failed until https://review.openstack.org/#/c/8842/1 was merged... but they passed :)

Revision history for this message

James E. Blair (corvus) wrote on 2012-06-22:

Devstack-gate runs as the jenkins user, which itself has sudo permissions on the devstack jenkins slaves. Those are needed before and after the script to do things like reset and collect syslog files. Because devstack-gate runs devstack as jenkins, with sudo, devstack does _not_ create a 'stack' user and install the 50_stack_sh file.

Instead, I think we could do the following:

Have devstack-gate run devstack as root to allow it to set up the stack user and sudoers file. Then run devstack as 'stack' ("sudo -u devstack ./stack.sh"). Then remove the 50_stack_sh. Then run tests as stack.

That still may not close all the holes. For each service, devstack runs a lot of commands that require sudo before launching the service. That means that the initial startup of each service is able to run with full sudo capability, even if we remove the sudo file later on. The configuration and starting of services is interleaved, so it wouldn't even be straightforward to find a place in devstack to remove the sudoers file. Further fun: it looks like the quantum agent is started with sudo.

But I don't know if you're concerned about nova having sudo access during startup vs. just ongoing operation.

Revision history for this message

Thierry Carrez (ttx) wrote on 2012-06-22:

Most run_as_root stuff runs at createserver/createvolume time, although I /think/ a number of network setup stuff runs at start-time.

I agree that still leaves a few corner cases, but at least that would allow us to catch the most blatant issues. Like not having installed the required filter files at all.

Worth a try, at least.

James E. Blair (corvus) on 2012-06-22

Changed in openstack-ci:
status:	New → Triaged
importance:	Undecided → High
assignee:	nobody → James E. Blair (corvus)
milestone:	none → folsom

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2012-06-22: Fix proposed to devstack-gate (master)

Fix proposed to branch: master
Review: https://review.openstack.org/8884

Changed in openstack-ci:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2012-06-25: Fix merged to devstack-gate (master)

Reviewed: https://review.openstack.org/8884
Committed: http://github.com/openstack-ci/devstack-gate/commit/2a4390d13e5f46e81d898a29987385a0fe29569e
Submitter: Jenkins
Branch: master

commit 2a4390d13e5f46e81d898a29987385a0fe29569e
Author: James E. Blair <email address hidden>
Date: Fri Jun 22 16:42:08 2012 -0700

Run devstack as stack instead of jenkins.

So that sudo permissions may be revoked after they aren't needed.
Fixes bug #1016567.

Change-Id: Ib8b287e8252397a168fbe23672b2822509511d59

Changed in openstack-ci:
status:	In Progress → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.