/etc/nova/nova-compute.conf not owned by nova

Bug #861459 reported by Scott Moser
This bug affects 1 person
Affects: nova (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Unassigned

Bug Description

On a freshly installed system, I ran:
 apt-get install -y cloud-utils euca2ools glance nova-api nova-common nova-compute-lxc nova-doc nova-network nova-objectstore nova-scheduler python-greenlet python-mysqldb python-nova rabbitmq-server unzip qemu-kvm

$ ls -l /etc/nova/
total 12
-rw-r--r-- 1 root root 3080 2011-09-23 13:35 api-paste.ini
-rw-r--r-- 1 root root 19 2011-09-23 14:25 nova-compute.conf
-rw------- 1 nova root 276 2011-09-23 13:35 nova.conf

There are 2 possible issues I see here:
a.) nova-compute.conf is world readable and root owned. That may not be an issue.
   Note, though, in nova-common.postinst, nova.conf is explicitly set to nova:nova and 600. The other files in that dir are not touched. That may well be by design.

b.) in the apt output I see:

Setting up nova-common (2011.3-0ubuntu2) ...
Adding system user `nova' (UID 107) ...
Adding new user `nova' (UID 107) with group `nogroup' ...
Not creating home directory `/var/lib/nova'.
[Errno 2] No such file or directory: '/etc/nova/nova-compute.conf'
ERROR:: Unable to open flagfile: /etc/nova/nova-compute.conf
/usr/lib/python2.7/dist-packages/migrate/changeset/schema.py:124: MigrateDeprecationWarning: Passing a Column object to alter_column is deprecated. Just pass in keyword parameters instead.
  MigrateDeprecationWarning

nova-common's /etc/nova/nova.conf has '--flagfile=/etc/nova/nova-compute.conf' and nova-compute-lxc (or any nova-compute for that matter) has not been installed yet. So this is probably just ignorable.

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: nova-compute-lxc 2011.3-0ubuntu2
ProcVersionSignature: Ubuntu 3.0.0-12.19-server 3.0.4
Uname: Linux 3.0.0-12-server x86_64
ApportVersion: 1.23-0ubuntu1
Architecture: amd64
Date: Wed Sep 28 10:26:52 2011
NovaConf: Error: [Errno 13] Permission denied: '/etc/nova/nova.conf'
PackageArchitecture: all
ProcEnviron:
 LANGUAGE=en_US:
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: nova
UpgradeStatus: No upgrade log present (probably fresh install)

Scott Moser (smoser) wrote :
Changed in nova (Ubuntu):
importance: Undecided → Low
status: New → Confirmed
Adam Gandelman (gandelman-a) wrote :

a.) nova-compute.conf is world readable and root owned. that may not be an issue.

I'm not sure if this is by design, but currently the only flag contained in nova-compute.conf is '--libvirt_type='. nova.conf usually contains credentials for accessing things like the database and messaging queue. I imagine nova-compute.conf could contain credentials for use with certain hypervisors (Xenserver, ie) but currently none of the nova-compute-* packages install anything other than --libvirt-type={kvm,uml,lxc,xen}

b.) in the apt output I see:

Bug #839796

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nova - 2012.1~rc2-0ubuntu1

---------------
nova (2012.1~rc2-0ubuntu1) precise; urgency=low

  [ Adam Gandelman ]
  * debian/control: Remove unnecessary nova-cert dependency from nova-api.
    (LP: #965356)
  * debian/nova-common.postinst: Clean up spacing, remove redundant chown,
    set blanket 0700 nova.nova permissions on /etc/nova/
  * debian/nova-compute-{kvm, lxc, uml, xen}.postinst: Set proper permissions
    on /etc/nova/nova-compute.conf (LP: #861459)
  * debian/nova-common.postinst: Ensure default nova.sqlite database is not
    world-readable.
  * debian/{rules, nova-common.{install, postinst}}: Install api-paste.ini 0600
    with nova-common (in preparation for proper nova-api-* package separation)
  * debian/{nova-common.nova-manage.logrotate,
    nova-network.nova-dhcpbridge.logrotate, rules}: Add logrotate files,
    override_dh_installlogrotate. (LP: #942646)
  * Add manpage stubs for nova-api-ec2, nova-api-metadata,
    nova-api-os-{volume, compute}, nova-rootwrap. Use sphinx built manpage
    for nova-manage (nova-common.manpages)
  * debian/nova-compute-{kvm, xen, uml, qemu}.postinst: Remove calls to
    adduser since this is already handled from nova-compute.postsinst in a
    vendor neutral way. Silences lintian errors regarding adduser dependency

  [ Chuck Short ]
  * New upstream version.
  * debian/patches/libvirt-use-console-pipe.patch: Dropped.
  * debian/patches/nova-console-monitor.patch: Add console-monitor
    option.
  * debian/nova.conf: Enable use_console_monitor
  * debian/patches/fix-ubuntu-tests.patch: Fix nova testsuite.
  * debian/rules: fail package build if testsuite fails.
  * debian/patches/validate_server_name_length.patch: Dropped no longer
    needed.
  * debian/patches/fix-docs-build-without-network.patch: Some docs need
    a network connection in order to build. Disable fetching docs from
    the internet.
  * debian/patches/0001-fix-useexisting-deprecation-warnings.patch:
    Remove deprecated warnings with sqlalchemy.

  [ Tyler Hicks ]
  * SECURITY UPDATE: Denial of service via resource exhaustion in nova-api
    (LP: #968411)
    - debian/patches/validate_server_name_length.patch: Limit server names
      to a maximum of 255 characters to prevent nova-api log files from
      exhausting storage space. Based on upstream patch.
    - CVE-2012-1585
 -- Chuck Short <email address hidden> Mon, 02 Apr 2012 11:17:33 -0400

Changed in nova (Ubuntu):
status: Confirmed → Fix Released
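
A check for the condition this report describes and the changelog addresses (entries under /etc/nova that are not owned by nova or that are accessible to other users), as an added example that is not part of the bug report or the nova packaging. The function names are hypothetical, GNU find and stat are assumed, and the sample directory is constructed to mirror the modes in the listing above.

```shell
#!/bin/sh
# Added example, not from the nova packaging. Requires GNU find and stat.

# audit_conf_dir DIR OWNER   (OWNER may be a user name or a numeric uid)
# Prints one line per problem for DIR and everything below it:
#   - entry not owned by OWNER
#   - entry whose mode grants any permission to "other"
# Returns 0 if clean, 1 if anything was flagged, 2 if DIR is not a directory.
audit_conf_dir() {
    dir=$1
    owner=$2
    [ -d "$dir" ] || { echo "audit_conf_dir: $dir is not a directory" >&2; return 2; }
    find "$dir" \( -type f -o -type d \) -exec stat -c '%U %u %a %n' {} + |
    awk -v want="$owner" '
        {
            user = $1; uid = $2; mode = $3
            path = $0; sub(/^[^ ]+ [^ ]+ [^ ]+ /, "", path)
            # The last octal digit of the mode is the "other" permission set.
            other = substr(mode, length(mode), 1) + 0
            if (user != want && uid != want) {
                print path ": owned by " user ", expected " want; bad = 1
            }
            if (other != 0) {
                print path ": mode " mode " is accessible to other users"; bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }'
}

# make_sample_dir: constructed sample mirroring the modes in the listing
# (0644 api-paste.ini and nova-compute.conf, 0600 nova.conf). Files belong
# to the invoking user, because chown to another account needs root.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/api-paste.ini";     chmod 0644 "$d/api-paste.ini"
    : > "$d/nova-compute.conf"; chmod 0644 "$d/nova-compute.conf"
    : > "$d/nova.conf";         chmod 0600 "$d/nova.conf"
    echo "$d"
}

# Demo on the constructed sample; on a real host: audit_conf_dir /etc/nova nova
sample=$(make_sample_dir)
audit_conf_dir "$sample" "$(id -u)" || echo "entries listed above need attention"
rm -rf "$sample"
```

Run it as root on a real host, since a directory set to 0700 nova:nova cannot be traversed by other accounts.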