Bug #4870
Missing entry for mkswap in sudoers (uninitialized volatile disk of type "swap")
Status: | Closed | Start date: | 10/13/2016 |
---|---|---|---|
Priority: | Normal | Due date: | |
Assignee: | - | % Done: | 0% |
Category: | Core & System | | |
Target version: | Release 5.2 | | |
Resolution: | fixed | Pull request: | |
Affected Versions: | OpenNebula 5.0 | | |
Description
Originally discussed here: https://forum.opennebula.org/t/volatile-swap-disk-not-initialized-in-5-0-2/3126/
ONe fails to initialize volatile images of type "swap" on a CEPH system datastore, because the rbd-mapped block device in /dev/rbd/X is not accessible by mkswap. Adding a mkswap entry to /etc/sudoers.d/opennebula fixes the problem. Patch attached. The patch should be evaluated from the security point of view - adding mkswap to sudoers probably allows the oneadmin user to overwrite any file in the system. The relevant parts of the system log (/var/log/secure on CentOS 7) are here:
Oct 13 15:00:22 host4 sudo: oneadmin : TTY=unknown ; PWD=/var/lib/one ; USER=root ; COMMAND=/bin/rbd --id libvirt map one/one-sys-620-1
Oct 13 15:00:22 host4 sudo: pam_unix(sudo:auth): conversation failed
Oct 13 15:00:22 host4 sudo: pam_unix(sudo:auth): auth could not identify password for [oneadmin]
Oct 13 15:00:22 host4 sudo: oneadmin : command not allowed ; TTY=unknown ; PWD=/var/lib/one ; USER=root ; COMMAND=/sbin/mkswap -L swap stratus4:/var/lib/one//datastores/0/620/disk.1
Oct 13 15:00:22 host4 sudo: oneadmin : TTY=unknown ; PWD=/var/lib/one ; USER=root ; COMMAND=/bin/rbd --id libvirt unmap /dev/rbd/one/one-sys-620-1
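Added example (not part of the original report and not OpenNebula code): a small Python parser for sudo records like those in the log excerpt above, which lists the binaries sudo refused per invoking and target user, so a missing sudoers entry can be spotted and reviewed before it is granted. The function names are hypothetical, and the sample input is the excerpt's records with wrapped lines rejoined.

```python
import re
from collections import defaultdict

# sudo syslog record: "<user> : [<reason> ; ]TTY=.. ; PWD=.. ; USER=.. ; COMMAND=<argv>"
SUDO_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+)\s+:\s+"
    r"(?:(?P<reason>[^=;]+) ; )?"      # present only when sudo refused the request
    r"(?P<fields>.*?)COMMAND=(?P<command>.*)$"
)

def parse_sudo_line(line):
    """Return a dict for a sudo command record, or None for other lines (e.g. pam_unix)."""
    m = SUDO_RE.search(line.rstrip("\n"))
    if not m:
        return None
    runas = re.search(r"\bUSER=(\S+)", m.group("fields"))
    argv = m.group("command").split()
    return {
        "user": m.group("user"),
        "runas": runas.group(1) if runas else None,
        "denied_reason": m.group("reason"),   # None means the command was run
        "binary": argv[0] if argv else "",
        "args": argv[1:],
    }

def denied_binaries(lines):
    """Map (invoking user, target user) -> sorted binaries that sudo refused to run."""
    refused = defaultdict(set)
    for line in lines:
        rec = parse_sudo_line(line)
        if rec and rec["denied_reason"]:
            refused[(rec["user"], rec["runas"])].add(rec["binary"])
    return {key: sorted(bins) for key, bins in refused.items()}

# Sample input: the records from the report's log excerpt, wrapped lines rejoined.
SAMPLE = [
    "Oct 13 15:00:22 host4 sudo: oneadmin : TTY=unknown ; PWD=/var/lib/one ; USER=root ; COMMAND=/bin/rbd --id libvirt map one/one-sys-620-1",
    "Oct 13 15:00:22 host4 sudo: pam_unix(sudo:auth): conversation failed",
    "Oct 13 15:00:22 host4 sudo: pam_unix(sudo:auth): auth could not identify password for [oneadmin]",
    "Oct 13 15:00:22 host4 sudo: oneadmin : command not allowed ; TTY=unknown ; PWD=/var/lib/one ; USER=root ; COMMAND=/sbin/mkswap -L swap stratus4:/var/lib/one//datastores/0/620/disk.1",
    "Oct 13 15:00:22 host4 sudo: oneadmin : TTY=unknown ; PWD=/var/lib/one ; USER=root ; COMMAND=/bin/rbd --id libvirt unmap /dev/rbd/one/one-sys-620-1",
]

if __name__ == "__main__":
    for (user, runas), bins in denied_binaries(SAMPLE).items():
        print(f"{user} -> {runas}: refused {', '.join(bins)}")
```

The parsed `args` of each refused record also show exactly what target the command was asked to write to, which is the detail to check when deciding how narrowly a new sudoers entry should be scoped.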
Associated revisions
B #4870: missing sudo perms for mkswap
Patch submitted by Jan "Yenya" Kasprzak
History
#1 Updated by Ruben S. Montero over 4 years ago
- Target version set to Release 5.2
#2 Updated by Jan "Yenya" Kasprzak over 4 years ago
- File ceph-mkimage.patch added
Oops, one more change is needed: mkswap is run with incorrect arguments. Additional patch to /var/lib/one/remotes/tm/ceph/mkimage is attached.
#3 Updated by Jaime Melis over 4 years ago
- Status changed from Pending to Closed
- Resolution set to fixed
patch applied
thanks!!!!