Project

General

Profile

Actions
Copy link

Bug #47112

closed

cephadm RPM package installs /etc/sudoers.d/cephadm - review whether this file is still needed

Added by Nathan Cutler over 3 years ago. Updated over 3 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Nathan Cutler
Category:
-
Target version:
-
% Done:

0%

Source:
Tags:
Backport:
octopus
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
36972
Crash signature (v1):
Crash signature (v2):

Description

The cephadm user was introduced by https://github.com/ceph/ceph/pull/31698 (originally as the "cephdaemon" user). It was renamed to "cephadm" by https://github.com/ceph/ceph/pull/32193

When the "cephadm" RPM is installed on the system, a new "cephadm" is created and a file /etc/sudoers.d/cephadm is created. Apparently, until now nobody noticed the following discrepancy:

The file /etc/sudoers.d/cephadm refers to "/usr/bin/cephadm":

(venv) smithfarm@wilbur:~/src/ceph/smithfarm/ceph> cat sudoers.d/cephadm
# allow cephadm user to sudo cephadm
cephadm ALL=NOPASSWD: /usr/bin/cephadm --image * ls
cephadm ALL=NOPASSWD: /usr/bin/cephadm --image * unit *
cephadm ALL=NOPASSWD: /usr/bin/cephadm --image * shell *
cephadm ALL=NOPASSWD: /usr/bin/cephadm --image * deploy *
cephadm ALL=NOPASSWD: /usr/bin/cephadm --image * ceph-volume *
cephadm ALL=NOPASSWD: /usr/bin/cephadm --image * rm-daemon *

But THERE IS NO /usr/bin/cephadm in the system, because the cephadm binary is installed under /usr/sbin.

Instead of just blindly doing s/bin/sbin/g in /etc/sudoers.d/cephadm, though, I thought I'd ask the following questions:

How is it that this was not noticed before?

Given that it was not noticed, maybe /etc/sudoers.d/cephadm is not needed and could be dropped?

Related issues 1 (0 open1 closed)

Copied to Ceph - Backport #47644: octopus: cephadm RPM package installs /etc/sudoers.d/cephadm - review whether this file is still neededResolvedNathan CutlerActions
Actions
Copy link
 #1

Updated by Nathan Cutler over 3 years ago

  • Status changed from New to Fix Under Review
  • Assignee set to Nathan Cutler
  • Pull request ID set to 36972
Actions
Copy link
 #2

Updated by Kefu Chai over 3 years ago

  • Status changed from Fix Under Review to Resolved
Actions
Copy link
 #3

Updated by Nathan Cutler over 3 years ago

  • Status changed from Resolved to Pending Backport
  • Backport set to octopus
Actions
Copy link
 #4

Updated by Nathan Cutler over 3 years ago

  • Project changed from Orchestrator to Ceph
Actions
Copy link
 #5

Updated by Nathan Cutler over 3 years ago

  • Copied to Backport #47644: octopus: cephadm RPM package installs /etc/sudoers.d/cephadm - review whether this file is still needed added
Actions
Copy link
 #6

Updated by Nathan Cutler over 3 years ago

  • Status changed from Pending Backport to Resolved

While running with --resolve-parent, the script "backport-create-issue" noticed that all backports of this issue are in status "Resolved" or "Rejected".

Actions
Copy link

Also available in: Atom PDF