803629 – sys-cluster/ceph-16.2.4-r2: does not install required sudoers file

Bug 803629 - sys-cluster/ceph-16.2.4-r2: does not install required sudoers file

Summary: sys-cluster/ceph-16.2.4-r2: does not install required sudoers file

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	AMD64 Linux

Importance:	Normal minor (vote)
Assignee:	Patrick McLean

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2021-07-24 04:27 UTC by Peter Pavlisko
Modified:	2021-09-17 01:20 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Peter Pavlisko 2021-07-24 04:27:25 UTC

I upgraded my test cluster from sys-cluster/ceph-14.2.21-r2 to sys-cluster/ceph-16.2.4-r2 yesterday. Today, I received three e-mails from every OSD node in this cluster:

Subject: 
*** SECURITY information for backup1 ***
From: 
ceph@backup1.komensky.sk
Date: 
24. 7. 2021, 2:01
To: 
root@backup1.komensky.sk

backup1 : Jul 24 00:01:26 : ceph : user NOT in sudoers ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/smartctl -x --json=o /dev/sda

Subject: 
*** SECURITY information for backup1 ***
From: 
ceph@backup1.komensky.sk
Date: 
24. 7. 2021, 2:01
To: 
root@backup1.komensky.sk

backup1 : Jul 24 00:01:29 : ceph : user NOT in sudoers ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/nvme st8000vn004-2m2101 smart-log-add --json /dev/sda

Subject: 
*** SECURITY information for backup1 ***
From: 
ceph@backup1.komensky.sk
Date: 
24. 7. 2021, 2:01
To: 
root@backup1.komensky.sk

backup1 : Jul 24 00:01:53 : ceph : user NOT in sudoers ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/smartctl -x --json=o /dev/sdb

After some digging in ceph documentation, it seems that there should be a sudoers file installed in /etc/sudoers.d/ceph for ceph user (since ceph version 15):

https://docs.ceph.com/en/octopus/rados/deployment/preflight-checklist/#create-a-user

Reproducible: Always

Steps to Reproduce:
1. install latest stable ceph
2. let it run
3. wait for security alert from sudo
Actual Results:  
ceph attempts to sudo and it is denied, then an alert is sent to administrator

Expected Results:  
ceph should be able to run at least smartctl and nvme commands

Comment 1 Peter Pavlisko 2021-07-26 09:49:30 UTC

this seems to be the relevant file:

https://github.com/ceph/ceph/blob/master/sudoers.d/ceph-osd-smartctl

Comment 2 Larry the Git Cow gentoo-dev

2021-09-17 01:20:52 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7da3a597a4b8d0f09e3e68bde8135ad4f8bee14b

commit 7da3a597a4b8d0f09e3e68bde8135ad4f8bee14b
Author:     Patrick McLean <chutzpah@gentoo.org>
AuthorDate: 2021-09-17 00:06:53 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2021-09-17 01:20:44 +0000

    sys-cluster/ceph-16.2.6: Version bump
    
    Closes: https://bugs.gentoo.org/797622
    Closes: https://bugs.gentoo.org/797622
    Closes: https://bugs.gentoo.org/803947
    Closes: https://bugs.gentoo.org/803629
    Closes: https://bugs.gentoo.org/797598
    Closes: https://bugs.gentoo.org/795807
    Package-Manager: Portage-3.0.23, Repoman-3.0.3
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 sys-cluster/ceph/Manifest           |   1 +
 sys-cluster/ceph/ceph-16.2.6.ebuild | 459 ++++++++++++++++++++++++++++++++++++
 2 files changed, 460 insertions(+)