
yahoo-eng-team team mailing list archive

[Bug 1965183] [NEW] ovn migration executes scripts from /tmp directory

 

Public bug reported:

Description of problem:
/tmp is often mounted with the noexec option for security reasons. The migration roles rely on scripts in /tmp/ being executable.

Version-Release number of selected component (if applicable):
16.1

How reproducible:
Always

Steps to Reproduce:
1. Have /tmp mounted with noexec option
2. Run migration from ovs to ovn
3.

Actual results:
fatal: [tpa-vim-b-computecl-0]: FAILED! => {
    "changed": true,
    "cmd": "/tmp/clone-br-int.sh",
    "delta": "0:00:00.001773",
    "end": "2022-03-16 18:51:30.332449",
    "invocation": {
        "module_args": {
            "_raw_params": "/tmp/clone-br-int.sh",
            "_uses_shell": true,
            "argv": null,
            "chdir": null,
            "creates": null,
            "executable": null,
            "removes": null,
            "stdin": null,
            "stdin_add_newline": true,
            "strip_empty_ends": true,
            "warn": true
        }
    },
    "msg": "non-zero return code",
    "rc": 126,
    "start": "2022-03-16 18:51:30.330676",
    "stderr": "/bin/sh: /tmp/clone-br-int.sh: Permission denied",
    "stderr_lines": [
        "/bin/sh: /tmp/clone-br-int.sh: Permission denied"
    ],
    "stdout": "",
    "stdout_lines": []
}

** Affects: neutron
     Importance: Undecided
     Assignee: Jakub Libosvar (libosvar)
         Status: New


** Tags: ovn

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1965183

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1965183/+subscriptions
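
A preflight check for the condition in this report, as an added example that is not part of the bug report or of the neutron migration roles: it reads a mount table, finds the mount that holds a path, and reports whether it carries `noexec`, which is what makes `/bin/sh` fail with rc 126 on `/tmp/clone-br-int.sh`. The function names, the candidate directory `/var/tmp` and the sample mount table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Returns 0 if the mount holding PATH is noexec, 1 if exec is allowed,
# 2 if no mount entry matched. MOUNTS_FILE defaults to /proc/mounts.
mount_is_noexec() {
    path=$1
    mounts=${2:-/proc/mounts}
    awk -v p="$path" '
        {
            mp = $2
            # A mount point covers the path if it is "/", equals the path,
            # or is a directory prefix of it (so /tmp does not cover /tmpfoo).
            covers = (mp == "/" || p == mp || index(p, mp "/") == 1)
            # Longest mount point wins; on ties the later entry shadows the earlier.
            if (covers && length(mp) >= best_len) {
                best_len = length(mp); opts = $4; found = 1
            }
        }
        END {
            if (!found) exit 2
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "noexec") exit 0
            exit 1
        }' "$mounts"
}

# Print the first candidate directory whose mount allows execution.
# Usage: pick_exec_dir MOUNTS_FILE DIR...   (returns 1 if none qualifies)
pick_exec_dir() {
    tbl=$1; shift
    for d in "$@"; do
        rc=0; mount_is_noexec "$d" "$tbl" || rc=$?
        if [ "$rc" -eq 1 ]; then printf '%s\n' "$d"; return 0; fi
    done
    return 1
}

# Constructed sample mount table (not taken from the bug report).
sample_mounts() {
    cat <<'EOF'
/dev/mapper/vg-root / xfs rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg-var /var xfs rw,relatime 0 0
EOF
}

demo_tbl=$(mktemp); sample_mounts > "$demo_tbl"
pick_exec_dir "$demo_tbl" /tmp /var/tmp   # prints /var/tmp
rm -f "$demo_tbl"
```

On a real host, call `mount_is_noexec /tmp` with no second argument to read `/proc/mounts`.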


