
yahoo-eng-team team mailing list archive

[Bug 1965183] Re: ovn migration executes scripts from /tmp directory

 

Reviewed:  https://review.opendev.org/c/openstack/neutron/+/834071
Committed: https://opendev.org/openstack/neutron/commit/0529ccdf71dcd093a80180097eeaa5d7cb5e15fb
Submitter: "Zuul (22348)"
Branch:    master

commit 0529ccdf71dcd093a80180097eeaa5d7cb5e15fb
Author: Jakub Libosvar <libosvar@xxxxxxxxxx>
Date:   Wed Mar 16 16:40:21 2022 -0400

    ovn migration: Don't use executables in /tmp/
    
    It's a common practice to have /tmp/ mounted separately with noexec
    option. This effectively means no scripts can be executed from the
    filesystem mounted to /tmp.
    
    This patch explicitly calls the sh binary to execute scripts from /tmp and
    removes the executable flag from the scripts.
    
    Closes-Bug: #1965183
    
    Change-Id: I2f9cd67979a8a75848fcdd7a8c3bb56dd3590473
    Signed-off-by: Jakub Libosvar <libosvar@xxxxxxxxxx>


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1965183

Title:
  ovn migration executes scripts from /tmp directory

Status in neutron:
  Fix Released

Bug description:
  Description of problem:
  /tmp is often mounted with the noexec option for security reasons. The migration roles rely on scripts in /tmp/ being executable.

  Version-Release number of selected component (if applicable):
  16.1

  How reproducible:
  Always

  Steps to Reproduce:
  1. Have /tmp mounted with noexec option
  2. Run migration from ovs to ovn
  3.

  Actual results:
  fatal: [tpa-vim-b-computecl-0]: FAILED! => {
      "changed": true,
      "cmd": "/tmp/clone-br-int.sh",
      "delta": "0:00:00.001773",
      "end": "2022-03-16 18:51:30.332449",
      "invocation": {
          "module_args": {
              "_raw_params": "/tmp/clone-br-int.sh",
              "_uses_shell": true,
              "argv": null,
              "chdir": null,
              "creates": null,
              "executable": null,
              "removes": null,
              "stdin": null,
              "stdin_add_newline": true,
              "strip_empty_ends": true,
              "warn": true
          }
      },
      "msg": "non-zero return code",
      "rc": 126,
      "start": "2022-03-16 18:51:30.330676",
      "stderr": "/bin/sh: /tmp/clone-br-int.sh: Permission denied",
      "stderr_lines": [
          "/bin/sh: /tmp/clone-br-int.sh: Permission denied"
      ],
      "stdout": "",
      "stdout_lines": []
  }
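The failure above (rc 126, "Permission denied") and the fix from the commit message can be reproduced on any POSIX shell without a noexec mount, because a script without its executable bit fails direct execution in exactly the same way. The block below is an added example, not part of the neutron patch or the migration roles: it writes a constructed stand-in for clone-br-int.sh into a scratch directory, shows direct execution returning 126, runs it the way the patch does (`sh script`), and includes a small check for the noexec mount option so an operator can tell in advance which case applies. The scratch path, the script contents and the `findmnt` probe are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the neutron patch): reproduce rc=126 and the
# "call sh explicitly" fix on a constructed scratch script.

WORK="${TMPDIR:-/tmp}/ovn-noexec-demo.$$"   # constructed scratch location (assumption)
SCRIPT="$WORK/clone-br-int.sh"             # stand-in for the migration script

# Write a tiny script the way the migration roles might (constructed content),
# and leave the executable bit off, as the patch does.
write_script() {
    mkdir -p "$WORK"
    printf '#!/bin/sh\necho hello-from-script\n' > "$SCRIPT"
    chmod 0644 "$SCRIPT"
}

# Return 0 if a comma-separated mount option string contains noexec.
# Example input: "rw,nosuid,nodev,noexec,relatime" (as in /proc/mounts).
opts_have_noexec() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx noexec
}

# Return 0 if the mount holding $1 is noexec; uses findmnt (util-linux) when
# present, otherwise reports "not noexec" (1) because it cannot tell.
is_noexec_mount() {
    if command -v findmnt >/dev/null 2>&1; then
        opts_have_noexec "$(findmnt -n -o OPTIONS --target "$1" 2>/dev/null)"
    else
        return 1
    fi
}

# Direct execution: needs both the executable bit and an exec-capable mount.
# Prints the exit status; 126 means "found but not executable".
run_direct() {
    if "$SCRIPT" >/dev/null 2>&1; then echo 0; else echo $?; fi
}

# The fix from the patch: the interpreter only reads the file, so neither the
# missing executable bit nor a noexec mount prevents it from running.
run_via_sh() {
    sh "$SCRIPT"
}

cleanup() {
    rm -rf "$WORK"
}

# Stand-alone run: show both behaviours, then clean up.
write_script
echo "mount of $WORK noexec? $(is_noexec_mount "$WORK" && echo yes || echo no)"
echo "direct execution exit status: $(run_direct)"
echo "via sh: $(run_via_sh)"
cleanup
```

Note for operators relying on noexec /tmp as a control: it blocks direct execve of files on that mount, which is what the migration hit, but an explicitly invoked interpreter reading the file is unaffected, which is exactly why the patch works. Treat noexec as a hardening measure against accidental or direct execution, not as a guarantee that nothing under /tmp can run.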

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1965183/+subscriptions
