
List:       vdsm-devel
Subject:    [vdsm] Running commands that requires root permissions in before_vm_start hook
From:       ItzikB () mellanox ! com (Itzik Brown)
Date:       2012-05-22 6:34:35
Message-ID: 4488206DC085244C886DBC9E7038B68925186573 () mtrdag02 ! mtl ! com

Dan,
You are right - it's my mistake :-)

Anyway, the documentation for running the scripts which need root permissions can be found here:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Virtualization/3.0/html/Administration_Guide/ch16s02.html


Itzik

-----Original Message-----
From: Dan Kenigsberg [mailto:danken at redhat.com] 
Sent: Tuesday, 22 May 2012 01:28
To: Andrew Cathrow
Cc: Itzik Brown; vdsm-devel at lists.fedorahosted.org
Subject: Re: [vdsm] Running commands that requires root permissions in before_vm_start hook

On Mon, May 21, 2012 at 09:24:53AM -0400, Andrew Cathrow wrote:
> 
> 
> ----- Original Message -----
> > From: "Itzik Brown" <ItzikB at mellanox.com>
> > To: vdsm-devel at lists.fedorahosted.org
> > Sent: Monday, May 21, 2012 9:07:10 AM
> > Subject: [vdsm] Running commands that requires root permissions in 
> > before_vm_start hook
> > 
> > Hi,
> > 
> > I'm trying to run the following script in before_vm_start hook:
> > 
> > #!/usr/bin/python
> > import subprocess
> > 
> > args = ['brctl', 'addbr', 'net10']
> > print("Running command: " + " ".join(args))
> > p = subprocess.Popen(args, stdout=subprocess.PIPE)
> > 
> > I get the following error:
> > add bridge failed: Operation not permitted
> > 
> > From Red Hat Enterprise Virtualization 3.0 Documentation:
> > "Before VDSM is started on the hypervisor host. before_vdsm_start 
> > hooks are executed as the user root, and do not inherit the 
> > environment of the VDSM process."
> > 
> > As I understand it there should be no problem if user root executes 
> > this script.
> > When giving the vdsm user the right sudo permissions and adding sudo 
> > to the command - it works.
> > 
> > Is the documentation wrong or am I missing something?
> 
> I think it's a docs issue - IIRC everything should run as VDSM and sudo for
> privileged commands, with your RPM for the hook including additions for
> sudoers if required for new commands.

Actually, Itzik is missing something. Two letters to be exact. ;-)
before_vdsm_start runs as root, but before_vm_start runs as vdsm, as all normal hooks.

You can take a look at example hooks (e.g. hostusb) and how they configure sudo to run commands as root.
http://gerrit.ovirt.org/gitweb?p=vdsm.git;a=tree;f=vdsm_hooks/hostusb

Dan.
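
The approach described in this thread (before_vm_start runs as vdsm, and sudo is configured for the one privileged command), shown as an added example that is not part of the thread and is not the vdsm hostusb hook. The sudoers file name, the brctl path and the helper names build_command and add_bridge are assumptions.

```python
#!/usr/bin/python
# Added example, not from the thread or the vdsm project.
# Assumed sudoers drop-in (hypothetical file /etc/sudoers.d/50_vdsm_hook_example),
# granting vdsm exactly one command with fixed arguments:
#   Defaults:vdsm !requiretty
#   vdsm ALL=(root) NOPASSWD: /usr/sbin/brctl addbr net10
import os
import re
import subprocess
import sys

BRCTL = "/usr/sbin/brctl"  # assumed path; must match the sudoers entry exactly
# Interface names are at most 15 characters; reject a leading '-' or '.'
# so the name can never be read as an option or a path component.
BRIDGE_RE = re.compile(r"\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,14}\Z")


def build_command(bridge, euid):
    """Return the argv that creates `bridge`, adding sudo only when not root."""
    if not BRIDGE_RE.match(bridge):
        raise ValueError("refusing unsafe bridge name: %r" % (bridge,))
    cmd = [BRCTL, "addbr", bridge]
    if euid != 0:
        # -n: never prompt; fail at once if sudoers does not allow the command
        cmd = ["sudo", "-n"] + cmd
    return cmd


def add_bridge(bridge):
    """Run the command and return (exit code, stderr text)."""
    cmd = build_command(bridge, os.geteuid())
    p = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    _, err = p.communicate()
    return p.returncode, err.decode("utf-8", "replace")


if __name__ == "__main__":
    rc, err = add_bridge("net10")
    if rc != 0:
        sys.stderr.write("addbr failed (%d): %s\n" % (rc, err))
        sys.exit(1)  # non-zero exit reports the failure to the caller
```

Listing the full command line in sudoers, rather than a wildcard or a bare `brctl`, keeps the vdsm user from running any other brctl subcommand as root.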

