<div dir="ltr"><div class="gmail_default" style="font-family:'times new roman',serif">James,</div><div class="gmail_default" style="font-family:'times new roman',serif"><br></div><div class="gmail_default" style="font-family:'times new roman',serif">
The problem was that the sudoers file did not include the directive #include /etc/sudoers.d so that the contents of /etc/sudoers.d/neutron and /etc/sudoers.d/nova were not included.</div><div class="gmail_default" style="font-family:'times new roman',serif">
<br></div><div class="gmail_default" style="font-family:'times new roman',serif">The /etc/sudoers.d/neutron file contains:</div><div class="gmail_default"><div class="gmail_default"><font face="courier new, monospace">Defaults:neutron !requiretty</font></div>
<div class="gmail_default"><font face="courier new, monospace"><br></font></div><div class="gmail_default"><font face="courier new, monospace">neutron ALL = (root) NOPASSWD: SETENV: /usr/bin/neutron-rootwrap</font></div>
<div style="font-family:'times new roman',serif"><br></div><div style="font-family:'times new roman',serif">The /etc/sudoers.d/nova file contains:</div><div style="font-family:'times new roman',serif">
<br></div><div><div><font face="courier new, monospace">Defaults:nova !requiretty</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *</font></div>
<div style="font-family:'times new roman',serif"><br></div></div></div><div class="gmail_default" style="font-family:'times new roman',serif"><br></div><div class="gmail_default" style="font-family:'times new roman',serif">
Thank you for your kind assistance.</div><div class="gmail_default" style="font-family:'times new roman',serif"><br></div><div class="gmail_default" style="font-family:'times new roman',serif"><br></div><div class="gmail_default" style="font-family:'times new roman',serif">
Jeff</div><div class="gmail_default" style="font-family:'times new roman',serif"><br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jul 30, 2014 at 2:52 PM, James Penick <span dir="ltr"><<a href="mailto:james_r_penick@yahoo.com" target="_blank">james_r_penick@yahoo.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div style="color:#000;background-color:#fff;font-family:lucida console,sans-serif;font-size:8pt"><div>Can you paste the line you have for this headless user in /etc/sudoers?</div>
<div><br></div><div style="color:rgb(0,0,0);font-size:11.111111640930176px;font-family:'lucida console',sans-serif;font-style:normal;background-color:transparent">make sure you have something like:</div><div style="color:rgb(0,0,0);font-size:11.111111640930176px;font-family:'lucida console',sans-serif;font-style:normal;background-color:transparent">
<br></div><div style="background-color:transparent">$user<span style="white-space:pre-wrap"> </span>ALL NOPASSWD: /usr/bin/<span style="font-family:monospace;font-size:13.333333969116211px">nova-rootwrap</span><br></div><div>
</div><div><br></div><div>where $user is the name of the headless user you've created to execute this process.</div><div><br></div><div>-James</div><div><br></div><div><br></div><div><span style="font-size:8pt"> </span><br>
</div><div>:)=</div><div><div class="h5"> <div><br><br></div><div style="display:block"> <div style="font-family:lucida console,sans-serif;font-size:8pt"> <div style="font-family:HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif;font-size:12pt">
<div dir="ltr"> <font face="Arial"> On Wednesday, July 30, 2014 12:16 PM, Abel Lopez <<a href="mailto:alopgeek@gmail.com" target="_blank">alopgeek@gmail.com</a>> wrote:<br> </font> </div> <br><br> <div><div><div>Couple of things I’d check, first make sure /etc/sudoers has the “#includedir /etc/sudoers.d” <div>
It must have the #, that’s not a comment, that’s what the directive looks like.</div><div><br clear="none"></div><div>Secondly, parse the file with visudo to make sure it’s syntactically correct, both the /etc/sudoers and any file that may be in /etc/sudoers.d/</div>
<div>Your nova user’s shell is fine, mine is /bin/false, </div><div><br clear="none"><div><div><div>On Jul 30, 2014, at 12:04 PM, Jeff Silverman <<a rel="nofollow" shape="rect" href="mailto:jeff@sweetlabs.com" target="_blank">jeff@sweetlabs.com</a>>
wrote:</div><br clear="none"><blockquote type="cite"><div dir="ltr"><div style="font-family:'times new roman',serif">I had several openstack daemons running properly after going through the set up process. I decided to reboot the machine (because it's going to reboot sooner or later and I wanted to find out what would go wrong before we pressed the system into production). Several of the daemons don't start properly. In all cases, there is an error message in the log files of the form:</div>
<div style="font-family:'times new roman',serif"><br clear="none"></div><div style="font-family:'times new roman',serif"><pre>2014-07-30 10:56:57.349 878 CRITICAL nova [-] ProcessExecutionError: Unexpected error while running command.<br clear="none">
Command: sudo nova-nn /etc/nova/rootwrap.conf iptables-save -c<br clear="none">Exit code: 1<br clear="none">Stdout: ''<br clear="none">Stderr: 'sudo: no tty present and no askpass program specified\n'<br clear="none">
</pre></div><div style="font-family:'times new roman',serif">
<br clear="none"></div><div style="font-family:'times new roman',serif">I have googled the error message and I find several items of advice, all of which I have taken and none of which have resolved my issue:</div>
<div style="font-family:'times new roman',serif"><br clear="none"></div><div><ul><li><font face="times new roman, serif">Remove the defaults requiretty from the /etc/sudoers file. I have done both </font><tt><font color="#00cccc">#Defaults requiretty</font></tt> and <tt><font color="#ff6600">Defaults</font> <font color="#00cccc">!requiretty</font></tt> <font face="times new roman, serif">and tried again. No joy.</font></li>
<li><font face="times new roman, serif">I added the following line to nova.conf:</font><br clear="none"><font face="courier new, monospace">root_helper=sudo nova-rootwrap</font><br clear="none"><font face="times new roman, serif">no joy, there, either.</font></li>
<li><font face="times new roman, serif">Interestingly enough, if I give the
command
<kbd>sudo nova-rootwrap /etc/nova/rootwrap.conf iptables-save -c</kbd>
<br clear="none">
from the command line as user root, then it works.</font></li><li><font face="times new roman, serif">I notice that user nova is in</font><font face="courier new, monospace"> /etc/passwd</font><font face="times new roman, serif"> with shell</font><font face="courier new, monospace"> /bin/nologin</font><font face="times new roman, serif">. I assume that that's there for a reason, so I am reluctant to change it.</font></li>
<li><font face="times new roman, serif">If I give the command</font><br clear="none"><font face="courier new, monospace">sudo nova-nn whoami</font><br clear="none"><font face="times new roman, serif">I get:</font><br clear="none">
<font face="courier new, monospace">sudo:
nova-nn: command not found</font></li><li style="font-family:'times new roman',serif"><br clear="none"></li></ul></div><div style="font-family:'times new roman',serif"><br clear="none"></div><div style="font-family:'times new roman',serif">
I am open to additional suggestions. I am running on Centos 6.5</div><div style="font-family:'times new roman',serif"><br clear="none"></div><div><br clear="none"></div>-- <br clear="none"><div dir="ltr"><b>Jeff Silverman</b><div>
Systems Engineer</div><div><a href="tel:%28253%29%20459-2318" value="+12534592318" target="_blank">(253) 459-2318</a> (c)</div><div><img src="https://dl.dropboxusercontent.com/u/16943296/SweetLabs-Signatures/New_2014/signature-logo.png"><br clear="none">
</div></div>
</div>
_______________________________________________<br clear="none">OpenStack-operators mailing list<br clear="none"><a rel="nofollow" shape="rect" href="mailto:OpenStack-operators@lists.openstack.org" target="_blank">OpenStack-operators@lists.openstack.org</a><br clear="none">
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a><br clear="none"></blockquote></div></div><br clear="none">
</div></div></div><br><div>_______________________________________________<br clear="none">OpenStack-operators mailing list<br clear="none"><a shape="rect" href="mailto:OpenStack-operators@lists.openstack.org" target="_blank">OpenStack-operators@lists.openstack.org</a><br clear="none">
<a shape="rect" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a><br clear="none"></div><br><br></div>
</div> </div> </div> </div></div></div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr"><b>Jeff Silverman</b><div>Systems Engineer</div><div>(253) 459-2318 (c)</div><div><img src="https://dl.dropboxusercontent.com/u/16943296/SweetLabs-Signatures/New_2014/signature-logo.png"><br>
</div></div>
</div>