[openstack-dev] Adding 'rm' to compute filter

Karajgi, Rohit Rohit.Karajgi at nttdata.com
Fri Jun 21 13:23:42 UTC 2013


Hi,

Referring to the Jenkins failure logs on https://review.openstack.org/#/c/32549/3,
Log at http://logs.openstack.org/32549/3/check/gate-nova-python27/25158/console.html

The command that the test tried to execute using nova's rootwrap was:
COMMAND=/home/jenkins/workspace/gate-nova-python27/.tox/py27/bin/nova-rootwrap /etc/nova/rootwrap.conf rm /tmp/tmp.WVIZziaxuv/tmp_2n7x0/tmpbuRC0e/instance-fake.log

I am not sure if the CI infrastructure will allow this, as it is attempting to perform an 'rm' operation as the root user, which is unsafe. But the test above fails.

Also, some thoughts hit me by relooking at the patch:

log_file_path = '%s/%s.log' % (CONF.libvirt_log_path, instance_name)

Assuming this libvirt_log_path = /var/log/libvirt, and as /var/log is owned by the 'root' user, then in utils.execute, run_as_root=True is acceptable.

If the libvirt_log_path is configured to something else, say /opt/data/logs/xyz, which does not require root access to perform 'rm', then we don't need 'run_as_root' as True.

As mentioned above, adding '/bin/rm' with root privilege to the compute filter in the code is unsafe: if some wrong tests are added to Jenkins, they might end up doing 'rm' on another directory as a root user.

Thoughts on how this issue can be addressed in CI, or code?


Best Regards,
Rohit Karajgi | Technical Analyst | NTT Data Global Technology Services Private Ltd | w. +91.20.6604.1500 x 627 |  m. +91 992.242.9639 | rohit.karajgi at nttdata.com
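
Added example, not part of the original message or of the nova patch under review: one way to express the two points above in Python, confining the delete to the configured log directory and asking for root only when the current user cannot unlink there. The function names plan_log_removal and remove_instance_log are hypothetical, and the sample directory is a constructed temporary one standing in for libvirt_log_path.

```python
import os
import tempfile


def plan_log_removal(log_dir, instance_name):
    """Return (path, run_as_root) for deleting <log_dir>/<instance_name>.log."""
    # Resolve symlinks in the configured directory once, up front.
    base = os.path.realpath(log_dir)
    # normpath collapses '..' so a hostile name cannot hide a traversal.
    target = os.path.normpath(os.path.join(base, '%s.log' % instance_name))
    # The file must sit directly inside the log directory, nowhere else.
    if os.path.dirname(target) != base:
        raise ValueError('refusing to remove %r: not inside %r' % (target, base))
    # Unlinking needs write + search permission on the parent directory;
    # only when the current user lacks it is root required.
    run_as_root = not os.access(base, os.W_OK | os.X_OK)
    return target, run_as_root


def remove_instance_log(log_dir, instance_name):
    """Delete the log unprivileged when possible.

    Returns None if removed directly, otherwise the argv that would have to
    be handed to the privileged helper (for example through rootwrap).
    """
    target, run_as_root = plan_log_removal(log_dir, instance_name)
    if run_as_root:
        return ['rm', target]
    if os.path.lexists(target):
        os.unlink(target)
    return None


if __name__ == '__main__':
    # Constructed sample: a throwaway directory standing in for libvirt_log_path.
    log_dir = tempfile.mkdtemp()
    open(os.path.join(log_dir, 'instance-fake.log'), 'w').close()
    print(plan_log_removal(log_dir, 'instance-fake'))
    print(remove_instance_log(log_dir, 'instance-fake'))
    try:
        plan_log_removal(log_dir, '../../etc/passwd')
    except ValueError as exc:
        print('rejected:', exc)
```

The containment check only constrains what the caller asks for; a rootwrap filter that allows a bare 'rm' still accepts any path from any caller, so the filter itself would need an equivalent restriction.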
