Right, it is not ideal, though it was like that for a long time (since at least CS 2.x). I see that the sudo config was changed recently to be more locked down, but it did not include keytool due to CLOUDSTACK-1389. I checked a 4.3 setup which was upgraded from 4.2 and it still has the old unrestricted config so I guess CS never updates it, and anyone who installed a version with a sudo config missing keytool will probably hit this same problem eventually (whenever keytool is run).
Best regards,
Kirk

On 10/24/2014 03:06 PM, Ian Duffy wrote:
>> cloud ALL =NOPASSWD : ALL
>
> This is dangerous advice. It grants the cloud user full sudo access without
> the requirement of a password.
>
> The following gives more limited access and should allow cloudstack to
> function accordingly:
>
> cloud ALL =NOPASSWD : /bin/chmod, /bin/cp, /bin/mkdir, /bin/mount,
> /bin/umount, /usr/bin/keytool
>
> On 24 October 2014 18:44, Andrija Panic <andrija.pa...@gmail.com> wrote:
>
>> Just did quick management server ACS 4.4.1 installation on free server:
>> cloud ALL =NOPASSWD : /bin/chmod, /bin/cp, /bin/mkdir, /bin/mount,
>> /bin/umount, /usr/bin/keytool
>>
>> that is what it looks like in ACS 4.4.1
>> clean install of ACS 4.4.1 works...
>>
>> On 24 October 2014 19:35, Andrija Panic <andrija.pa...@gmail.com> wrote:
>>
>>> like this:
>>>
>>> Defaults:cloud !requiretty
>>> cloud ALL =NOPASSWD : ALL
>>>
>>> and let us know if the upgrade still fails - it does fail for me with no
>>> understandable error...
>>> thx
>>>
>>> On 24 October 2014 19:28, Matthew Midgett <
>>> clouds...@trick-solutions.com.invalid> wrote:
>>>
>>>> This is what is in my sudoers file
>>>>
>>>> cloud ALL =NOPASSWD : /bin/chmod, /bin/cp, /bin/mkdir, /bin/mount,
>>>> /bin/umount
>>>>
>>>> Should I change it?
>>>>
>>>> -----Original Message-----
>>>> From: Kirk Kosinski [mailto:kirkkosin...@gmail.com]
>>>> Sent: Friday, October 24, 2014 5:23 AM
>>>> To: users@cloudstack.apache.org
>>>> Subject: Re: Broken update from 4.4 to 4.4.1
>>>>
>>>> Hi, the error below indicates a problem with the sudo config. Make sure
>>>> /etc/sudoers has a line like:
>>>>
>>>> cloud ALL =NOPASSWD : ALL
>>>>
>>>> Best regards,
>>>> Kirk
>>>>
>>>> On 10/23/2014 01:05 PM, Matthew Midgett wrote:
>>>>> 2014-10-23 15:21:52,943 INFO [c.c.s.ConfigurationServerImpl]
>>>>> (main:null) Processing updateSSLKeyStore
>>>>> 2014-10-23 15:21:52,948 INFO [c.c.s.ConfigurationServerImpl]
>>>>> (main:null) SSL keystore located at
>>>>> /etc/cloudstack/management/cloud.keystore
>>>>> 2014-10-23 15:21:52,951 DEBUG [c.c.u.s.Script] (main:null) Executing:
>>>>> sudo keytool -genkey -keystore /etc/cloudstack/management/cloud.keystore
>>>>> -storepass vmops.com -keypass vmops.com -keyalg RSA -validity 3650
>>>>> -dname cn="Cloudstack User",ou="chlt.charlottecolo.com",o="
>>>>> chlt.charlottecolo.com",c="Unknown"
>>>>> 2014-10-23 15:21:52,988 DEBUG [c.c.u.s.Script] (main:null) Exit value
>>>>> is 1
>>>>> 2014-10-23 15:21:52,989 DEBUG [c.c.u.s.Script] (main:null) sudo: no
>>>>> tty present and no askpass program specified
>>>>> 2014-10-23 15:21:52,991 WARN [c.c.s.ConfigurationServerImpl]
>>>>> (main:null) Would use fail-safe keystore to continue.
>>>>> java.io.IOException: Fail to generate certificate!: sudo: no tty
>>>>> present and no askpass program specified
>>>>> at com.cloud.server.ConfigurationServerImpl.generateDefaultKeystore(ConfigurationServerImpl.java:595)
>>>>> at com.cloud.server.ConfigurationServerImpl.updateSSLKeystore(ConfigurationServerImpl.java:623)
>>>>> at com.cloud.server.ConfigurationServerImpl.persistDefaultValues(ConfigurationServerImpl.java:299)
>>>>> at com.cloud.server.ConfigurationServerImpl.configure(ConfigurationServerImpl.java:164)
>>>>> at org.apache.cloudstack.spring.lifecycle.CloudStackExtendedLifeCycle$3.with(CloudStackExtendedLifeCycle.java:114)
>>>>> at org.apache.cloudstack.spring.lifecycle.CloudStackExtendedLifeCycle.with(CloudStackExtendedLifeCycle.java:153)
>>>>> at org.apache.cloudstack.spring.lifecycle.CloudStackExtendedLifeCycle.configure(CloudStackExtendedLifeCycle.java:110)
>>>>> at org.apache.cloudstack.spring.lifecycle.CloudStackExtendedLifeCycle.start(CloudStackExtendedLifeCycle.java:56)
>>>>> at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:167)
>>>>> at org.springframework.context.support.DefaultLifecycleProcessor.access$200(DefaultLifecycleProcessor.java:51)
>>>>> at org.springframework.context.support.DefaultLifecycleProcessor$LifecycleGroup.start(DefaultLifecycleProcessor.java:339)
>>>>> at org.springframework.context.support.DefaultLifecycleProcessor.startBeans(DefaultLifecycleProcessor.java:143)
>>>>> at org.springframework.context.support.DefaultLifecycleProcessor.onRefresh(DefaultLifecycleProcessor.java:108)
>>>>> at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:945)
>>>>> at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:482)
>>>>> at org.apache.cloudstack.spring.module.model.impl.DefaultModuleDefinitionSet.loadContext(DefaultModuleDefinitionSet.java:145)
>>>>> at org.apache.cloudstack.spring.module.model.impl.DefaultModuleDefinitionSet$2.with(DefaultModuleDefinitionSet.java:122)
>>>>> at org.apache.cloudstack.spring.module.model.impl.DefaultModuleDefinitionSet.withModule(DefaultModuleDefinitionSet.java:245)
>>>>> at org.apache.cloudstack.spring.module.model.impl.DefaultModuleDefinitionSet.withModule(DefaultModuleDefinitionSet.java:250)
>>>>> at org.apache.cloudstack.spring.module.model.impl.DefaultModuleDefinitionSet.withModule(DefaultModuleDefinitionSet.java:250)
>>>>> at org.apache.cloudstack.spring.module.model.impl.DefaultModuleDefinitionSet.withModule(DefaultModuleDefinitionSet.java:233)
>>>>> at org.apache.cloudstack.spring.module.model.impl.DefaultModuleDefinitionSet.loadContexts(DefaultModuleDefinitionSet.java:117)
>>>>> at org.apache.cloudstack.spring.module.model.impl.DefaultModuleDefinitionSet.load(DefaultModuleDefinitionSet.java:79)
>>>>> at org.apache.cloudstack.spring.module.factory.ModuleBasedContextFactory.loadModules(ModuleBasedContextFactory.java:37)
>>>>> at org.apache.cloudstack.spring.module.factory.CloudStackSpringContext.init(CloudStackSpringContext.java:70)
>>>>> at org.apache.cloudstack.spring.module.factory.CloudStackSpringContext.<init>(CloudStackSpringContext.java:57)
>>>>> at org.apache.cloudstack.spring.module.factory.CloudStackSpringContext.<init>(CloudStackSpringContext.java:61)
>>>>> at org.apache.cloudstack.spring.module.web.CloudStackContextLoaderListener.contextInitialized(CloudStackContextLoaderListener.java:52)
>>>>> at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4210)
>>>>> at org.apache.catalina.core.StandardContext.start(StandardContext.java:4709)
>>>>> at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
>>>>> at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
>>>>> at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
>>>>> at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
>>>>> at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
>>>>> at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
>>>>> at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
>>>>> at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
>>>>> at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
>>>>> at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
>>>>> at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
>>>>> at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
>>>>> at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
>>>>> at org.apache.catalina.core.StandardService.start(StandardService.java:516)
>>>>> at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
>>>>> at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>> at java.lang.reflect.Method.invoke(Method.java:606)
>>>>> at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
>>>>> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
>>>>
>>>
>>> --
>>>
>>> Andrija Panić
>>> --------------------------------------
>>> http://admintweets.com
>>> --------------------------------------
>>
>> --
>>
>> Andrija Panić
>> --------------------------------------
>> http://admintweets.com
>> --------------------------------------
>
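An added example, not part of the original thread or of CloudStack itself: a small Python audit of the `cloud` user's sudoers rules that flags the unrestricted `NOPASSWD : ALL` form and lists which commands from the restricted rule quoted above are not passwordless. The parser is a simplification (no aliases, includes or group rules), `audit_sudoers` is a hypothetical helper name, and the three sample files are constructed from the lines quoted in the thread.

```python
import re

# Commands in the restricted rule quoted in the thread (ACS 4.4.1 clean install).
REQUIRED = {"/bin/chmod", "/bin/cp", "/bin/mkdir", "/bin/mount",
            "/bin/umount", "/usr/bin/keytool"}

# user host = [(runas)] [TAG: ...] command-list
RULE = re.compile(r"^(\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?"
                  r"((?:[A-Z_]+\s*:\s*)*)(.+)$")


def audit_sudoers(text, user="cloud", required=REQUIRED):
    """Audit the passwordless rules for `user` in sudoers `text`.

    Simplified parser (assumption): no aliases, includes or group rules.
    """
    text = text.replace("\\\n", " ")  # join backslash-continued lines
    passwordless, unrestricted = set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE.match(line)
        if not m or m.group(1) != user:
            continue
        tags, cmds = m.group(2), m.group(3)
        if "NOPASSWD" not in tags:
            continue  # sudo would ask for a password: the "no tty present" failure
        for cmd in (c.strip() for c in cmds.split(",")):
            if cmd == "ALL":
                unrestricted = True
            elif cmd:
                passwordless.add(cmd.split()[0])  # path only, ignore arguments
    missing = [] if unrestricted else sorted(required - passwordless)
    return {"unrestricted": unrestricted, "missing": missing}


# Constructed sample files, built from the sudoers lines quoted in the thread.
UNRESTRICTED = "Defaults:cloud !requiretty\ncloud ALL =NOPASSWD : ALL\n"
NO_KEYTOOL = ("cloud ALL =NOPASSWD : /bin/chmod, /bin/cp, /bin/mkdir, "
              "/bin/mount, /bin/umount\n")
RESTRICTED = ("cloud ALL =NOPASSWD : /bin/chmod, /bin/cp, /bin/mkdir, "
              "/bin/mount, /bin/umount, /usr/bin/keytool\n")

if __name__ == "__main__":
    for name in ("UNRESTRICTED", "NO_KEYTOOL", "RESTRICTED"):
        print(name, audit_sudoers(globals()[name]))
```

A result with `unrestricted` false and an empty `missing` list corresponds to the limited rule Ian Duffy posted; a non-empty `missing` list names the commands that would trigger the password prompt seen in the log.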