Ubuntu
eucalyptus package

Disallowed command //usr/share/eucalyptus/populate_arp.pl

Bug #461829 reported by Torsten Spindler
18
This bug affects 3 people
Affects Status Importance Assigned to Milestone
eucalyptus (Ubuntu)
Fix Released
Low
Unassigned
Lucid
Fix Released
Low
Unassigned

Bug Description

When running in SYSTEM networking mode on Karmic, Eucalyptus 1.6~bzr931-0ubuntu7, I get the following error in httpd-nc_error.log:

ERROR: Disallowed command //usr/share/eucalyptus/populate_arp.pl

Revision history for this message
Soren Hansen (soren) wrote :

This seems accurate. util/wrappers.conf does not mention populate_arp.pl at all. I don't completely understand the effects of this, though.

Changed in eucalyptus (Ubuntu):
status: New → Triaged
Thierry Carrez (ttx)
Changed in eucalyptus (Ubuntu):
importance: Undecided → Low
Dustin Kirkland  (kirkland)
Changed in eucalyptus (Ubuntu):
assignee: nobody → Dustin Kirkland (kirkland)
milestone: none → lucid-alpha-3
Thierry Carrez (ttx)
Changed in eucalyptus (Ubuntu Lucid):
milestone: lucid-alpha-3 → none
Revision history for this message
Dustin Kirkland  (kirkland) wrote :

Kees,

Could you please:
  bzr branch lp:~ubuntu-core-dev/eucalyptus/ubuntu

And give a quick review of ./tools/populate_arp.pl, which is ~25 lines of perl before we add this to the euca_rootwrap whitelist?

Looks to me like it needs elevated privileges to read ('/var/log/messages', '/var/log/firewall', '/var/log/syslog', '/var/log/kern.log'), which are all -rw-r----- syslog adm.

Other than opening these files, it just sends pings to all IPs it knows about, which will update the arp tables. (I don't entirely understand why this is necessary, perhaps Dan can answer...)

Changed in eucalyptus (Ubuntu Lucid):
status: Triaged → Incomplete
assignee: Dustin Kirkland (kirkland) → Daniel Nurmi (nurmi)
assignee: Daniel Nurmi (nurmi) → Kees Cook (kees)
status: Incomplete → Triaged
Revision history for this message
prateek (prateek4tech) wrote :

when this error occurs on a node "Disallowed command //usr/share/eucalyptus/populate_arp.pl", the 'ip' addresses assigned to all the instances running on that node is not displayed upon running 'euca-describe-instances' when the eucalyptus is configured to run in "system" networking mode

Dustin Kirkland  (kirkland)
Changed in eucalyptus (Ubuntu Lucid):
assignee: Kees Cook (kees) → Dustin Kirkland (kirkland)
status: Triaged → In Progress
Revision history for this message
Kees Cook (kees) wrote :

+1, sorry I missed this bug for so long.

Changed in eucalyptus (Ubuntu Lucid):
assignee: Dustin Kirkland (kirkland) → nobody
Dustin Kirkland  (kirkland)
Changed in eucalyptus (Ubuntu Lucid):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package eucalyptus - 1.6.2-0ubuntu22

---------------
eucalyptus (1.6.2-0ubuntu22) lucid; urgency=low

  * utils/wrappers.conf: add populate_arp.pl to the whitelist; this
    utility ensures that the arp tables are up to date, LP: #461829
  * tools/euca_conf.in: make node registration/deregistration more
    robust, LP: #522204
  * tools/euca_conf.in: exit non-zero if any of the node registrations
    fail, LP: #531195
 -- Dustin Kirkland <email address hidden> Tue, 23 Mar 2010 19:32:58 -0700

Changed in eucalyptus (Ubuntu Lucid):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.