Iptables on Ubuntu 20.04 requires sudo + password

This applies to people using ONE 5.12(.1) on Ubuntu 20.04 server, and using KVM + fw as a network driver.

After deploying a VM to a network, I got the following error:
Fri Jul 17 12:34:51 2020 [Z0][VMM][I]: Command execution fail: cat << EOT | /var/tmp/one/vnm/fw/clean
Fri Jul 17 12:34:51 2020 [Z0][VMM][I]: sudo: a password is required
Fri Jul 17 12:34:51 2020 [Z0][VMM][E]: clean: Command Error: sudo -n ip6tables -S
Fri Jul 17 12:34:51 2020 [Z0][VMM][E]: clean: ["/var/tmp/one/vnm/command.rb:62:in `block in run!'", "/var/tmp/one/vnm/command.rb:59:in `each'", "/var/tmp/one/vnm/command.rb:59:in `run!'", "/var/tmp/one/vnm/security_groups_iptables.rb:259:in `info'", "/var/tmp/one/vnm/security_groups_iptables.rb:513:in `nic_deactivate'", "/var/tmp/one/vnm/sg_driver.rb:130:in `block in deactivate'", "/var/tmp/one/vnm/sg_driver.rb:127:in `each'", "/var/tmp/one/vnm/sg_driver.rb:127:in `deactivate'", "/var/tmp/one/vnm/fw/clean:35:in `'"]
Fri Jul 17 12:34:51 2020 [Z0][VMM][I]: ExitCode: 1
Fri Jul 17 12:34:51 2020 [Z0][VMM][I]: Failed to execute network driver operation: clean.
Fri Jul 17 12:34:51 2020 [Z0][VMM][I]: Failed to execute network driver operation: post.
Fri Jul 17 12:34:51 2020 [Z0][VMM][E]: Error deploying virtual machine: fw: -

As the oneadmin user, I checked if the command "sudo -n ip6tables -S" requires a sudo password, which it apparently does on my system:

oneadmin$ sudo -n ip6tables -S
[sudo] password for oneadmin:

So I checked which ip6tables is used and what path it has:

oneadmin$ which ip6tables
/usr/sbin/ip6tables

Apparently, this path is not included in the ONE_NET line in /etc/sudoers.d/opennebula; mine stated:

Cmnd_Alias ONE_NET = /sbin/ebtables, /sbin/iptables, /sbin/ip6tables, /sbin/ipset, /sbin/ip link *, /sbin/ip tuntap *

Which I changed to:

Cmnd_Alias ONE_NET = /sbin/ebtables, /usr/sbin/iptables, /sbin/iptables, /sbin/ip6tables, /usr/sbin/ip6tables, /sbin/ipset, /sbin/ip link *, /sbin/ip tuntap *

After this change, I was able to deploy a VM with KVM + network without an issue!

Hopefully this helps someone out facing a similar situation :)

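The check described in the post, as an added example that is not part of the original post or of OpenNebula's own code: it lists the executables named in a Cmnd_Alias line, resolves each command name, and prints any resolved path the alias does not list literally. The function names and the resolver hook are hypothetical; the embedded alias line is the original one quoted above.

```shell
#!/bin/sh
# Added example: find commands whose installed path is missing from a
# sudoers Cmnd_Alias. All function names here are hypothetical.

# Sample input: the original ONE_NET line quoted in the post.
ONE_NET_LINE='Cmnd_Alias ONE_NET = /sbin/ebtables, /sbin/iptables, /sbin/ip6tables, /sbin/ipset, /sbin/ip link *, /sbin/ip tuntap *'

# alias_paths LINE: print each executable path in the alias, one per line,
# with command arguments ("link *") dropped and duplicates removed.
alias_paths() {
    printf '%s\n' "$1" | sed 's/^[^=]*=//' | tr ',' '\n' |
        awk '{ print $1 }' | sed '/^$/d' | sort -u
}

# path_listed LINE PATH: succeed only if PATH appears literally in the alias.
path_listed() {
    alias_paths "$1" | grep -Fxq -- "$2"
}

# resolve_default NAME: look NAME up in a fixed search path.
# Assumption: this path list mirrors a typical sudo secure_path on Ubuntu.
resolve_default() {
    ( PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
      command -v "$1" )
}

# missing_paths LINE [RESOLVER]: for every command name in the alias, print
# the resolved path when the alias does not list it. RESOLVER is a
# hypothetical hook so the lookup can be replaced on a host without the tools.
missing_paths() {
    line=$1
    resolver=${2:-resolve_default}
    alias_paths "$line" | sed 's|.*/||' | sort -u | while read -r name; do
        resolved=$("$resolver" "$name") || continue   # not installed: skip
        [ -n "$resolved" ] || continue
        path_listed "$line" "$resolved" || printf '%s\n' "$resolved"
    done
}

# Stand-alone run: report paths to add for the sample line on this host.
missing_paths "$ONE_NET_LINE"
```

After editing the file, `visudo -c -f /etc/sudoers.d/opennebula` checks its syntax, and `sudo -n ip6tables -S` as oneadmin confirms the password prompt is gone.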