From 477b4f9a555b1c76202086c86c31d5f56ee1d79d Mon Sep 17 00:00:00 2001
From: Yumeng Bao
Date: Tue, 24 Sep 2019 00:30:25 -0700
Subject: [PATCH] remove rootwrap in cyborg

On one hand, as discussed in this patch[0], rootwap was intented to be replaced by privsep, especially for new project. On the other hand, we need remove rootwrap to fix the following cyborg-tempest job failure in patch [0]: cannot stat '/opt/stack/cyborg/etc/cyborg/rootwrap.d/*.filters': No such file or directory [0]:https://review.opendev.org/#/c/673957/
Change-Id: I1aaf38da3a68c656616c7d701b8f815e17ed0152
---
 devstack/lib/cyborg | 14 -------------
 etc/cyborg/rootwrap.conf | 23 ----------------------
 etc/cyborg/rootwrap.d/acceleration.filters | 2 --
 setup.cfg | 2 --
 4 files changed, 41 deletions(-)
 delete mode 100644 etc/cyborg/rootwrap.conf
 delete mode 100644 etc/cyborg/rootwrap.d/acceleration.filters

diff --git a/devstack/lib/cyborg b/devstack/lib/cyborg
index 18f66551..b7019aec 100644
--- a/devstack/lib/cyborg
+++ b/devstack/lib/cyborg
@@ -41,7 +41,6 @@ CYBORG_AUTH_CACHE_DIR=${CYBORG_AUTH_CACHE_DIR:-/var/cache/cyborg}
 CYBORG_CONF_DIR=${CYBORG_CONF_DIR:-/etc/cyborg}
 CYBORG_CONF_FILE=$CYBORG_CONF_DIR/cyborg.conf
 CYBORG_API_PASTE_INI=$CYBORG_CONF_DIR/api-paste.ini
-CYBORG_ROOTWRAP_CONF=$CYBORG_CONF_DIR/rootwrap.conf
 CYBORG_POLICY_JSON=$CYBORG_CONF_DIR/policy.json
 CYBORG_SERVICE_HOST=${CYBORG_SERVICE_HOST:-$SERVICE_HOST}
 CYBORG_SERVICE_PORT=${CYBORG_SERVICE_PORT:-6666}
@@ -150,7 +149,6 @@ function configure_cyborg {
 iniset $CYBORG_CONF_FILE DEFAULT state_path $CYBORG_STATE_PATH
 iniset $CYBORG_CONF_FILE DEFAULT use_syslog $SYSLOG
 iniset $CYBORG_CONF_FILE DEFAULT host $LOCAL_HOSTNAME
- configure_rootwrap cyborg
 # Configure Cyborg conductor, if it was enabled.
 if is_service_enabled cyborg-cond; then
@@ -241,19 +239,7 @@ function configure_cyborg_conductor {
 configure_cyborg_placement
 configure_cyborg_glance
- sudo cp $CYBORG_DIR/etc/cyborg/rootwrap.conf $CYBORG_ROOTWRAP_CONF
- sudo cp -r $CYBORG_DIR/etc/cyborg/rootwrap.d $CYBORG_CONF_DIR
 sudo cp -p $CYBORG_DIR/etc/cyborg/api-paste.ini $CYBORG_API_PASTE_INI
- local cyborg_rootwrap
- cyborg_rootwrap=$(get_rootwrap_location cyborg)
- local rootwrap_isudoer_cmd="$cyborg_rootwrap $CYBORG_CONF_DIR/rootwrap.conf *"
-
- # Set up the rootwrap sudoers for cyborg
- local tempfile
- tempfile=`mktemp`
- echo "$STACK_USER ALL=(root) NOPASSWD: $rootwrap_isudoer_cmd" >$tempfile
- sudo chown root:root $tempfile
- sudo mv $tempfile /etc/sudoers.d/cyborg-rootwrap
 # set up drivers / hardware types
 iniset $CYBORG_CONF_FILE agent enabled_drivers $CYBORG_ENABLED_DRIVERS
diff --git a/etc/cyborg/rootwrap.conf b/etc/cyborg/rootwrap.conf
deleted file mode 100644
index 5452fa70..00000000
--- a/etc/cyborg/rootwrap.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# Configuration for cyborg-rootwrap
-# This file should be owned by (and only writable by) the root user
-
-[DEFAULT]
-# List of directories to search executables in, in case filters do not
-# explicitly specify a full path (separated by ',')
-# If not specified, defaults to system PATH environment variable.
-# These directories MUST all be only writable by root !
-exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
-
-# Enable logging to syslog
-# Default value is False
-use_syslog=False
-
-# Which syslog facility to use.
-# Valid values include auth, authpriv, syslog, user0, user1...
-# Default value is 'syslog'
-syslog_log_facility=syslog
-
-# Which messages to log.
-# INFO means log all usage
-# ERROR means only log unsuccessful attempts
-syslog_log_level=ERROR
diff --git a/etc/cyborg/rootwrap.d/acceleration.filters b/etc/cyborg/rootwrap.d/acceleration.filters
deleted file mode 100644
index fe0a6a6a..00000000
--- a/etc/cyborg/rootwrap.d/acceleration.filters
+++ /dev/null
@@ -1,2 +0,0 @@
-# cyborg-rootwrap command filters for acceleration nodes
-# This file should be owned by (and only-writeable by) the root user
\ No newline at end of file
diff --git a/setup.cfg b/setup.cfg
index 3cb27ed0..83e24176 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -24,10 +24,8 @@ packages =
 cyborg
 data_files =
 etc/cyborg =
- etc/cyborg/rootwrap.conf
 etc/cyborg/policy.json
 etc/cyborg/api-paste.ini
- etc/cyborg/rootwrap.d = etc/cyborg/rootwrap.d/*
 [entry_points]
 oslo.policy.policies =