remove rootwrap in cyborg
On one hand, as discussed in this patch[0], rootwrap was intended to be replaced by privsep, especially for new projects. On the other hand, we need to remove rootwrap to fix the following cyborg-tempest job failure in patch [0]: cannot stat '/opt/stack/cyborg/etc/cyborg/rootwrap.d/*.filters': No such file or directory [0]:https://review.opendev.org/#/c/673957/ Change-Id: I1aaf38da3a68c656616c7d701b8f815e17ed0152
parent
04bbd98e86
commit
477b4f9a55
@ -41,7 +41,6 @@ CYBORG_AUTH_CACHE_DIR=${CYBORG_AUTH_CACHE_DIR:-/var/cache/cyborg}
|
|||||||
CYBORG_CONF_DIR=${CYBORG_CONF_DIR:-/etc/cyborg}
|
CYBORG_CONF_DIR=${CYBORG_CONF_DIR:-/etc/cyborg}
|
||||||
CYBORG_CONF_FILE=$CYBORG_CONF_DIR/cyborg.conf
|
CYBORG_CONF_FILE=$CYBORG_CONF_DIR/cyborg.conf
|
||||||
CYBORG_API_PASTE_INI=$CYBORG_CONF_DIR/api-paste.ini
|
CYBORG_API_PASTE_INI=$CYBORG_CONF_DIR/api-paste.ini
|
||||||
CYBORG_ROOTWRAP_CONF=$CYBORG_CONF_DIR/rootwrap.conf
|
|
||||||
CYBORG_POLICY_JSON=$CYBORG_CONF_DIR/policy.json
|
CYBORG_POLICY_JSON=$CYBORG_CONF_DIR/policy.json
|
||||||
CYBORG_SERVICE_HOST=${CYBORG_SERVICE_HOST:-$SERVICE_HOST}
|
CYBORG_SERVICE_HOST=${CYBORG_SERVICE_HOST:-$SERVICE_HOST}
|
||||||
CYBORG_SERVICE_PORT=${CYBORG_SERVICE_PORT:-6666}
|
CYBORG_SERVICE_PORT=${CYBORG_SERVICE_PORT:-6666}
|
||||||
@ -150,7 +149,6 @@ function configure_cyborg {
|
|||||||
iniset $CYBORG_CONF_FILE DEFAULT state_path $CYBORG_STATE_PATH
|
iniset $CYBORG_CONF_FILE DEFAULT state_path $CYBORG_STATE_PATH
|
||||||
iniset $CYBORG_CONF_FILE DEFAULT use_syslog $SYSLOG
|
iniset $CYBORG_CONF_FILE DEFAULT use_syslog $SYSLOG
|
||||||
iniset $CYBORG_CONF_FILE DEFAULT host $LOCAL_HOSTNAME
|
iniset $CYBORG_CONF_FILE DEFAULT host $LOCAL_HOSTNAME
|
||||||
configure_rootwrap cyborg
|
|
||||||
|
|
||||||
# Configure Cyborg conductor, if it was enabled.
|
# Configure Cyborg conductor, if it was enabled.
|
||||||
if is_service_enabled cyborg-cond; then
|
if is_service_enabled cyborg-cond; then
|
||||||
@ -241,19 +239,7 @@ function configure_cyborg_conductor {
|
|||||||
configure_cyborg_placement
|
configure_cyborg_placement
|
||||||
configure_cyborg_glance
|
configure_cyborg_glance
|
||||||
|
|
||||||
sudo cp $CYBORG_DIR/etc/cyborg/rootwrap.conf $CYBORG_ROOTWRAP_CONF
|
|
||||||
sudo cp -r $CYBORG_DIR/etc/cyborg/rootwrap.d $CYBORG_CONF_DIR
|
|
||||||
sudo cp -p $CYBORG_DIR/etc/cyborg/api-paste.ini $CYBORG_API_PASTE_INI
|
sudo cp -p $CYBORG_DIR/etc/cyborg/api-paste.ini $CYBORG_API_PASTE_INI
|
||||||
local cyborg_rootwrap
|
|
||||||
cyborg_rootwrap=$(get_rootwrap_location cyborg)
|
|
||||||
local rootwrap_isudoer_cmd="$cyborg_rootwrap $CYBORG_CONF_DIR/rootwrap.conf *"
|
|
||||||
|
|
||||||
# Set up the rootwrap sudoers for cyborg
|
|
||||||
local tempfile
|
|
||||||
tempfile=`mktemp`
|
|
||||||
echo "$STACK_USER ALL=(root) NOPASSWD: $rootwrap_isudoer_cmd" >$tempfile
|
|
||||||
sudo chown root:root $tempfile
|
|
||||||
sudo mv $tempfile /etc/sudoers.d/cyborg-rootwrap
|
|
||||||
|
|
||||||
# set up drivers / hardware types
|
# set up drivers / hardware types
|
||||||
iniset $CYBORG_CONF_FILE agent enabled_drivers $CYBORG_ENABLED_DRIVERS
|
iniset $CYBORG_CONF_FILE agent enabled_drivers $CYBORG_ENABLED_DRIVERS
|
||||||
|
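Review bot: Hosts that were stacked with the previous plugin keep `/etc/sudoers.d/cyborg-rootwrap` after this change, because the block removed from configure_cyborg_conductor was the only visible place that managed that file and nothing in these hunks deletes it. That leaves a `NOPASSWD` root rule for `$STACK_USER` pointing at a rootwrap executable and a `rootwrap.conf` that the project no longer ships or maintains, which is a stale privilege grant worth cleaning up rather than leaving to a manual teardown. I would add `sudo rm -f /etc/sudoers.d/cyborg-rootwrap` and `sudo rm -rf "$CYBORG_CONF_DIR/rootwrap.conf" "$CYBORG_CONF_DIR/rootwrap.d"` to the plugin's cleanup path (presumably a cleanup function elsewhere in this file; it is not visible here). The body of configure_cyborg_conductor starts and ends outside the hunk, so confirm that no later line still reads `$CYBORG_ROOTWRAP_CONF`, which the first hunk stops defining.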
@ -1,23 +0,0 @@
|
|||||||
# Configuration for cyborg-rootwrap
|
|
||||||
# This file should be owned by (and only writable by) the root user
|
|
||||||
|
|
||||||
[DEFAULT]
|
|
||||||
# List of directories to search executables in, in case filters do not
|
|
||||||
# explicitly specify a full path (separated by ',')
|
|
||||||
# If not specified, defaults to system PATH environment variable.
|
|
||||||
# These directories MUST all be only writable by root !
|
|
||||||
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
|
|
||||||
|
|
||||||
# Enable logging to syslog
|
|
||||||
# Default value is False
|
|
||||||
use_syslog=False
|
|
||||||
|
|
||||||
# Which syslog facility to use.
|
|
||||||
# Valid values include auth, authpriv, syslog, user0, user1...
|
|
||||||
# Default value is 'syslog'
|
|
||||||
syslog_log_facility=syslog
|
|
||||||
|
|
||||||
# Which messages to log.
|
|
||||||
# INFO means log all usage
|
|
||||||
# ERROR means only log unsuccessful attempts
|
|
||||||
syslog_log_level=ERROR
|
|
@ -1,2 +0,0 @@
|
|||||||
# cyborg-rootwrap command filters for acceleration nodes
|
|
||||||
# This file should be owned by (and only-writeable by) the root user
|
|
@ -24,10 +24,8 @@ packages =
|
|||||||
cyborg
|
cyborg
|
||||||
data_files =
|
data_files =
|
||||||
etc/cyborg =
|
etc/cyborg =
|
||||||
etc/cyborg/rootwrap.conf
|
|
||||||
etc/cyborg/policy.json
|
etc/cyborg/policy.json
|
||||||
etc/cyborg/api-paste.ini
|
etc/cyborg/api-paste.ini
|
||||||
etc/cyborg/rootwrap.d = etc/cyborg/rootwrap.d/*
|
|
||||||
|
|
||||||
[entry_points]
|
[entry_points]
|
||||||
oslo.policy.policies =
|
oslo.policy.policies =
|
||||||
|