Merge "Configure nova-rootwrap"

files/sudo/nova

@@ -1,50 +0,0 @@
-Cmnd_Alias NOVADEVCMDS = /bin/chmod /var/lib/nova/tmp/*/root/.ssh, \
-                      /bin/chown /var/lib/nova/tmp/*/root/.ssh, \
-                      /bin/chown,                               \
-                      /bin/chmod,                               \
-                      /bin/dd,                                  \
-                      /sbin/ifconfig,                           \
-                      /sbin/ip,                                 \
-                      /sbin/route,                              \
-                      /sbin/iptables,                           \
-                      /sbin/iptables-save,                      \
-                      /sbin/iptables-restore,                   \
-                      /sbin/ip6tables-save,                     \
-                      /sbin/ip6tables-restore,                  \
-                      /sbin/kpartx,                             \
-                      /sbin/losetup,                            \
-                      /sbin/lvcreate,                           \
-                      /sbin/lvdisplay,                          \
-                      /sbin/lvremove,                           \
-                      /bin/mkdir,                               \
-                      /bin/mount,                               \
-                      /sbin/pvcreate,                           \
-                      /usr/bin/tee,                             \
-                      /sbin/tune2fs,                            \
-                      /bin/umount,                              \
-                      /sbin/vgcreate,                           \
-                      /usr/bin/virsh,                           \
-                      /usr/bin/qemu-nbd,                        \
-                      /usr/sbin/brctl,                          \
-                      /sbin/brctl,                              \
-                      /usr/sbin/radvd,                          \
-                      /usr/sbin/vblade-persist,                 \
-                      /sbin/pvcreate,                           \
-                      /sbin/aoe-discover,                       \
-                      /sbin/vgcreate,                           \
-                      /bin/aoe-stat,                            \
-                      /bin/kill,                                \
-                      /sbin/vconfig,                            \
-                      /usr/sbin/ietadm,                         \
-                      /sbin/vgs,                                \
-                      /sbin/iscsiadm,                           \
-                      /usr/bin/socat,                           \
-                      /sbin/parted,                             \
-                      /usr/sbin/dnsmasq,                        \
-                      /usr/sbin/tgtadm,                         \
-                      /usr/bin/ovs-vsctl,                       \
-                      /usr/bin/ovs-ofctl,                       \
-                      /usr/sbin/arping
-
-%USER% ALL = (root) NOPASSWD: SETENV: NOVADEVCMDS
-

stack.sh

@@ -136,17 +136,30 @@ if [[ $EUID -eq 0 ]]; then
     fi
     exit 1
 else
-    # Our user needs passwordless priviledges for certain commands which nova
+    # We're not root, make sure sudo is available
-    # uses internally.
+    dpkg -l sudo
-    # Natty uec images sudoers does not have a '#includedir'. add one.
+    die_if_error "Sudo is required.  Re-run stack.sh as root ONE TIME ONLY to set up sudo."
+
+    # UEC images /etc/sudoers does not have a '#includedir'. add one.
     sudo grep -q "^#includedir.*/etc/sudoers.d" /etc/sudoers ||
         echo "#includedir /etc/sudoers.d" | sudo tee -a /etc/sudoers
+
+    # Set up devstack sudoers
     TEMPFILE=`mktemp`
-    cat $FILES/sudo/nova > $TEMPFILE
+    echo "`whoami` ALL=(root) NOPASSWD:ALL" >$TEMPFILE
-    sed -e "s,%USER%,$USER,g" -i $TEMPFILE
     chmod 0440 $TEMPFILE
     sudo chown root:root $TEMPFILE
-    sudo mv $TEMPFILE /etc/sudoers.d/stack_sh_nova
+    sudo mv $TEMPFILE /etc/sudoers.d/50_stack_sh
+
+    # Set up the rootwrap sudoers
+    TEMPFILE=`mktemp`
+    echo "$USER ALL=(root) NOPASSWD: /usr/local/bin/nova-rootwrap" >$TEMPFILE
+    chmod 0440 $TEMPFILE
+    sudo chown root:root $TEMPFILE
+    sudo mv $TEMPFILE /etc/sudoers.d/nova-rootwrap
+
+    # Remove old file
+    sudo rm -f /etc/sudoers.d/stack_sh_nova
 fi
 
 # Set True to configure stack.sh to run cleanly without Internet access.
@@ -1222,6 +1235,7 @@ add_nova_opt "[DEFAULT]"
 add_nova_opt "verbose=True"
 add_nova_opt "auth_strategy=keystone"
 add_nova_opt "allow_resize_to_same_host=True"
+add_nova_opt "root_helper=sudo /usr/local/bin/nova-rootwrap"
 add_nova_opt "compute_scheduler_driver=$SCHEDULER"
 add_nova_opt "dhcpbridge_flagfile=$NOVA_CONF_DIR/$NOVA_CONF"
 add_nova_opt "fixed_range=$FIXED_RANGE"