Add Cinder to ROOTWRAP_SUDOERS

* Perform operations in lib/cinder * Use specific cidner-rootwrap file * Add root_helper to cinder.conf Change-Id: Ibcae8bae2d06c9cbb4c41c39791e8dbdc8bbb0ac
2012-07-20 13:18:17 -06:00 · 2012-07-20 13:18:17 -06:00 · 4e823ff4ad
commit 4e823ff4ad
parent 51f5f88f10
2 changed files with 40 additions and 2 deletions
--- a/lib/cinder
+++ b/lib/cinder
@ -52,6 +52,42 @@ function configure_cinder() {

    cp -p $CINDER_DIR/etc/cinder/policy.json $CINDER_CONF_DIR

+    # Set the paths of certain binaries
+    if [[ "$os_PACKAGE" = "deb" ]]; then
+        CINDER_ROOTWRAP=/usr/local/bin/cinder-rootwrap
+    else
+        CINDER_ROOTWRAP=/usr/bin/cinder-rootwrap
+    fi
+
+    # If Cinder ships the new rootwrap filters files, deploy them
+    # (owned by root) and add a parameter to $CINDER_ROOTWRAP
+    ROOTWRAP_CINDER_SUDOER_CMD="$CINDER_ROOTWRAP"
+    if [[ -d $CINDER_DIR/etc/cinder/rootwrap.d ]]; then
+        # Wipe any existing rootwrap.d files first
+        if [[ -d $CINDER_CONF_DIR/rootwrap.d ]]; then
+            sudo rm -rf $CINDER_CONF_DIR/rootwrap.d
+        fi
+        # Deploy filters to /etc/cinder/rootwrap.d
+        sudo mkdir -m 755 $CINDER_CONF_DIR/rootwrap.d
+        sudo cp $CINDER_DIR/etc/cinder/rootwrap.d/*.filters $CINDER_CONF_DIR/rootwrap.d
+        sudo chown -R root:root $CINDER_CONF_DIR/rootwrap.d
+        sudo chmod 644 $CINDER_CONF_DIR/rootwrap.d/*
+        # Set up rootwrap.conf, pointing to /etc/cinder/rootwrap.d
+        sudo cp $CINDER_DIR/etc/cinder/rootwrap.conf $CINDER_CONF_DIR/
+        sudo sed -e "s:^filters_path=.*$:filters_path=$CINDER_CONF_DIR/rootwrap.d:" -i $CINDER_CONF_DIR/rootwrap.conf
+        sudo chown root:root $CINDER_CONF_DIR/rootwrap.conf
+        sudo chmod 0644 $CINDER_CONF_DIR/rootwrap.conf
+        # Specify rootwrap.conf as first parameter to cinder-rootwrap
+        CINDER_ROOTWRAP="$CINDER_ROOTWRAP $CINDER_CONF_DIR/rootwrap.conf"
+        ROOTWRAP_CINDER_SUDOER_CMD="$CINDER_ROOTWRAP *"
+    fi
+
+    TEMPFILE=`mktemp`
+    echo "$USER ALL=(root) NOPASSWD: $ROOTWRAP_CINDER_SUDOER_CMD" >$TEMPFILE
+    chmod 0440 $TEMPFILE
+    sudo chown root:root $TEMPFILE
+    sudo mv $TEMPFILE /etc/sudoers.d/cinder-rootwrap
+
    CINDER_API_PASTE_INI=$CINDER_CONF_DIR/api-paste.ini
    cp $CINDER_DIR/etc/cinder/api-paste.ini $CINDER_API_PASTE_INI
    iniset $CINDER_API_PASTE_INI filter:authtoken auth_host $KEYSTONE_AUTH_HOST
@ -71,6 +107,8 @@ function configure_cinder() {
    iniset $CINDER_CONF DEFAULT rabbit_host $RABBIT_HOST
    iniset $CINDER_CONF DEFAULT rabbit_password $RABBIT_PASSWORD
    iniset $CINDER_CONF DEFAULT api_paste_config $CINDER_API_PASTE_INI
+    iniset $CINDER_CONF DEFAULT root_helper "sudo ${CINDER_ROOTWRAP}"
+
 }

 # init_cinder() - Initialize database and volume group
--- a/stack.sh
+++ b/stack.sh
@ -1225,7 +1225,7 @@ if [[ -d $NOVA_DIR/etc/nova/rootwrap.d ]]; then
    ROOTWRAP_SUDOER_CMD="$NOVA_ROOTWRAP *"
 fi

-# Set up the rootwrap sudoers
+# Set up the rootwrap sudoers for nova
 TEMPFILE=`mktemp`
 echo "$USER ALL=(root) NOPASSWD: $ROOTWRAP_SUDOER_CMD" >$TEMPFILE
 chmod 0440 $TEMPFILE
@ -1495,7 +1495,7 @@ if is_service_enabled swift; then
    if is_service_enabled swift3;then
        swift_auth_server="s3token "
    fi
-        
+
    # By default Swift will be installed with the tempauth middleware
    # which has some default username and password if you have
    # configured keystone it will checkout the directory.