From 4e823ff4ad8fb22602c6d70c02b5910e0ad467ef Mon Sep 17 00:00:00 2001
From: John Griffith
Date: Fri, 20 Jul 2012 13:18:17 -0600
Subject: [PATCH] Add Cinder to ROOTWRAP_SUDOERS
* Perform operations in lib/cinder
* Use specific cidner-rootwrap file
* Add root_helper to cinder.conf
Change-Id: Ibcae8bae2d06c9cbb4c41c39791e8dbdc8bbb0ac
---
lib/cinder | 38 ++++++++++++++++++++++++++++++++++++++
stack.sh | 4 ++--
2 files changed, 40 insertions(+), 2 deletions(-)
diff --git a/lib/cinder b/lib/cinder
index 119cc91397..0e42600b1a 100644
--- a/lib/cinder
+++ b/lib/cinder
@@ -52,6 +52,42 @@ function configure_cinder() { cp -p $CINDER_DIR/etc/cinder/policy.json $CINDER_CONF_DIR + # Set the paths of certain binaries + if [[ "$os_PACKAGE" = "deb" ]]; then + CINDER_ROOTWRAP=/usr/local/bin/cinder-rootwrap + else + CINDER_ROOTWRAP=/usr/bin/cinder-rootwrap + fi + + # If Cinder ships the new rootwrap filters files, deploy them + # (owned by root) and add a parameter to $CINDER_ROOTWRAP + ROOTWRAP_CINDER_SUDOER_CMD="$CINDER_ROOTWRAP" + if [[ -d $CINDER_DIR/etc/cinder/rootwrap.d ]]; then + # Wipe any existing rootwrap.d files first + if [[ -d $CINDER_CONF_DIR/rootwrap.d ]]; then + sudo rm -rf $CINDER_CONF_DIR/rootwrap.d + fi + # Deploy filters to /etc/cinder/rootwrap.d + sudo mkdir -m 755 $CINDER_CONF_DIR/rootwrap.d + sudo cp $CINDER_DIR/etc/cinder/rootwrap.d/*.filters $CINDER_CONF_DIR/rootwrap.d + sudo chown -R root:root $CINDER_CONF_DIR/rootwrap.d + sudo chmod 644 $CINDER_CONF_DIR/rootwrap.d/* + # Set up rootwrap.conf, pointing to /etc/cinder/rootwrap.d + sudo cp $CINDER_DIR/etc/cinder/rootwrap.conf $CINDER_CONF_DIR/ + sudo sed -e "s:^filters_path=.*$:filters_path=$CINDER_CONF_DIR/rootwrap.d:" -i $CINDER_CONF_DIR/rootwrap.conf + sudo chown root:root $CINDER_CONF_DIR/rootwrap.conf + sudo chmod 0644 $CINDER_CONF_DIR/rootwrap.conf + # Specify rootwrap.conf as first parameter to cinder-rootwrap + CINDER_ROOTWRAP="$CINDER_ROOTWRAP $CINDER_CONF_DIR/rootwrap.conf" + ROOTWRAP_CINDER_SUDOER_CMD="$CINDER_ROOTWRAP *" + fi + + TEMPFILE=`mktemp` + echo "$USER ALL=(root) NOPASSWD: $ROOTWRAP_CINDER_SUDOER_CMD" >$TEMPFILE + chmod 0440 $TEMPFILE + sudo chown root:root $TEMPFILE + sudo mv $TEMPFILE /etc/sudoers.d/cinder-rootwrap + CINDER_API_PASTE_INI=$CINDER_CONF_DIR/api-paste.ini cp $CINDER_DIR/etc/cinder/api-paste.ini $CINDER_API_PASTE_INI iniset $CINDER_API_PASTE_INI filter:authtoken auth_host $KEYSTONE_AUTH_HOST 
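Review bot: The `chown root:root` on `$CINDER_CONF_DIR/rootwrap.d` and `rootwrap.conf` protects the filter files only if `$CINDER_CONF_DIR` itself is not writable by `$USER`, and the unprivileged `cp -p $CINDER_DIR/etc/cinder/policy.json $CINDER_CONF_DIR` on the context line above suggests that it is. A user who can write the parent directory can rename or replace root-owned entries in it, so the sudoers rule pinned to `$CINDER_CONF_DIR/rootwrap.conf` would not actually constrain what runs as root. I would keep the rootwrap config under a root-owned directory, or add a comment stating that this layout is acceptable only on a single-user development host. Separately, the fragment is moved into `/etc/sudoers.d` unchecked; running `sudo visudo -c -f $TEMPFILE` before the `sudo mv` would catch a malformed line before it can break sudo. The body of configure_cinder starts before and continues past this hunk.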
@@ -71,6 +107,8 @@ function configure_cinder() { iniset $CINDER_CONF DEFAULT rabbit_host $RABBIT_HOST iniset $CINDER_CONF DEFAULT rabbit_password $RABBIT_PASSWORD iniset $CINDER_CONF DEFAULT api_paste_config $CINDER_API_PASTE_INI + iniset $CINDER_CONF DEFAULT root_helper "sudo ${CINDER_ROOTWRAP}" + } # init_cinder() - Initialize database and volume group diff --git a/stack.sh b/stack.sh index 5d4ce9f0c2..d0e2262f15 100755 --- a/stack.sh +++ b/stack.sh @@ -1225,7 +1225,7 @@ if [[ -d $NOVA_DIR/etc/nova/rootwrap.d ]]; then ROOTWRAP_SUDOER_CMD="$NOVA_ROOTWRAP *" fi -# Set up the rootwrap sudoers +# Set up the rootwrap sudoers for nova TEMPFILE=`mktemp` echo "$USER ALL=(root) NOPASSWD: $ROOTWRAP_SUDOER_CMD" >$TEMPFILE chmod 0440 $TEMPFILE @@ -1495,7 +1495,7 @@ if is_service_enabled swift; then if is_service_enabled swift3;then swift_auth_server="s3token " fi - + # By default Swift will be installed with the tempauth middleware # which has some default username and password if you have # configured keystone it will checkout the directory.
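Review bot: In the `lib/cinder` hunk at `-71,6 +107,8`, the new `root_helper` value is correct only because `CINDER_ROOTWRAP` was rewritten earlier in configure_cinder to carry the `rootwrap.conf` argument, so the variable now holds either a bare binary path or a path plus an argument. Nothing on the line says that the string has to match the command granted in `/etc/sudoers.d/cinder-rootwrap`; a comment such as `# root_helper must match the command allowed in /etc/sudoers.d/cinder-rootwrap` would keep the two from drifting apart. The blank line added before the closing `}` looks unintentional. The function starts outside this hunk.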