Merge "Add inc/rootwrap"
This commit is contained in:
commit
9e63b59a8e
@ -15,6 +15,7 @@ FUNC_DIR=$(cd $(dirname "${BASH_SOURCE:-$0}") && pwd)
|
|||||||
source ${FUNC_DIR}/functions-common
|
source ${FUNC_DIR}/functions-common
|
||||||
source ${FUNC_DIR}/inc/ini-config
|
source ${FUNC_DIR}/inc/ini-config
|
||||||
source ${FUNC_DIR}/inc/python
|
source ${FUNC_DIR}/inc/python
|
||||||
|
source ${FUNC_DIR}/inc/rootwrap
|
||||||
|
|
||||||
# Save trace setting
|
# Save trace setting
|
||||||
XTRACE=$(set +o | grep xtrace)
|
XTRACE=$(set +o | grep xtrace)
|
||||||
|
77
inc/rootwrap
Normal file
77
inc/rootwrap
Normal file
@ -0,0 +1,77 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# **inc/rootwrap** - Rootwrap functions
|
||||||
|
#
|
||||||
|
# Handle rootwrap's foibles
|
||||||
|
|
||||||
|
# Uses: ``STACK_USER``
|
||||||
|
# Defines: ``SUDO_SECURE_PATH_FILE``
|
||||||
|
|
||||||
|
# Save trace setting
|
||||||
|
INC_ROOT_TRACE=$(set +o | grep xtrace)
|
||||||
|
set +o xtrace
|
||||||
|
|
||||||
|
# Accumulate all additions to sudo's ``secure_path`` in one file read last
|
||||||
|
# so they all work in a venv configuration
|
||||||
|
SUDO_SECURE_PATH_FILE=${SUDO_SECURE_PATH_FILE:-/etc/sudoers.d/zz-secure-path}
|
||||||
|
|
||||||
|
# Add a directory to the common sudo ``secure_path``
|
||||||
|
# add_sudo_secure_path dir
|
||||||
|
function add_sudo_secure_path {
|
||||||
|
local dir=$1
|
||||||
|
local line
|
||||||
|
|
||||||
|
# This is pretty simplistic for now - assume only the first line is used
|
||||||
|
if [[ -r SUDO_SECURE_PATH_FILE ]]; then
|
||||||
|
line=$(head -1 $SUDO_SECURE_PATH_FILE)
|
||||||
|
else
|
||||||
|
line="Defaults:$STACK_USER secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Only add ``dir`` if it is not already present
|
||||||
|
if [[ $line =~ $dir ]]; then
|
||||||
|
echo "${line}:$dir" | sudo tee $SUDO_SECURE_PATH_FILE
|
||||||
|
sudo chmod 400 $SUDO_SECURE_PATH_FILE
|
||||||
|
sudo chown root:root $SUDO_SECURE_PATH_FILE
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Configure rootwrap
|
||||||
|
# Make a load of assumptions otherwise we'll have 6 arguments
|
||||||
|
# configure_rootwrap project bin conf-src-dir
|
||||||
|
function configure_rootwrap {
|
||||||
|
local project=$1 # xx
|
||||||
|
local rootwrap_bin=$2 # /opt/stack/xx.venv/bin/xx-rootwrap
|
||||||
|
local rootwrap_conf_src_dir=$3 # /opt/stack/xx/etc/xx
|
||||||
|
|
||||||
|
# Start fresh with rootwrap filters
|
||||||
|
sudo rm -rf /etc/${project}/rootwrap.d
|
||||||
|
sudo install -d -o root -g root -m 755 /etc/${project}/rootwrap.d
|
||||||
|
sudo install -o root -g root -m 644 $rootwrap_conf_src_dir/rootwrap.d/*.filters /etc/${project}/rootwrap.d
|
||||||
|
|
||||||
|
# Set up rootwrap.conf, pointing to /etc/*/rootwrap.d
|
||||||
|
sudo install -o root -g root -m 644 $rootwrap_conf_src_dir/rootwrap.conf /etc/${project}/rootwrap.conf
|
||||||
|
sudo sed -e "s:^filters_path=.*$:filters_path=/etc/${project}/rootwrap.d:" -i /etc/${project}/rootwrap.conf
|
||||||
|
|
||||||
|
# Specify rootwrap.conf as first parameter to rootwrap
|
||||||
|
rootwrap_sudo_cmd="$rootwrap_bin /etc/${project}/rootwrap.conf *"
|
||||||
|
|
||||||
|
# Set up the rootwrap sudoers
|
||||||
|
local tempfile=$(mktemp)
|
||||||
|
echo "$STACK_USER ALL=(root) NOPASSWD: $rootwrap_sudo_cmd" >$tempfile
|
||||||
|
chmod 0440 $tempfile
|
||||||
|
sudo chown root:root $tempfile
|
||||||
|
sudo mv $tempfile /etc/sudoers.d/${project}-rootwrap
|
||||||
|
|
||||||
|
# Add bin dir to sudo's secure_path because rootwrap is being called
|
||||||
|
# without a path because BROKEN.
|
||||||
|
add_sudo_secure_path $(dirname $rootwrap_bin)
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Restore xtrace
|
||||||
|
$INC_ROOT_TRACE
|
||||||
|
|
||||||
|
# Local variables:
|
||||||
|
# mode: shell-script
|
||||||
|
# End:
|
38
lib/cinder
38
lib/cinder
@ -171,42 +171,6 @@ function cleanup_cinder {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# Deploy new rootwrap filters files and configure sudo
|
|
||||||
# configure_cinder_rootwrap() - configure Cinder's rootwrap
|
|
||||||
function configure_cinder_rootwrap {
|
|
||||||
local cinder_rootwrap=$CINDER_BIN_DIR/cinder-rootwrap
|
|
||||||
|
|
||||||
# Wipe any existing rootwrap.d files first
|
|
||||||
if [[ -d $CINDER_CONF_DIR/rootwrap.d ]]; then
|
|
||||||
sudo rm -rf $CINDER_CONF_DIR/rootwrap.d
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Deploy filters to /etc/cinder/rootwrap.d
|
|
||||||
sudo install -d -o root -g root -m 755 $CINDER_CONF_DIR/rootwrap.d
|
|
||||||
sudo install -o root -g root -m 644 $CINDER_DIR/etc/cinder/rootwrap.d/*.filters $CINDER_CONF_DIR/rootwrap.d
|
|
||||||
|
|
||||||
# Set up rootwrap.conf, pointing to /etc/cinder/rootwrap.d
|
|
||||||
sudo install -o root -g root -m 644 $CINDER_DIR/etc/cinder/rootwrap.conf $CINDER_CONF_DIR
|
|
||||||
sudo sed -e "s:^filters_path=.*$:filters_path=$CINDER_CONF_DIR/rootwrap.d:" -i $CINDER_CONF_DIR/rootwrap.conf
|
|
||||||
|
|
||||||
# Specify rootwrap.conf as first parameter to rootwrap
|
|
||||||
ROOTWRAP_CSUDOER_CMD="$cinder_rootwrap $CINDER_CONF_DIR/rootwrap.conf *"
|
|
||||||
|
|
||||||
# Set up the rootwrap sudoers for cinder
|
|
||||||
local tempfile=`mktemp`
|
|
||||||
echo "Defaults:$STACK_USER secure_path=$CINDER_BIN_DIR:/sbin:/usr/sbin:/usr/bin:/bin:/usr/local/sbin:/usr/local/bin" >$tempfile
|
|
||||||
echo "$STACK_USER ALL=(root) NOPASSWD: $ROOTWRAP_CSUDOER_CMD" >>$tempfile
|
|
||||||
chmod 0440 $tempfile
|
|
||||||
sudo chown root:root $tempfile
|
|
||||||
sudo mv $tempfile /etc/sudoers.d/cinder-rootwrap
|
|
||||||
|
|
||||||
# So rootwrap and PATH are broken beyond belief. WTF relies on a SECURE operation
|
|
||||||
# to blindly follow PATH??? We learned that was a bad idea in the 80's!
|
|
||||||
# So to fix this in a venv, we must exploit the very hole we want to close by dropping
|
|
||||||
# a copy of the venv rootwrap binary into /usr/local/bin.
|
|
||||||
#sudo cp -p $cinder_rootwrap /usr/local/bin
|
|
||||||
}
|
|
||||||
|
|
||||||
# configure_cinder() - Set config files, create data dirs, etc
|
# configure_cinder() - Set config files, create data dirs, etc
|
||||||
function configure_cinder {
|
function configure_cinder {
|
||||||
sudo install -d -o $STACK_USER -m 755 $CINDER_CONF_DIR
|
sudo install -d -o $STACK_USER -m 755 $CINDER_CONF_DIR
|
||||||
@ -215,7 +179,7 @@ function configure_cinder {
|
|||||||
|
|
||||||
rm -f $CINDER_CONF
|
rm -f $CINDER_CONF
|
||||||
|
|
||||||
configure_cinder_rootwrap
|
configure_rootwrap cinder $CINDER_BIN_DIR/cinder-rootwrap $CINDER_DIR/etc/cinder
|
||||||
|
|
||||||
cp $CINDER_DIR/etc/cinder/api-paste.ini $CINDER_API_PASTE_INI
|
cp $CINDER_DIR/etc/cinder/api-paste.ini $CINDER_API_PASTE_INI
|
||||||
|
|
||||||
|
38
lib/nova
38
lib/nova
@ -223,42 +223,6 @@ function cleanup_nova {
|
|||||||
#fi
|
#fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# Deploy new rootwrap filters files and configure sudo
|
|
||||||
# configure_nova_rootwrap() - configure Nova's rootwrap
|
|
||||||
function configure_nova_rootwrap {
|
|
||||||
nova_rootwrap=$NOVA_BIN_DIR/nova-rootwrap
|
|
||||||
|
|
||||||
# Wipe any existing rootwrap.d files first
|
|
||||||
if [[ -d $NOVA_CONF_DIR/rootwrap.d ]]; then
|
|
||||||
sudo rm -rf $NOVA_CONF_DIR/rootwrap.d
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Deploy filters to /etc/nova/rootwrap.d
|
|
||||||
sudo install -d -o root -g root -m 755 $NOVA_CONF_DIR/rootwrap.d
|
|
||||||
sudo install -o root -g root -m 644 $NOVA_DIR/etc/nova/rootwrap.d/*.filters $NOVA_CONF_DIR/rootwrap.d
|
|
||||||
|
|
||||||
# Set up rootwrap.conf, pointing to /etc/nova/rootwrap.d
|
|
||||||
sudo install -o root -g root -m 644 $NOVA_DIR/etc/nova/rootwrap.conf $NOVA_CONF_DIR
|
|
||||||
sudo sed -e "s:^filters_path=.*$:filters_path=$NOVA_CONF_DIR/rootwrap.d:" -i $NOVA_CONF_DIR/rootwrap.conf
|
|
||||||
|
|
||||||
# Specify rootwrap.conf as first parameter to nova-rootwrap
|
|
||||||
local rootwrap_sudoer_cmd="$nova_rootwrap $NOVA_CONF_DIR/rootwrap.conf *"
|
|
||||||
|
|
||||||
# Set up the rootwrap sudoers for nova
|
|
||||||
local tempfile=`mktemp`
|
|
||||||
echo "Defaults:$STACK_USER secure_path=$NOVA_BIN_DIR:/sbin:/usr/sbin:/usr/bin:/bin:/usr/local/sbin:/usr/local/bin" >$tempfile
|
|
||||||
echo "$STACK_USER ALL=(root) NOPASSWD: $rootwrap_sudoer_cmd" >>$tempfile
|
|
||||||
chmod 0440 $tempfile
|
|
||||||
sudo chown root:root $tempfile
|
|
||||||
sudo mv $tempfile /etc/sudoers.d/nova-rootwrap
|
|
||||||
|
|
||||||
# So rootwrap and PATH are broken beyond belief. WTF relies on a SECURE operation
|
|
||||||
# to blindly follow PATH??? We learned that was a bad idea in the 80's!
|
|
||||||
# So to fix this in a venv, we must exploit the very hole we want to close by dropping
|
|
||||||
# a copy of the venv rootwrap binary into /usr/local/bin.
|
|
||||||
#sudo cp -p $nova_rootwrap /usr/local/bin
|
|
||||||
}
|
|
||||||
|
|
||||||
# configure_nova() - Set config files, create data dirs, etc
|
# configure_nova() - Set config files, create data dirs, etc
|
||||||
function configure_nova {
|
function configure_nova {
|
||||||
# Put config files in ``/etc/nova`` for everyone to find
|
# Put config files in ``/etc/nova`` for everyone to find
|
||||||
@ -266,7 +230,7 @@ function configure_nova {
|
|||||||
|
|
||||||
install_default_policy nova
|
install_default_policy nova
|
||||||
|
|
||||||
configure_nova_rootwrap
|
configure_rootwrap nova $NOVA_BIN_DIR/nova-rootwrap $NOVA_DIR/etc/nova
|
||||||
|
|
||||||
if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
|
if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
|
||||||
# Get the sample configuration file in place
|
# Get the sample configuration file in place
|
||||||
|
Loading…
Reference in New Issue
Block a user