Configure nova-rootwrap
* Nova runs as the same user as the rest of devstack and due to the sudo configuration for devstack itself it may be possible that root subprocess execution that doesn't go through utils.execute() will not be caught by the expected sudo failure. Fixes bug 944373 Change-Id: I0554b3850a59d065059f8ad349c8ff8fb7cfa132
This commit is contained in:
parent
165121f7b6
commit
e0d677c71e
@ -1,50 +0,0 @@
|
||||
Cmnd_Alias NOVADEVCMDS = /bin/chmod /var/lib/nova/tmp/*/root/.ssh, \
|
||||
/bin/chown /var/lib/nova/tmp/*/root/.ssh, \
|
||||
/bin/chown, \
|
||||
/bin/chmod, \
|
||||
/bin/dd, \
|
||||
/sbin/ifconfig, \
|
||||
/sbin/ip, \
|
||||
/sbin/route, \
|
||||
/sbin/iptables, \
|
||||
/sbin/iptables-save, \
|
||||
/sbin/iptables-restore, \
|
||||
/sbin/ip6tables-save, \
|
||||
/sbin/ip6tables-restore, \
|
||||
/sbin/kpartx, \
|
||||
/sbin/losetup, \
|
||||
/sbin/lvcreate, \
|
||||
/sbin/lvdisplay, \
|
||||
/sbin/lvremove, \
|
||||
/bin/mkdir, \
|
||||
/bin/mount, \
|
||||
/sbin/pvcreate, \
|
||||
/usr/bin/tee, \
|
||||
/sbin/tune2fs, \
|
||||
/bin/umount, \
|
||||
/sbin/vgcreate, \
|
||||
/usr/bin/virsh, \
|
||||
/usr/bin/qemu-nbd, \
|
||||
/usr/sbin/brctl, \
|
||||
/sbin/brctl, \
|
||||
/usr/sbin/radvd, \
|
||||
/usr/sbin/vblade-persist, \
|
||||
/sbin/pvcreate, \
|
||||
/sbin/aoe-discover, \
|
||||
/sbin/vgcreate, \
|
||||
/bin/aoe-stat, \
|
||||
/bin/kill, \
|
||||
/sbin/vconfig, \
|
||||
/usr/sbin/ietadm, \
|
||||
/sbin/vgs, \
|
||||
/sbin/iscsiadm, \
|
||||
/usr/bin/socat, \
|
||||
/sbin/parted, \
|
||||
/usr/sbin/dnsmasq, \
|
||||
/usr/sbin/tgtadm, \
|
||||
/usr/bin/ovs-vsctl, \
|
||||
/usr/bin/ovs-ofctl, \
|
||||
/usr/sbin/arping
|
||||
|
||||
%USER% ALL = (root) NOPASSWD: SETENV: NOVADEVCMDS
|
||||
|
26
stack.sh
26
stack.sh
@ -135,17 +135,30 @@ if [[ $EUID -eq 0 ]]; then
|
||||
fi
|
||||
exit 1
|
||||
else
|
||||
# Our user needs passwordless priviledges for certain commands which nova
|
||||
# uses internally.
|
||||
# Natty uec images sudoers does not have a '#includedir'. add one.
|
||||
# We're not root, make sure sudo is available
|
||||
dpkg -l sudo
|
||||
die_if_error "Sudo is required. Re-run stack.sh as root ONE TIME ONLY to set up sudo."
|
||||
|
||||
# UEC images /etc/sudoers does not have a '#includedir'. add one.
|
||||
sudo grep -q "^#includedir.*/etc/sudoers.d" /etc/sudoers ||
|
||||
echo "#includedir /etc/sudoers.d" | sudo tee -a /etc/sudoers
|
||||
|
||||
# Set up devstack sudoers
|
||||
TEMPFILE=`mktemp`
|
||||
cat $FILES/sudo/nova > $TEMPFILE
|
||||
sed -e "s,%USER%,$USER,g" -i $TEMPFILE
|
||||
echo "`whoami` ALL=(root) NOPASSWD:ALL" >$TEMPFILE
|
||||
chmod 0440 $TEMPFILE
|
||||
sudo chown root:root $TEMPFILE
|
||||
sudo mv $TEMPFILE /etc/sudoers.d/stack_sh_nova
|
||||
sudo mv $TEMPFILE /etc/sudoers.d/50_stack_sh
|
||||
|
||||
# Set up the rootwrap sudoers
|
||||
TEMPFILE=`mktemp`
|
||||
echo "$USER ALL=(root) NOPASSWD: /usr/local/bin/nova-rootwrap" >$TEMPFILE
|
||||
chmod 0440 $TEMPFILE
|
||||
sudo chown root:root $TEMPFILE
|
||||
sudo mv $TEMPFILE /etc/sudoers.d/nova-rootwrap
|
||||
|
||||
# Remove old file
|
||||
sudo rm -f /etc/sudoers.d/stack_sh_nova
|
||||
fi
|
||||
|
||||
# Set True to configure stack.sh to run cleanly without Internet access.
|
||||
@ -1192,6 +1205,7 @@ add_nova_opt "[DEFAULT]"
|
||||
add_nova_opt "verbose=True"
|
||||
add_nova_opt "auth_strategy=keystone"
|
||||
add_nova_opt "allow_resize_to_same_host=True"
|
||||
add_nova_opt "root_helper=sudo /usr/local/bin/nova-rootwrap"
|
||||
add_nova_opt "compute_scheduler_driver=$SCHEDULER"
|
||||
add_nova_opt "dhcpbridge_flagfile=$NOVA_CONF_DIR/$NOVA_CONF"
|
||||
add_nova_opt "fixed_range=$FIXED_RANGE"
|
||||
|
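Review bot: `dpkg -l sudo` at the top of the new `else` branch is a weak availability check — it is Debian-only and dpkg also lists packages it merely knows about, so it can plausibly return 0 with sudo absent; `command -v sudo >/dev/null` in front of the existing `die_if_error` line would test what the script actually needs. The path `/usr/local/bin/nova-rootwrap` is hard-coded twice, in the sudoers entry here and in the `root_helper=` option of the second hunk, so one variable (e.g. `NOVA_ROOTWRAP=/usr/local/bin/nova-rootwrap` used in both places) would keep the grant and the helper in step. Because `50_stack_sh` already grants the stack user `NOPASSWD:ALL`, the separate `nova-rootwrap` sudoers file adds no privilege; a comment such as `# Redundant while 50_stack_sh grants NOPASSWD:ALL; kept so rootwrap keeps working if that grant is narrowed` would record why it exists. Unquoted `$TEMPFILE` and the backtick substitutions (`TEMPFILE=$(mktemp)`) are the remaining style nits. The enclosing `if [[ $EUID -eq 0 ]]` begins before the hunk.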