From e0d677c71e30f2caefc1d1c117d3633a064de930 Mon Sep 17 00:00:00 2001
From: Dean Troyer
Date: Wed, 7 Mar 2012 14:11:33 -0600
Subject: [PATCH] Configure nova-rootwrap
* Nova runs as the same user as the rest of devstack and due to the sudo configuration for devstack itself it may be possible that root subprocess execution that doesn't go through utils.execute() will not be caught by the expected sudo failure.
Fixes bug 944373
Change-Id: I0554b3850a59d065059f8ad349c8ff8fb7cfa132
---
files/sudo/nova | 50 -------------------------------------------------
stack.sh | 26 +++++++++++++++++++------
2 files changed, 20 insertions(+), 56 deletions(-)
delete mode 100644 files/sudo/nova
diff --git a/files/sudo/nova b/files/sudo/nova
deleted file mode 100644
index 60dca2ba21..0000000000
--- a/files/sudo/nova
+++ /dev/null
@@ -1,50 +0,0 @@
-Cmnd_Alias NOVADEVCMDS = /bin/chmod /var/lib/nova/tmp/*/root/.ssh, \
- /bin/chown /var/lib/nova/tmp/*/root/.ssh, \
- /bin/chown, \
- /bin/chmod, \
- /bin/dd, \
- /sbin/ifconfig, \
- /sbin/ip, \
- /sbin/route, \
- /sbin/iptables, \
- /sbin/iptables-save, \
- /sbin/iptables-restore, \
- /sbin/ip6tables-save, \
- /sbin/ip6tables-restore, \
- /sbin/kpartx, \
- /sbin/losetup, \
- /sbin/lvcreate, \
- /sbin/lvdisplay, \
- /sbin/lvremove, \
- /bin/mkdir, \
- /bin/mount, \
- /sbin/pvcreate, \
- /usr/bin/tee, \
- /sbin/tune2fs, \
- /bin/umount, \
- /sbin/vgcreate, \
- /usr/bin/virsh, \
- /usr/bin/qemu-nbd, \
- /usr/sbin/brctl, \
- /sbin/brctl, \
- /usr/sbin/radvd, \
- /usr/sbin/vblade-persist, \
- /sbin/pvcreate, \
- /sbin/aoe-discover, \
- /sbin/vgcreate, \
- /bin/aoe-stat, \
- /bin/kill, \
- /sbin/vconfig, \
- /usr/sbin/ietadm, \
- /sbin/vgs, \
- /sbin/iscsiadm, \
- /usr/bin/socat, \
- /sbin/parted, \
- /usr/sbin/dnsmasq, \
- /usr/sbin/tgtadm, \
- /usr/bin/ovs-vsctl, \
- /usr/bin/ovs-ofctl, \
- /usr/sbin/arping
-
-%USER% ALL = (root) NOPASSWD: SETENV: NOVADEVCMDS
-
diff --git a/stack.sh b/stack.sh
index eead8a199f..680e2f5cd9 100755
--- a/stack.sh
+++ b/stack.sh
@@ -135,17 +135,30 @@ if [[ $EUID -eq 0 ]]; then
 fi
 exit 1
 else
- # Our user needs passwordless priviledges for certain commands which nova
- # uses internally.
- # Natty uec images sudoers does not have a '#includedir'. add one.
+ # We're not root, make sure sudo is available
+ dpkg -l sudo
+ die_if_error "Sudo is required. Re-run stack.sh as root ONE TIME ONLY to set up sudo."
+
+ # UEC images /etc/sudoers does not have a '#includedir'. add one.
 sudo grep -q "^#includedir.*/etc/sudoers.d" /etc/sudoers ||
 echo "#includedir /etc/sudoers.d" | sudo tee -a /etc/sudoers
+
+ # Set up devstack sudoers
 TEMPFILE=`mktemp`
- cat $FILES/sudo/nova > $TEMPFILE
- sed -e "s,%USER%,$USER,g" -i $TEMPFILE
+ echo "`whoami` ALL=(root) NOPASSWD:ALL" >$TEMPFILE
 chmod 0440 $TEMPFILE
 sudo chown root:root $TEMPFILE
- sudo mv $TEMPFILE /etc/sudoers.d/stack_sh_nova
+ sudo mv $TEMPFILE /etc/sudoers.d/50_stack_sh
+
+ # Set up the rootwrap sudoers
+ TEMPFILE=`mktemp`
+ echo "$USER ALL=(root) NOPASSWD: /usr/local/bin/nova-rootwrap" >$TEMPFILE
+ chmod 0440 $TEMPFILE
+ sudo chown root:root $TEMPFILE
+ sudo mv $TEMPFILE /etc/sudoers.d/nova-rootwrap
+
+ # Remove old file
+ sudo rm -f /etc/sudoers.d/stack_sh_nova
 fi

 # Set True to configure stack.sh to run cleanly without Internet access.
@@ -1192,6 +1205,7 @@ add_nova_opt "[DEFAULT]"
 add_nova_opt "verbose=True"
 add_nova_opt "auth_strategy=keystone"
 add_nova_opt "allow_resize_to_same_host=True"
+add_nova_opt "root_helper=sudo /usr/local/bin/nova-rootwrap"
 add_nova_opt "compute_scheduler_driver=$SCHEDULER"
 add_nova_opt "dhcpbridge_flagfile=$NOVA_CONF_DIR/$NOVA_CONF"
 add_nova_opt "fixed_range=$FIXED_RANGE"
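Review bot: The two sudoers rules written in this hunk identify the account two different ways — the `whoami` command substitution for `50_stack_sh` and the `$USER` environment variable for `nova-rootwrap` — and `$USER` is inherited from the environment, so after a `su` without `-` or a similar shell it can name a different account than the effective user, leaving one rule pointing at the wrong principal. Resolve the name once, e.g. `STACK_USER=$(whoami)` before the first `TEMPFILE=` line, and use `$STACK_USER` in both `echo` lines. Also, `NOPASSWD:ALL` in `50_stack_sh` already covers `/usr/local/bin/nova-rootwrap` for that account, so the dedicated rootwrap rule does not confine anything here; a comment such as `# Redundant with 50_stack_sh for this user; kept so root_helper keeps working if 50_stack_sh is removed` would stop the next reader from reading confinement into it. `dpkg -l sudo` also prints a package table on success; `dpkg -s sudo >/dev/null 2>&1` looks like the quieter check, though I have not verified its exit status for a removed-but-not-purged package.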
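Review bot: The `root_helper` value repeats the literal path `/usr/local/bin/nova-rootwrap` that the sudoers rule in the `@@ -135,17 +135,30 @@` hunk also spells out, so the two can drift silently — if the binary is installed elsewhere, every rootwrapped command would start hitting a sudo prompt or failure instead of the passwordless rule. Define the path once, e.g. `NOVA_ROOTWRAP=${NOVA_ROOTWRAP:-/usr/local/bin/nova-rootwrap}`, and reference `$NOVA_ROOTWRAP` in both the sudoers `echo` and this `add_nova_opt "root_helper=sudo $NOVA_ROOTWRAP"` line. The run of `add_nova_opt` calls continues outside the hunk.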