setup quantum-rootrwapper

Add quantum-rootwrapper for /etc/sudoers.d This is needed to run quantum in CI env Change-Id: Ib59351c106f0a45bb45476edf032c97744873923
2012-12-06 11:55:29 -08:00 · 2012-12-06 11:55:29 -08:00 · eb1aa3d5ed
commit eb1aa3d5ed
parent b9520212f5
2 changed files with 36 additions and 7 deletions
--- a/lib/quantum
+++ b/lib/quantum
@ -15,10 +15,44 @@ if is_service_enabled quantum; then
    if [[ "$Q_USE_ROOTWRAP" == "False" ]]; then
        Q_RR_COMMAND="sudo"
    else
-        Q_RR_COMMAND="sudo $QUANTUM_DIR/bin/quantum-rootwrap $Q_RR_CONF_FILE"
+        QUANTUM_ROOTWRAP=$(get_rootwrap_location quantum)
+        Q_RR_COMMAND="sudo $QUANTUM_ROOTWRAP $Q_RR_CONF_FILE"
    fi
 fi

+# configure_quantum_rootwrap() - configure Quantum's rootwrap
+function configure_quantum_rootwrap() {
+    if [[ "$Q_USE_ROOTWRAP" == "False" ]]; then
+        return
+    fi
+    # Deploy new rootwrap filters files (owned by root).
+    # Wipe any existing rootwrap.d files first
+    Q_CONF_ROOTWRAP_D=/etc/quantum/rootwrap.d
+    if [[ -d $Q_CONF_ROOTWRAP_D ]]; then
+        sudo rm -rf $Q_CONF_ROOTWRAP_D
+    fi
+    # Deploy filters to /etc/quantum/rootwrap.d
+    mkdir -p -m 755 $Q_CONF_ROOTWRAP_D
+    cp -pr $QUANTUM_DIR/etc/quantum/rootwrap.d/* $Q_CONF_ROOTWRAP_D/
+    sudo chown -R root:root $Q_CONF_ROOTWRAP_D
+    sudo chmod 644 $Q_CONF_ROOTWRAP_D/*
+    # Set up rootwrap.conf, pointing to /etc/quantum/rootwrap.d
+    sudo cp -p $QUANTUM_DIR/etc/rootwrap.conf $Q_RR_CONF_FILE
+    sudo sed -e "s:^filters_path=.*$:filters_path=$Q_CONF_ROOTWRAP_D:" -i $Q_RR_CONF_FILE
+    sudo chown root:root $Q_RR_CONF_FILE
+    sudo chmod 0644 $Q_RR_CONF_FILE
+    # Specify rootwrap.conf as first parameter to quantum-rootwrap
+    ROOTWRAP_SUDOER_CMD="$QUANTUM_ROOTWRAP $Q_RR_CONF_FILE *"
+
+    # Set up the rootwrap sudoers for quantum
+    TEMPFILE=`mktemp`
+    echo "$USER ALL=(root) NOPASSWD: $ROOTWRAP_SUDOER_CMD" >$TEMPFILE
+    chmod 0440 $TEMPFILE
+    sudo chown root:root $TEMPFILE
+    sudo mv $TEMPFILE /etc/sudoers.d/quantum-rootwrap
+}
+
+
 # Configures keystone integration for quantum service and agents
 function quantum_setup_keystone() {
    local conf_file=$1
--- a/stack.sh
+++ b/stack.sh
@ -1149,12 +1149,7 @@ if is_service_enabled quantum; then
    unset dburl

    cp $QUANTUM_DIR/etc/quantum.conf $Q_CONF_FILE
-    cp -p $QUANTUM_DIR/etc/rootwrap.conf $Q_RR_CONF_FILE
-
-    # Copy over the config and filter bits
-    Q_CONF_ROOTWRAP_D=/etc/quantum/rootwrap.d
-    mkdir -p $Q_CONF_ROOTWRAP_D
-    cp -pr $QUANTUM_DIR/etc/quantum/rootwrap.d/* $Q_CONF_ROOTWRAP_D/
+    configure_quantum_rootwrap
 fi

 # Quantum service (for controller node)