From ef971bff5135b88e3451eb451418327e672f6d8b Mon Sep 17 00:00:00 2001
From: Artur Zarzycki <azarzycki@mirantis.com>
Date: Wed, 13 Jan 2016 17:28:53 +0100
Subject: [PATCH] Fix permissions to /var/lib/nova/

Due to changes with the drop-root work, we lost the ability to write
to /var/lib/nova/*. This fixes those permissions and ensures cross
container talk works properly between nova_libvirt and nova_compute

Additionally, this fixes another issue introduced which saw that
nova-compute could not run sudo commands as it did not have a proper
sudoers entry

Testing on top of a previous deploy requires a fresh environment. You
have to remove all of the named volumes that kolla created in docker.
Check these with `docker volume ls`

Signed-off-by: Hui Kang <kangh@us.ibm.com>
Signed-off-by: Artur Zarzycki <azarzycki@mirantis.com>
Co-Authored-By: Sam Yaple <sam@yaple.net>
Co-Authored-By: Hui Kang <kangh@us.ibm.com>
Closes-Bug: #1533350
Change-Id: I7f864c448a2414e0b5d89f48337be411b891df35
---
 ansible/roles/nova/tasks/bootstrap.yml        | 29 +++++++++++++++++++
 ansible/roles/nova/tasks/deploy.yml           |  3 +-
 ansible/roles/nova/tasks/start.yml            |  5 ++--
 docker/nova/nova-base/Dockerfile.j2           |  4 +++
 docker/nova/nova-base/nova_sudoers            |  1 +
 docker/nova/nova-compute/Dockerfile.j2        |  6 ++++
 docker/nova/nova-compute/extend_start.sh      |  9 ++++++
 docker/nova/nova-compute/nova_compute_sudoers |  1 +
 8 files changed, 54 insertions(+), 4 deletions(-)
 create mode 100644 docker/nova/nova-base/nova_sudoers
 create mode 100644 docker/nova/nova-compute/extend_start.sh
 create mode 100644 docker/nova/nova-compute/nova_compute_sudoers

diff --git a/ansible/roles/nova/tasks/bootstrap.yml b/ansible/roles/nova/tasks/bootstrap.yml
index 16e2500c59..fcdd2a7078 100644
--- a/ansible/roles/nova/tasks/bootstrap.yml
+++ b/ansible/roles/nova/tasks/bootstrap.yml
@@ -50,3 +50,32 @@
   run_once: True
   delegate_to: "{{ groups['nova-api'][0] }}"
   when: database_created
+
+- name: Creating nova-compute volume
+  kolla_docker:
+    action: "create_volume"
+    common_options: "{{ docker_common_options }}"
+    name: "nova_compute"
+  register: nova_compute_volume
+  when:
+    - inventory_hostname in groups['compute']
+    - not enable_nova_fake | bool
+
+- name: Starting Nova compute bootstrap container
+  kolla_docker:
+    action: "start_container"
+    common_options: "{{ docker_common_options }}"
+    detach: False
+    environment:
+      KOLLA_BOOTSTRAP:
+      KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}"
+    image: "{{ nova_compute_image_full }}"
+    name: "bootstrap_nova_compute"
+    restart_policy: "never"
+    volumes:
+      - "{{ node_config_directory }}/nova-compute/:{{ container_config_directory }}/:ro"
+      - "nova_compute:/var/lib/nova/"
+  when:
+    - inventory_hostname in groups['compute']
+    - not enable_nova_fake | bool
+    - nova_compute_volume.changed
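Review bot: The `nova_compute_volume.changed` guard on the last line means the ownership fix in the bootstrap container only runs when the `nova_compute` volume is created fresh; a volume left over from an earlier deploy (previously mounted at /var/lib/nova/instances) is never repaired, which is presumably why the commit message asks for volumes to be removed. That constraint deserves a comment above the task, e.g. `# Only runs against a freshly created volume; volumes from earlier deploys must be removed first`. Also `detach: False` should be written `detach: false` — the capitalised form is a YAML 1.1 boolean that yamllint's truthy rule rejects, and the rest of the task uses lowercase scalars.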
diff --git a/ansible/roles/nova/tasks/deploy.yml b/ansible/roles/nova/tasks/deploy.yml
index f72e6e2193..13a5dba8fe 100644
--- a/ansible/roles/nova/tasks/deploy.yml
+++ b/ansible/roles/nova/tasks/deploy.yml
@@ -27,7 +27,8 @@
     - inventory_hostname in groups['compute']
 
 - include: bootstrap.yml
-  when: inventory_hostname in groups['nova-api']
+  when: inventory_hostname in groups['nova-api'] or
+        inventory_hostname in groups['compute']
 
 - include: start.yml
   when: inventory_hostname in groups['compute'] or
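Review bot: Widening the include condition to compute hosts means every task in bootstrap.yml now also runs on those hosts, so each task that only makes sense on nova-api (database setup and the like) must carry its own host guard or `run_once`/`delegate_to`. The tail of the previous hunk shows `run_once: True` and `delegate_to` on the task preceding the new ones, but the earlier tasks in that file are not visible here — worth checking that none of them relied solely on this include condition. The existing multi-line plain-scalar `when` style is kept, which is fine, though a folded `>-` scalar would make the continuation explicit.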
diff --git a/ansible/roles/nova/tasks/start.yml b/ansible/roles/nova/tasks/start.yml
index e97455c8e4..4df7f4d840 100644
--- a/ansible/roles/nova/tasks/start.yml
+++ b/ansible/roles/nova/tasks/start.yml
@@ -10,9 +10,8 @@
     volumes:
       - "{{ node_config_directory }}/nova-libvirt/:{{ container_config_directory }}/:ro"
       - "/lib/modules:/lib/modules:ro"
-      - "/run:/run"
       - "/sys/fs/cgroup:/sys/fs/cgroup"
-      - "nova_compute:/var/lib/nova/instances"
+      - "nova_compute:/var/lib/nova/"
       - "nova_libvirt:/var/lib/libvirt"
   when: inventory_hostname in groups['compute']
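Review bot: The removal of `- "/run:/run"` from the nova_libvirt container's volumes is not mentioned in the commit message, while the nova_compute container in the second hunk of this file still mounts `/run:/run`. If the libvirt socket under /run is how nova_compute reaches libvirtd, dropping the mount on the libvirt side removes that shared path — confirm it is intentional and, if so, say why in the commit message or in a comment next to the volume list. The mount-point change to `nova_compute:/var/lib/nova/` in both hunks is consistent with the bootstrap task and needs no further change.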
 
@@ -100,7 +99,7 @@
       - "/lib/modules:/lib/modules:ro"
       - "/run:/run"
       - "/var/lib/kolla/dev/log:/dev/log"
-      - "nova_compute:/var/lib/nova/instances"
+      - "nova_compute:/var/lib/nova/"
       - "nova_libvirt:/var/lib/libvirt"
   when:
     - inventory_hostname in groups['compute']
diff --git a/docker/nova/nova-base/Dockerfile.j2 b/docker/nova/nova-base/Dockerfile.j2
index 898dd37368..0f9aedd945 100644
--- a/docker/nova/nova-base/Dockerfile.j2
+++ b/docker/nova/nova-base/Dockerfile.j2
@@ -52,6 +52,10 @@ RUN ln -s nova-base-source/* nova \
     && cp -r /nova/etc/nova/* /etc/nova/ \
     && chown -R nova: /etc/nova /var/log/nova /home/nova /var/lib/nova
 
+COPY nova_sudoers /etc/sudoers.d/nova_sudoers
+RUN chmod 750 /etc/sudoers.d \
+    && chmod 440 /etc/sudoers.d/nova_sudoers
+
 {% endif %}
 
 RUN usermod -a -G kolla nova
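Review bot: The sudoers rule installed here (nova_sudoers, the one-line hunk further down) gives nova passwordless root through nova-rootwrap driven by /etc/nova/rootwrap.conf, while the context line just above the new COPY, `chown -R nova: /etc/nova`, leaves that config — and the filter files it references — owned by the same unprivileged user. Rootwrap's command filtering is only as strong as the root ownership of its configuration, so I would keep it root-owned, e.g. append `&& chown root: /etc/nova/rootwrap.conf` to that RUN and do the same for the filters directory if one is copied into the image (not visible in this diff). The trailing `*` in the rule is what rootwrap needs to receive its arguments, so that part is as expected. The `chmod 750 /etc/sudoers.d` is repeated in the nova-compute Dockerfile hunk; harmless, but redundant if that image is built from nova-base.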
diff --git a/docker/nova/nova-base/nova_sudoers b/docker/nova/nova-base/nova_sudoers
new file mode 100644
index 0000000000..6d73da6d35
--- /dev/null
+++ b/docker/nova/nova-base/nova_sudoers
@@ -0,0 +1 @@
+nova ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/nova-rootwrap /etc/nova/rootwrap.conf *
diff --git a/docker/nova/nova-compute/Dockerfile.j2 b/docker/nova/nova-compute/Dockerfile.j2
index 029a435c74..aad9c8ba86 100644
--- a/docker/nova/nova-compute/Dockerfile.j2
+++ b/docker/nova/nova-compute/Dockerfile.j2
@@ -50,6 +50,12 @@ RUN /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements
 
 {% endif %}
 
+COPY nova_compute_sudoers /etc/sudoers.d/nova_compute_sudoers
+COPY extend_start.sh /usr/local/bin/kolla_extend_start
+RUN chmod 755 /usr/local/bin/kolla_extend_start \
+    && chmod 750 /etc/sudoers.d \
+    && chmod 440 /etc/sudoers.d/nova_compute_sudoers
+
 {{ include_footer }}
 
 USER nova
diff --git a/docker/nova/nova-compute/extend_start.sh b/docker/nova/nova-compute/extend_start.sh
new file mode 100644
index 0000000000..084e76a192
--- /dev/null
+++ b/docker/nova/nova-compute/extend_start.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# Bootstrap and exit if KOLLA_BOOTSTRAP variable is set. This catches all cases
+# of the KOLLA_BOOTSTRAP variable being set, including empty.
+if [[ "${!KOLLA_BOOTSTRAP[@]}" ]]; then
+    sudo chown nova: /var/lib/nova/
+    mkdir /var/lib/nova/instances
+    exit 0
+fi
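Review bot: `mkdir /var/lib/nova/instances` fails if the directory already exists and, with no errexit set, the script still reaches `exit 0`, so a failed chown or mkdir is reported as a successful bootstrap and the container only fails later when nova tries to write. I would add `set -o errexit` after the shebang and change the line to `mkdir -p /var/lib/nova/instances`. The `sudo chown nova: /var/lib/nova/` call has to match the nova_compute_sudoers rule argument-for-argument, trailing slash included, so a comment such as `# arguments must match the entry in nova_compute_sudoers exactly` above it would protect future edits.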
diff --git a/docker/nova/nova-compute/nova_compute_sudoers b/docker/nova/nova-compute/nova_compute_sudoers
new file mode 100644
index 0000000000..a7fb7b864e
--- /dev/null
+++ b/docker/nova/nova-compute/nova_compute_sudoers
@@ -0,0 +1 @@
+%kolla ALL=(root) NOPASSWD: /usr/bin/chown nova\: /var/lib/nova/, /bin/chown nova\: /var/lib/nova/