Fix glance-api privsep errors

This fixes usage of cinder as glance backend.

Glance API source containers were missing both sudoers and
rootwrap config. rootwrap config gets included in Kolla
because otherwise it is clunky to get it from glance_store
where it lives. The positive side is that it has not
changed since July 2016.

Debian/Ubuntu binary have weird double-glance path to
rootwrap which gets fixed now by symbolic link.

Closes-bug: #1869072

Change-Id: Ia53657a415249882b93acca86b5e2a3bfa167820

docker/glance/glance-base/Dockerfile.j2

@@ -43,6 +43,11 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 
 {{ macros.install_packages(glance_base_packages | customizable("packages")) }}
 
+{% if base_package_type == 'deb' %}
+# fix up Ubuntu and Debian packaging of config (glance_store's rootwrap)
+RUN ln -s /etc/glance/glance/* /etc/glance/
+{% endif %}
+
 {% elif install_type == 'source' %}
     {% if base_package_type == 'rpm' %}
         {% if distro_python_version.startswith('3') %}
@@ -72,17 +77,24 @@ ADD glance-base-archive /glance-base-source
     'glance_store[cinder,vmware,swift]'
 ] %}
 
+# add missing rootwrap config present in glance_store repo
+COPY etc/glance /etc/glance
+
 RUN ln -s glance-base-source/* glance \
     && {{ macros.install_pip(glance_base_pip_packages | customizable("pip_packages")) }} \
     && mkdir -p /etc/glance \
     && cp -r /glance/etc/* /etc/glance/ \
-    && chown -R glance: /etc/glance
+    && chown -R glance: /etc/glance \
+    && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/glance/rootwrap.conf
 
 {% endif %}
 
+COPY glance_sudoers /etc/sudoers.d/kolla_glance_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 
-RUN touch /usr/local/bin/kolla_glance_extend_start \
+RUN chmod 750 /etc/sudoers.d \
+    && chmod 440 /etc/sudoers.d/kolla_glance_sudoers \
+    && touch /usr/local/bin/kolla_glance_extend_start \
     && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_glance_extend_start
 
 {% block glance_base_footer %}{% endblock %}

docker/glance/glance-base/etc/glance/rootwrap.conf

@@ -0,0 +1,27 @@
+# Configuration for glance-rootwrap
+# This file should be owned by (and only-writable by) the root user
+
+[DEFAULT]
+# List of directories to load filter definitions from (separated by ',').
+# These directories MUST all be only writeable by root !
+filters_path=/etc/glance/rootwrap.d,/usr/share/glance/rootwrap
+
+# List of directories to search executables in, in case filters do not
+# explicitely specify a full path (separated by ',')
+# If not specified, defaults to system PATH environment variable.
+# These directories MUST all be only writeable by root !
+exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin
+
+# Enable logging to syslog
+# Default value is False
+use_syslog=False
+
+# Which syslog facility to use.
+# Valid values include auth, authpriv, syslog, local0, local1...
+# Default value is 'syslog'
+syslog_log_facility=syslog
+
+# Which messages to log.
+# INFO means log all usage
+# ERROR means only log unsuccessful attempts
+syslog_log_level=ERROR

docker/glance/glance-base/etc/glance/rootwrap.d/glance_cinder_store.filters

@@ -0,0 +1,12 @@
+# glance-rootwrap command filters for glance cinder store
+# This file should be owned by (and only-writable by) the root user
+
+[Filters]
+# cinder store driver
+disk_chown: RegExpFilter, chown, root, chown, \d+, /dev/(?!.*/\.\.).*
+
+# os-brick library commands
+# os_brick.privileged.run_as_root oslo.privsep context
+# This line ties the superuser privs with the config files, context name,
+# and (implicitly) the actual python code invoked.
+privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*

docker/glance/glance-base/glance_sudoers

@@ -0,0 +1 @@
+glance ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/glance-rootwrap /etc/glance/rootwrap.conf *