| 1 | 1 |
deleted file mode 100644 |
| ... | ... |
@@ -1,50 +0,0 @@ |
| 1 |
-Cmnd_Alias NOVADEVCMDS = /bin/chmod /var/lib/nova/tmp/*/root/.ssh, \ |
|
| 2 |
- /bin/chown /var/lib/nova/tmp/*/root/.ssh, \ |
|
| 3 |
- /bin/chown, \ |
|
| 4 |
- /bin/chmod, \ |
|
| 5 |
- /bin/dd, \ |
|
| 6 |
- /sbin/ifconfig, \ |
|
| 7 |
- /sbin/ip, \ |
|
| 8 |
- /sbin/route, \ |
|
| 9 |
- /sbin/iptables, \ |
|
| 10 |
- /sbin/iptables-save, \ |
|
| 11 |
- /sbin/iptables-restore, \ |
|
| 12 |
- /sbin/ip6tables-save, \ |
|
| 13 |
- /sbin/ip6tables-restore, \ |
|
| 14 |
- /sbin/kpartx, \ |
|
| 15 |
- /sbin/losetup, \ |
|
| 16 |
- /sbin/lvcreate, \ |
|
| 17 |
- /sbin/lvdisplay, \ |
|
| 18 |
- /sbin/lvremove, \ |
|
| 19 |
- /bin/mkdir, \ |
|
| 20 |
- /bin/mount, \ |
|
| 21 |
- /sbin/pvcreate, \ |
|
| 22 |
- /usr/bin/tee, \ |
|
| 23 |
- /sbin/tune2fs, \ |
|
| 24 |
- /bin/umount, \ |
|
| 25 |
- /sbin/vgcreate, \ |
|
| 26 |
- /usr/bin/virsh, \ |
|
| 27 |
- /usr/bin/qemu-nbd, \ |
|
| 28 |
- /usr/sbin/brctl, \ |
|
| 29 |
- /sbin/brctl, \ |
|
| 30 |
- /usr/sbin/radvd, \ |
|
| 31 |
- /usr/sbin/vblade-persist, \ |
|
| 32 |
- /sbin/pvcreate, \ |
|
| 33 |
- /sbin/aoe-discover, \ |
|
| 34 |
- /sbin/vgcreate, \ |
|
| 35 |
- /bin/aoe-stat, \ |
|
| 36 |
- /bin/kill, \ |
|
| 37 |
- /sbin/vconfig, \ |
|
| 38 |
- /usr/sbin/ietadm, \ |
|
| 39 |
- /sbin/vgs, \ |
|
| 40 |
- /sbin/iscsiadm, \ |
|
| 41 |
- /usr/bin/socat, \ |
|
| 42 |
- /sbin/parted, \ |
|
| 43 |
- /usr/sbin/dnsmasq, \ |
|
| 44 |
- /usr/sbin/tgtadm, \ |
|
| 45 |
- /usr/bin/ovs-vsctl, \ |
|
| 46 |
- /usr/bin/ovs-ofctl, \ |
|
| 47 |
- /usr/sbin/arping |
|
| 48 |
- |
|
| 49 |
-%USER% ALL = (root) NOPASSWD: SETENV: NOVADEVCMDS |
|
| 50 |
- |
| ... | ... |
@@ -136,17 +136,30 @@ if [[ $EUID -eq 0 ]]; then |
| 136 | 136 |
fi |
| 137 | 137 |
exit 1 |
| 138 | 138 |
else |
| 139 |
- # Our user needs passwordless priviledges for certain commands which nova |
|
| 140 |
- # uses internally. |
|
| 141 |
- # Natty uec images sudoers does not have a '#includedir'. add one. |
|
| 139 |
+ # We're not root, make sure sudo is available |
|
| 140 |
+ dpkg -l sudo |
|
| 141 |
+ die_if_error "Sudo is required. Re-run stack.sh as root ONE TIME ONLY to set up sudo." |
|
| 142 |
+ |
|
| 143 |
+ # UEC images /etc/sudoers does not have a '#includedir'. add one. |
|
| 142 | 144 |
sudo grep -q "^#includedir.*/etc/sudoers.d" /etc/sudoers || |
| 143 | 145 |
echo "#includedir /etc/sudoers.d" | sudo tee -a /etc/sudoers |
| 146 |
+ |
|
| 147 |
+ # Set up devstack sudoers |
|
| 144 | 148 |
TEMPFILE=`mktemp` |
| 145 |
- cat $FILES/sudo/nova > $TEMPFILE |
|
| 146 |
- sed -e "s,%USER%,$USER,g" -i $TEMPFILE |
|
| 149 |
+ echo "`whoami` ALL=(root) NOPASSWD:ALL" >$TEMPFILE |
|
| 147 | 150 |
chmod 0440 $TEMPFILE |
| 148 | 151 |
sudo chown root:root $TEMPFILE |
| 149 |
- sudo mv $TEMPFILE /etc/sudoers.d/stack_sh_nova |
|
| 152 |
+ sudo mv $TEMPFILE /etc/sudoers.d/50_stack_sh |
|
| 153 |
+ |
|
| 154 |
+ # Set up the rootwrap sudoers |
|
| 155 |
+ TEMPFILE=`mktemp` |
|
| 156 |
+ echo "$USER ALL=(root) NOPASSWD: /usr/local/bin/nova-rootwrap" >$TEMPFILE |
|
| 157 |
+ chmod 0440 $TEMPFILE |
|
| 158 |
+ sudo chown root:root $TEMPFILE |
|
| 159 |
+ sudo mv $TEMPFILE /etc/sudoers.d/nova-rootwrap |
|
| 160 |
+ |
|
| 161 |
+ # Remove old file |
|
| 162 |
+ sudo rm -f /etc/sudoers.d/stack_sh_nova |
|
| 150 | 163 |
fi |
| 151 | 164 |
|
| 152 | 165 |
# Set True to configure stack.sh to run cleanly without Internet access. |
| ... | ... |
@@ -1222,6 +1235,7 @@ add_nova_opt "[DEFAULT]" |
| 1222 | 1222 |
add_nova_opt "verbose=True" |
| 1223 | 1223 |
add_nova_opt "auth_strategy=keystone" |
| 1224 | 1224 |
add_nova_opt "allow_resize_to_same_host=True" |
| 1225 |
+add_nova_opt "root_helper=sudo /usr/local/bin/nova-rootwrap" |
|
| 1225 | 1226 |
add_nova_opt "compute_scheduler_driver=$SCHEDULER" |
| 1226 | 1227 |
add_nova_opt "dhcpbridge_flagfile=$NOVA_CONF_DIR/$NOVA_CONF" |
| 1227 | 1228 |
add_nova_opt "fixed_range=$FIXED_RANGE" |
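Review bot: The `50_stack_sh` fragment written at new line 149 grants the invoking user `NOPASSWD:ALL`, so the `nova-rootwrap`-only rule at new line 156 and the `root_helper=sudo /usr/local/bin/nova-rootwrap` option in the last hunk do not confine that account on this host; it replaces the deleted `NOVADEVCMDS` allowlist with unrestricted root. If that is intended for a development machine, the comment above it should say so, e.g. `# devstack only: stack.sh needs unrestricted sudo, so nova-rootwrap does not restrict this user here`. Both fragments are also moved into `/etc/sudoers.d` without a syntax check; adding `sudo visudo -c -f $TEMPFILE` after each `chown` and before the `mv` would keep a malformed line from breaking sudo for every user. The first rule takes the account name from whoami and the second from `$USER`, which can differ (for example under `su` without a login shell), so one source should be used for both. The enclosing `if [[ $EUID -eq 0 ]]` block starts outside the hunk.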