* Perform operations in lib/cinder
* Use specific cinder-rootwrap file
* Add root_helper to cinder.conf
Change-Id: Ibcae8bae2d06c9cbb4c41c39791e8dbdc8bbb0ac
| ... | ... |
@@ -52,6 +52,42 @@ function configure_cinder() {
|
| 52 | 52 |
|
| 53 | 53 |
cp -p $CINDER_DIR/etc/cinder/policy.json $CINDER_CONF_DIR |
| 54 | 54 |
|
| 55 |
+ # Set the paths of certain binaries |
|
| 56 |
+ if [[ "$os_PACKAGE" = "deb" ]]; then |
|
| 57 |
+ CINDER_ROOTWRAP=/usr/local/bin/cinder-rootwrap |
|
| 58 |
+ else |
|
| 59 |
+ CINDER_ROOTWRAP=/usr/bin/cinder-rootwrap |
|
| 60 |
+ fi |
|
| 61 |
+ |
|
| 62 |
+ # If Cinder ships the new rootwrap filters files, deploy them |
|
| 63 |
+ # (owned by root) and add a parameter to $CINDER_ROOTWRAP |
|
| 64 |
+ ROOTWRAP_CINDER_SUDOER_CMD="$CINDER_ROOTWRAP" |
|
| 65 |
+ if [[ -d $CINDER_DIR/etc/cinder/rootwrap.d ]]; then |
|
| 66 |
+ # Wipe any existing rootwrap.d files first |
|
| 67 |
+ if [[ -d $CINDER_CONF_DIR/rootwrap.d ]]; then |
|
| 68 |
+ sudo rm -rf $CINDER_CONF_DIR/rootwrap.d |
|
| 69 |
+ fi |
|
| 70 |
+ # Deploy filters to /etc/cinder/rootwrap.d |
|
| 71 |
+ sudo mkdir -m 755 $CINDER_CONF_DIR/rootwrap.d |
|
| 72 |
+ sudo cp $CINDER_DIR/etc/cinder/rootwrap.d/*.filters $CINDER_CONF_DIR/rootwrap.d |
|
| 73 |
+ sudo chown -R root:root $CINDER_CONF_DIR/rootwrap.d |
|
| 74 |
+ sudo chmod 644 $CINDER_CONF_DIR/rootwrap.d/* |
|
| 75 |
+ # Set up rootwrap.conf, pointing to /etc/cinder/rootwrap.d |
|
| 76 |
+ sudo cp $CINDER_DIR/etc/cinder/rootwrap.conf $CINDER_CONF_DIR/ |
|
| 77 |
+ sudo sed -e "s:^filters_path=.*$:filters_path=$CINDER_CONF_DIR/rootwrap.d:" -i $CINDER_CONF_DIR/rootwrap.conf |
|
| 78 |
+ sudo chown root:root $CINDER_CONF_DIR/rootwrap.conf |
|
| 79 |
+ sudo chmod 0644 $CINDER_CONF_DIR/rootwrap.conf |
|
| 80 |
+ # Specify rootwrap.conf as first parameter to cinder-rootwrap |
|
| 81 |
+ CINDER_ROOTWRAP="$CINDER_ROOTWRAP $CINDER_CONF_DIR/rootwrap.conf" |
|
| 82 |
+ ROOTWRAP_CINDER_SUDOER_CMD="$CINDER_ROOTWRAP *" |
|
| 83 |
+ fi |
|
| 84 |
+ |
|
| 85 |
+ TEMPFILE=`mktemp` |
|
| 86 |
+ echo "$USER ALL=(root) NOPASSWD: $ROOTWRAP_CINDER_SUDOER_CMD" >$TEMPFILE |
|
| 87 |
+ chmod 0440 $TEMPFILE |
|
| 88 |
+ sudo chown root:root $TEMPFILE |
|
| 89 |
+ sudo mv $TEMPFILE /etc/sudoers.d/cinder-rootwrap |
|
| 90 |
+ |
|
| 55 | 91 |
CINDER_API_PASTE_INI=$CINDER_CONF_DIR/api-paste.ini |
| 56 | 92 |
cp $CINDER_DIR/etc/cinder/api-paste.ini $CINDER_API_PASTE_INI |
| 57 | 93 |
iniset $CINDER_API_PASTE_INI filter:authtoken auth_host $KEYSTONE_AUTH_HOST |
| ... | ... |
@@ -71,6 +107,8 @@ function configure_cinder() {
|
| 71 | 71 |
iniset $CINDER_CONF DEFAULT rabbit_host $RABBIT_HOST |
| 72 | 72 |
iniset $CINDER_CONF DEFAULT rabbit_password $RABBIT_PASSWORD |
| 73 | 73 |
iniset $CINDER_CONF DEFAULT api_paste_config $CINDER_API_PASTE_INI |
| 74 |
+ iniset $CINDER_CONF DEFAULT root_helper "sudo ${CINDER_ROOTWRAP}"
|
|
| 75 |
+ |
|
| 74 | 76 |
} |
| 75 | 77 |
|
| 76 | 78 |
# init_cinder() - Initialize database and volume group |
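Review bot: The sudoers fragment built at new lines 85–89 of the configure_cinder hunk is moved into /etc/sudoers.d/cinder-rootwrap without a syntax check, and a malformed file there (for example from an unexpected `$USER` or path value) can leave sudo unusable for every later step; running `sudo visudo -c -f $TEMPFILE` after the chown and aborting on failure before the `mv` would catch that. In the same hunk, `sudo rm -rf $CINDER_CONF_DIR/rootwrap.d` runs as root on an unquoted variable, so `sudo rm -rf "${CINDER_CONF_DIR:?}/rootwrap.d"` would be safer if the variable is ever empty or contains spaces. When `rootwrap.d` is absent, the rule written is the bare `$CINDER_ROOTWRAP` path, which sudo treats as permitting any arguments, so a comment such as `# legacy rootwrap: no config file to pin, any arguments are allowed` would make that wider grant explicit. configure_cinder begins before this hunk, so where CINDER_CONF_DIR and os_PACKAGE are set cannot be confirmed from here.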
| ... | ... |
@@ -1225,7 +1225,7 @@ if [[ -d $NOVA_DIR/etc/nova/rootwrap.d ]]; then |
| 1225 | 1225 |
ROOTWRAP_SUDOER_CMD="$NOVA_ROOTWRAP *" |
| 1226 | 1226 |
fi |
| 1227 | 1227 |
|
| 1228 |
-# Set up the rootwrap sudoers |
|
| 1228 |
+# Set up the rootwrap sudoers for nova |
|
| 1229 | 1229 |
TEMPFILE=`mktemp` |
| 1230 | 1230 |
echo "$USER ALL=(root) NOPASSWD: $ROOTWRAP_SUDOER_CMD" >$TEMPFILE |
| 1231 | 1231 |
chmod 0440 $TEMPFILE |
| ... | ... |
@@ -1495,7 +1495,7 @@ if is_service_enabled swift; then |
| 1495 | 1495 |
if is_service_enabled swift3;then |
| 1496 | 1496 |
swift_auth_server="s3token " |
| 1497 | 1497 |
fi |
| 1498 |
- |
|
| 1498 |
+ |
|
| 1499 | 1499 |
# By default Swift will be installed with the tempauth middleware |
| 1500 | 1500 |
# which has some default username and password if you have |
| 1501 | 1501 |
# configured keystone it will checkout the directory. |