Browse code
Merge "lib/neutron: configure root_helper for agents"
Jenkins authored on 2017/09/22 08:31:53Showing 1 changed files
| ... | ... |
@@ -72,7 +72,8 @@ NEUTRON_SERVICE_PROTOCOL=${NEUTRON_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}
|
| 72 | 72 |
NEUTRON_AUTH_STRATEGY=${NEUTRON_AUTH_STRATEGY:-keystone}
|
| 73 | 73 |
NEUTRON_ROOTWRAP=$(get_rootwrap_location neutron) |
| 74 | 74 |
NEUTRON_ROOTWRAP_CONF_FILE=$NEUTRON_CONF_DIR/rootwrap.conf |
| 75 |
-NEUTRON_ROOTWRAP_DAEMON_CMD="sudo $NEUTRON_ROOTWRAP-daemon $NEUTRON_ROOTWRAP_CONF_FILE" |
|
| 75 |
+NEUTRON_ROOTWRAP_CMD="$NEUTRON_ROOTWRAP $NEUTRON_ROOTWRAP_CONF_FILE" |
|
| 76 |
+NEUTRON_ROOTWRAP_DAEMON_CMD="$NEUTRON_ROOTWRAP-daemon $NEUTRON_ROOTWRAP_CONF_FILE" |
|
| 76 | 77 |
|
| 77 | 78 |
# This is needed because _neutron_ovs_base_configure_l3_agent will set |
| 78 | 79 |
# external_network_bridge |
| ... | ... |
@@ -125,6 +126,13 @@ function cleanup_neutron_new {
|
| 125 | 125 |
done |
| 126 | 126 |
} |
| 127 | 127 |
|
| 128 |
+# configure_root_helper_options() - Configure agent rootwrap helper options |
|
| 129 |
+function configure_root_helper_options {
|
|
| 130 |
+ local conffile=$1 |
|
| 131 |
+ iniset $conffile agent root_helper "sudo $NEUTRON_ROOTWRAP_CMD" |
|
| 132 |
+ iniset $conffile agent root_helper_daemon "sudo $NEUTRON_ROOTWRAP_DAEMON_CMD" |
|
| 133 |
+} |
|
| 134 |
+ |
|
| 128 | 135 |
# configure_neutron() - Set config files, create data dirs, etc |
| 129 | 136 |
function configure_neutron_new {
|
| 130 | 137 |
sudo install -d -o $STACK_USER $NEUTRON_CONF_DIR |
| ... | ... |
@@ -185,6 +193,7 @@ function configure_neutron_new {
|
| 185 | 185 |
if is_service_enabled neutron-agent; then |
| 186 | 186 |
iniset $NEUTRON_CORE_PLUGIN_CONF agent tunnel_types vxlan |
| 187 | 187 |
iniset $NEUTRON_CORE_PLUGIN_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL |
| 188 |
+ configure_root_helper_options $NEUTRON_CORE_PLUGIN_CONF |
|
| 188 | 189 |
|
| 189 | 190 |
# Configure the neutron agent |
| 190 | 191 |
if [[ $NEUTRON_AGENT == "linuxbridge" ]]; then |
| ... | ... |
@@ -208,7 +217,7 @@ function configure_neutron_new {
|
| 208 | 208 |
# make it so we have working DNS from guests |
| 209 | 209 |
iniset $NEUTRON_DHCP_CONF DEFAULT dnsmasq_local_resolv True |
| 210 | 210 |
|
| 211 |
- iniset $NEUTRON_DHCP_CONF agent root_helper_daemon "$NEUTRON_ROOTWRAP_DAEMON_CMD" |
|
| 211 |
+ configure_root_helper_options $NEUTRON_DHCP_CONF |
|
| 212 | 212 |
iniset $NEUTRON_DHCP_CONF DEFAULT interface_driver $NEUTRON_AGENT |
| 213 | 213 |
neutron_plugin_configure_dhcp_agent $NEUTRON_DHCP_CONF |
| 214 | 214 |
fi |
| ... | ... |
@@ -217,7 +226,7 @@ function configure_neutron_new {
|
| 217 | 217 |
cp $NEUTRON_DIR/etc/l3_agent.ini.sample $NEUTRON_L3_CONF |
| 218 | 218 |
iniset $NEUTRON_L3_CONF DEFAULT interface_driver $NEUTRON_AGENT |
| 219 | 219 |
neutron_service_plugin_class_add router |
| 220 |
- iniset $NEUTRON_L3_CONF agent root_helper_daemon "$NEUTRON_ROOTWRAP_DAEMON_CMD" |
|
| 220 |
+ configure_root_helper_options $NEUTRON_L3_CONF |
|
| 221 | 221 |
iniset $NEUTRON_L3_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL |
| 222 | 222 |
neutron_plugin_configure_l3_agent $NEUTRON_L3_CONF |
| 223 | 223 |
fi |
| ... | ... |
@@ -229,7 +238,8 @@ function configure_neutron_new {
|
| 229 | 229 |
iniset $NEUTRON_META_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL |
| 230 | 230 |
iniset $NEUTRON_META_CONF DEFAULT nova_metadata_ip $SERVICE_HOST |
| 231 | 231 |
iniset $NEUTRON_META_CONF DEFAULT metadata_workers $API_WORKERS |
| 232 |
- iniset $NEUTRON_META_CONF agent root_helper_daemon "$NEUTRON_ROOTWRAP_DAEMON_CMD" |
|
| 232 |
+ # TODO(ihrachys) do we really need to set rootwrap for metadata agent? |
|
| 233 |
+ configure_root_helper_options $NEUTRON_META_CONF |
|
| 233 | 234 |
|
| 234 | 235 |
# TODO(dtroyer): remove the v2.0 hard code below |
| 235 | 236 |
iniset $NEUTRON_META_CONF DEFAULT auth_url $KEYSTONE_SERVICE_URI |
| ... | ... |
@@ -254,12 +264,6 @@ function configure_neutron_new {
|
| 254 | 254 |
|
| 255 | 255 |
# configure_neutron_rootwrap() - configure Neutron's rootwrap |
| 256 | 256 |
function configure_neutron_rootwrap {
|
| 257 |
- # Set the paths of certain binaries |
|
| 258 |
- neutron_rootwrap=$(get_rootwrap_location neutron) |
|
| 259 |
- |
|
| 260 |
- # Specify ``rootwrap.conf`` as first parameter to neutron-rootwrap |
|
| 261 |
- local rootwrap_sudoer_cmd="${neutron_rootwrap} $NEUTRON_CONF_DIR/rootwrap.conf"
|
|
| 262 |
- |
|
| 263 | 257 |
# Deploy new rootwrap filters files (owned by root). |
| 264 | 258 |
# Wipe any existing rootwrap.d files first |
| 265 | 259 |
if [[ -d $NEUTRON_CONF_DIR/rootwrap.d ]]; then |
| ... | ... |
@@ -276,7 +280,8 @@ function configure_neutron_rootwrap {
|
| 276 | 276 |
|
| 277 | 277 |
# Set up the rootwrap sudoers for Neutron |
| 278 | 278 |
tempfile=`mktemp` |
| 279 |
- echo "$STACK_USER ALL=(root) NOPASSWD: $rootwrap_sudoer_cmd *" >$tempfile |
|
| 279 |
+ echo "$STACK_USER ALL=(root) NOPASSWD: $NEUTRON_ROOTWRAP_CMD *" >$tempfile |
|
| 280 |
+ echo "$STACK_USER ALL=(root) NOPASSWD: $NEUTRON_ROOTWRAP_DAEMON_CMD" >>$tempfile |
|
| 280 | 281 |
chmod 0440 $tempfile |
| 281 | 282 |
sudo chown root:root $tempfile |
| 282 | 283 |
sudo mv $tempfile /etc/sudoers.d/neutron-rootwrap |