rootwrap is, unfortunately, invoked by bare name through a PATH lookup. Short of
fixing that, the remaining option is to force the PATH that sudo uses.
Change-Id: Idac07455359b347e1c617736a515c2261b56d871
| ... | ... |
@@ -39,8 +39,16 @@ fi |
| 39 | 39 |
|
| 40 | 40 |
# set up default directories |
| 41 | 41 |
GITDIR["python-cinderclient"]=$DEST/python-cinderclient |
| 42 |
- |
|
| 43 | 42 |
CINDER_DIR=$DEST/cinder |
| 43 |
+ |
|
| 44 |
+# Cinder virtual environment |
|
| 45 |
+if [[ ${USE_VENV} = True ]]; then
|
|
| 46 |
+ PROJECT_VENV["cinder"]=${CINDER_DIR}.venv
|
|
| 47 |
+ CINDER_BIN_DIR=${PROJECT_VENV["cinder"]}/bin
|
|
| 48 |
+else |
|
| 49 |
+ CINDER_BIN_DIR=$(get_python_exec_prefix) |
|
| 50 |
+fi |
|
| 51 |
+ |
|
| 44 | 52 |
CINDER_STATE_PATH=${CINDER_STATE_PATH:=$DATA_DIR/cinder}
|
| 45 | 53 |
CINDER_AUTH_CACHE_DIR=${CINDER_AUTH_CACHE_DIR:-/var/cache/cinder}
|
| 46 | 54 |
|
| ... | ... |
@@ -57,13 +65,6 @@ CINDER_SERVICE_PORT=${CINDER_SERVICE_PORT:-8776}
|
| 57 | 57 |
CINDER_SERVICE_PORT_INT=${CINDER_SERVICE_PORT_INT:-18776}
|
| 58 | 58 |
CINDER_SERVICE_PROTOCOL=${CINDER_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}
|
| 59 | 59 |
|
| 60 |
-# Support entry points installation of console scripts |
|
| 61 |
-if [[ -d $CINDER_DIR/bin ]]; then |
|
| 62 |
- CINDER_BIN_DIR=$CINDER_DIR/bin |
|
| 63 |
-else |
|
| 64 |
- CINDER_BIN_DIR=$(get_python_exec_prefix) |
|
| 65 |
-fi |
|
| 66 |
- |
|
| 67 | 60 |
|
| 68 | 61 |
# Default backends |
| 69 | 62 |
# The backend format is type:name where type is one of the supported backend |
| ... | ... |
@@ -164,12 +165,11 @@ function cleanup_cinder {
|
| 164 | 164 |
fi |
| 165 | 165 |
} |
| 166 | 166 |
|
| 167 |
+# Deploy new rootwrap filters files and configure sudo |
|
| 167 | 168 |
# configure_cinder_rootwrap() - configure Cinder's rootwrap |
| 168 | 169 |
function configure_cinder_rootwrap {
|
| 169 |
- # Set the paths of certain binaries |
|
| 170 |
- local cinder_rootwrap=$(get_rootwrap_location cinder) |
|
| 170 |
+ local cinder_rootwrap=$CINDER_BIN_DIR/cinder-rootwrap |
|
| 171 | 171 |
|
| 172 |
- # Deploy new rootwrap filters files (owned by root). |
|
| 173 | 172 |
# Wipe any existing rootwrap.d files first |
| 174 | 173 |
if [[ -d $CINDER_CONF_DIR/rootwrap.d ]]; then |
| 175 | 174 |
sudo rm -rf $CINDER_CONF_DIR/rootwrap.d |
| ... | ... |
@@ -188,10 +188,17 @@ function configure_cinder_rootwrap {
|
| 188 | 188 |
|
| 189 | 189 |
# Set up the rootwrap sudoers for cinder |
| 190 | 190 |
local tempfile=`mktemp` |
| 191 |
- echo "$STACK_USER ALL=(root) NOPASSWD: $ROOTWRAP_CSUDOER_CMD" >$tempfile |
|
| 191 |
+ echo "Defaults:$STACK_USER secure_path=$CINDER_BIN_DIR:/sbin:/usr/sbin:/usr/bin:/bin:/usr/local/sbin:/usr/local/bin" >$tempfile |
|
| 192 |
+ echo "$STACK_USER ALL=(root) NOPASSWD: $ROOTWRAP_CSUDOER_CMD" >>$tempfile |
|
| 192 | 193 |
chmod 0440 $tempfile |
| 193 | 194 |
sudo chown root:root $tempfile |
| 194 | 195 |
sudo mv $tempfile /etc/sudoers.d/cinder-rootwrap |
| 196 |
+ |
|
| 197 |
+ # So rootwrap and PATH are broken beyond belief. WTF relies on a SECURE operation |
|
| 198 |
+ # to blindly follow PATH??? We learned that was a bad idea in the 80's! |
|
| 199 |
+ # So to fix this in a venv, we must exploit the very hole we want to close by dropping |
|
| 200 |
+ # a copy of the venv rootwrap binary into /usr/local/bin. |
|
| 201 |
+ #sudo cp -p $cinder_rootwrap /usr/local/bin |
|
| 195 | 202 |
} |
| 196 | 203 |
|
| 197 | 204 |
# configure_cinder() - Set config files, create data dirs, etc |
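Review bot: The new `Defaults:$STACK_USER secure_path=$CINDER_BIN_DIR:...` line at the top of the sudoers file puts the venv's bin directory first in PATH for every command the stack user runs through sudo, not only cinder-rootwrap; in the USE_VENV branch that directory lives under $DEST/cinder and is presumably writable by the unprivileged stack user, so any binary dropped into `${CINDER_DIR}.venv/bin` shadows coreutils under sudo, which is the very exposure the trailing comment complains about. Appending it instead, `echo "Defaults:$STACK_USER secure_path=/sbin:/usr/sbin:/usr/bin:/bin:/usr/local/sbin:/usr/local/bin:$CINDER_BIN_DIR" >$tempfile`, still lets sudo resolve cinder-rootwrap (which has no system-directory counterpart unless a stale copy was left behind) without letting the venv override system tools; the cleaner fix is an absolute rootwrap path in the root_helper, which this change does not attempt. The file is also moved into /etc/sudoers.d without a syntax check, and a malformed Defaults line makes sudo refuse all commands, so run `sudo visudo -cf $tempfile` before the `mv`. The dead `#sudo cp -p $cinder_rootwrap /usr/local/bin` line and the preceding rant should be removed rather than left as an invitation to copy a user-writable binary into a root-owned directory. How $ROOTWRAP_CSUDOER_CMD is derived from the new `$cinder_rootwrap` sits between the hunks, so whether the NOPASSWD rule now matches the venv path cannot be confirmed from here.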