Browse code
Configure nova-rootwrap
* Nova runs as the same user as the rest of devstack and due to the
sudo configuration for devstack itself it may be possible that
root subprocess execution that doesn't go through utils.execute() will
not be caught by the expected sudo failure.
Fixes bug 944373
Change-Id: I0554b3850a59d065059f8ad349c8ff8fb7cfa132
Dean Troyer authored on 2012/03/08 05:11:33Showing 2 changed files
| 1 | 1 |
deleted file mode 100644 |
| ... | ... |
@@ -1,50 +0,0 @@ |
| 1 |
-Cmnd_Alias NOVADEVCMDS = /bin/chmod /var/lib/nova/tmp/*/root/.ssh, \ |
|
| 2 |
- /bin/chown /var/lib/nova/tmp/*/root/.ssh, \ |
|
| 3 |
- /bin/chown, \ |
|
| 4 |
- /bin/chmod, \ |
|
| 5 |
- /bin/dd, \ |
|
| 6 |
- /sbin/ifconfig, \ |
|
| 7 |
- /sbin/ip, \ |
|
| 8 |
- /sbin/route, \ |
|
| 9 |
- /sbin/iptables, \ |
|
| 10 |
- /sbin/iptables-save, \ |
|
| 11 |
- /sbin/iptables-restore, \ |
|
| 12 |
- /sbin/ip6tables-save, \ |
|
| 13 |
- /sbin/ip6tables-restore, \ |
|
| 14 |
- /sbin/kpartx, \ |
|
| 15 |
- /sbin/losetup, \ |
|
| 16 |
- /sbin/lvcreate, \ |
|
| 17 |
- /sbin/lvdisplay, \ |
|
| 18 |
- /sbin/lvremove, \ |
|
| 19 |
- /bin/mkdir, \ |
|
| 20 |
- /bin/mount, \ |
|
| 21 |
- /sbin/pvcreate, \ |
|
| 22 |
- /usr/bin/tee, \ |
|
| 23 |
- /sbin/tune2fs, \ |
|
| 24 |
- /bin/umount, \ |
|
| 25 |
- /sbin/vgcreate, \ |
|
| 26 |
- /usr/bin/virsh, \ |
|
| 27 |
- /usr/bin/qemu-nbd, \ |
|
| 28 |
- /usr/sbin/brctl, \ |
|
| 29 |
- /sbin/brctl, \ |
|
| 30 |
- /usr/sbin/radvd, \ |
|
| 31 |
- /usr/sbin/vblade-persist, \ |
|
| 32 |
- /sbin/pvcreate, \ |
|
| 33 |
- /sbin/aoe-discover, \ |
|
| 34 |
- /sbin/vgcreate, \ |
|
| 35 |
- /bin/aoe-stat, \ |
|
| 36 |
- /bin/kill, \ |
|
| 37 |
- /sbin/vconfig, \ |
|
| 38 |
- /usr/sbin/ietadm, \ |
|
| 39 |
- /sbin/vgs, \ |
|
| 40 |
- /sbin/iscsiadm, \ |
|
| 41 |
- /usr/bin/socat, \ |
|
| 42 |
- /sbin/parted, \ |
|
| 43 |
- /usr/sbin/dnsmasq, \ |
|
| 44 |
- /usr/sbin/tgtadm, \ |
|
| 45 |
- /usr/bin/ovs-vsctl, \ |
|
| 46 |
- /usr/bin/ovs-ofctl, \ |
|
| 47 |
- /usr/sbin/arping |
|
| 48 |
- |
|
| 49 |
-%USER% ALL = (root) NOPASSWD: SETENV: NOVADEVCMDS |
|
| 50 |
- |
| ... | ... |
@@ -135,17 +135,30 @@ if [[ $EUID -eq 0 ]]; then |
| 135 | 135 |
fi |
| 136 | 136 |
exit 1 |
| 137 | 137 |
else |
| 138 |
- # Our user needs passwordless priviledges for certain commands which nova |
|
| 139 |
- # uses internally. |
|
| 140 |
- # Natty uec images sudoers does not have a '#includedir'. add one. |
|
| 138 |
+ # We're not root, make sure sudo is available |
|
| 139 |
+ dpkg -l sudo |
|
| 140 |
+ die_if_error "Sudo is required. Re-run stack.sh as root ONE TIME ONLY to set up sudo." |
|
| 141 |
+ |
|
| 142 |
+ # UEC images /etc/sudoers does not have a '#includedir'. add one. |
|
| 141 | 143 |
sudo grep -q "^#includedir.*/etc/sudoers.d" /etc/sudoers || |
| 142 | 144 |
echo "#includedir /etc/sudoers.d" | sudo tee -a /etc/sudoers |
| 145 |
+ |
|
| 146 |
+ # Set up devstack sudoers |
|
| 143 | 147 |
TEMPFILE=`mktemp` |
| 144 |
- cat $FILES/sudo/nova > $TEMPFILE |
|
| 145 |
- sed -e "s,%USER%,$USER,g" -i $TEMPFILE |
|
| 148 |
+ echo "`whoami` ALL=(root) NOPASSWD:ALL" >$TEMPFILE |
|
| 146 | 149 |
chmod 0440 $TEMPFILE |
| 147 | 150 |
sudo chown root:root $TEMPFILE |
| 148 |
- sudo mv $TEMPFILE /etc/sudoers.d/stack_sh_nova |
|
| 151 |
+ sudo mv $TEMPFILE /etc/sudoers.d/50_stack_sh |
|
| 152 |
+ |
|
| 153 |
+ # Set up the rootwrap sudoers |
|
| 154 |
+ TEMPFILE=`mktemp` |
|
| 155 |
+ echo "$USER ALL=(root) NOPASSWD: /usr/local/bin/nova-rootwrap" >$TEMPFILE |
|
| 156 |
+ chmod 0440 $TEMPFILE |
|
| 157 |
+ sudo chown root:root $TEMPFILE |
|
| 158 |
+ sudo mv $TEMPFILE /etc/sudoers.d/nova-rootwrap |
|
| 159 |
+ |
|
| 160 |
+ # Remove old file |
|
| 161 |
+ sudo rm -f /etc/sudoers.d/stack_sh_nova |
|
| 149 | 162 |
fi |
| 150 | 163 |
|
| 151 | 164 |
# Set True to configure stack.sh to run cleanly without Internet access. |
| ... | ... |
@@ -1192,6 +1205,7 @@ add_nova_opt "[DEFAULT]" |
| 1192 | 1192 |
add_nova_opt "verbose=True" |
| 1193 | 1193 |
add_nova_opt "auth_strategy=keystone" |
| 1194 | 1194 |
add_nova_opt "allow_resize_to_same_host=True" |
| 1195 |
+add_nova_opt "root_helper=sudo /usr/local/bin/nova-rootwrap" |
|
| 1195 | 1196 |
add_nova_opt "compute_scheduler_driver=$SCHEDULER" |
| 1196 | 1197 |
add_nova_opt "dhcpbridge_flagfile=$NOVA_CONF_DIR/$NOVA_CONF" |
| 1197 | 1198 |
add_nova_opt "fixed_range=$FIXED_RANGE" |