
Commit 32d6bc6

author
Dean Troyer
committed
Add inc/rootwrap
Rootwrap shouldn't be a unique snowflake. Plus the binaries tend to be called assuming PATH will find them. Not so with venvs, so we need to work around that brokenness. Configure Cinder and Nova to use configure_rootwrap(). Change-Id: I8ee1f66014875caf20a2d14ff6ef3672673ba85a
1 parent 43479db commit 32d6bc6


4 files changed

+80
-74
lines changed


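--- a/functions
+++ b/functions
@@ -15,6 +15,7 @@ FUNC_DIR=$(cd $(dirname "${BASH_SOURCE:-$0}") && pwd)
 source ${FUNC_DIR}/functions-common
 source ${FUNC_DIR}/inc/ini-config
 source ${FUNC_DIR}/inc/python
+source ${FUNC_DIR}/inc/rootwrap
 
 # Save trace setting
 XTRACE=$(set +o | grep xtrace)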

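--- /dev/null
+++ b/inc/rootwrap
@@ -0,0 +1,77 @@
+#!/bin/bash
+#
+# **inc/rootwrap** - Rootwrap functions
+#
+# Handle rootwrap's foibles
+
+# Uses: ``STACK_USER``
+# Defines: ``SUDO_SECURE_PATH_FILE``
+
+# Save trace setting
+INC_ROOT_TRACE=$(set +o | grep xtrace)
+set +o xtrace
+
+# Accumulate all additions to sudo's ``secure_path`` in one file read last
+# so they all work in a venv configuration
+SUDO_SECURE_PATH_FILE=${SUDO_SECURE_PATH_FILE:-/etc/sudoers.d/zz-secure-path}
+
+# Add a directory to the common sudo ``secure_path``
+# add_sudo_secure_path dir
+function add_sudo_secure_path {
+local dir=$1
+local line
+
+# This is pretty simplistic for now - assume only the first line is used
+if [[ -r SUDO_SECURE_PATH_FILE ]]; then
+line=$(head -1 $SUDO_SECURE_PATH_FILE)
+else
+line="Defaults:$STACK_USER secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin"
+fi
+
+# Only add ``dir`` if it is not already present
+if [[ $line =~ $dir ]]; then
+echo "${line}:$dir" | sudo tee $SUDO_SECURE_PATH_FILE
+sudo chmod 400 $SUDO_SECURE_PATH_FILE
+sudo chown root:root $SUDO_SECURE_PATH_FILE
+fi
+}
+
+# Configure rootwrap
+# Make a load of assumptions otherwise we'll have 6 arguments
+# configure_rootwrap project bin conf-src-dir
+function configure_rootwrap {
+local project=$1 # xx
+local rootwrap_bin=$2 # /opt/stack/xx.venv/bin/xx-rootwrap
+local rootwrap_conf_src_dir=$3 # /opt/stack/xx/etc/xx
+
+# Start fresh with rootwrap filters
+sudo rm -rf /etc/${project}/rootwrap.d
+sudo install -d -o root -g root -m 755 /etc/${project}/rootwrap.d
+sudo install -o root -g root -m 644 $rootwrap_conf_src_dir/rootwrap.d/*.filters /etc/${project}/rootwrap.d
+
+# Set up rootwrap.conf, pointing to /etc/*/rootwrap.d
+sudo install -o root -g root -m 644 $rootwrap_conf_src_dir/rootwrap.conf /etc/${project}/rootwrap.conf
+sudo sed -e "s:^filters_path=.*$:filters_path=/etc/${project}/rootwrap.d:" -i /etc/${project}/rootwrap.conf
+
+# Specify rootwrap.conf as first parameter to rootwrap
+rootwrap_sudo_cmd="$rootwrap_bin /etc/${project}/rootwrap.conf *"
+
+# Set up the rootwrap sudoers
+local tempfile=$(mktemp)
+echo "$STACK_USER ALL=(root) NOPASSWD: $rootwrap_sudo_cmd" >$tempfile
+chmod 0440 $tempfile
+sudo chown root:root $tempfile
+sudo mv $tempfile /etc/sudoers.d/${project}-rootwrap
+
+# Add bin dir to sudo's secure_path because rootwrap is being called
+# without a path because BROKEN.
+add_sudo_secure_path $(dirname $rootwrap_bin)
+}
+
+
+# Restore xtrace
+$INC_ROOT_TRACE
+
+# Local variables:
+# mode: shell-script
+# End: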

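--- a/lib/cinder
+++ b/lib/cinder
@@ -171,42 +171,6 @@ function cleanup_cinder {
 fi
 }
 
-# Deploy new rootwrap filters files and configure sudo
-# configure_cinder_rootwrap() - configure Cinder's rootwrap
-function configure_cinder_rootwrap {
-local cinder_rootwrap=$CINDER_BIN_DIR/cinder-rootwrap
-
-# Wipe any existing rootwrap.d files first
-if [[ -d $CINDER_CONF_DIR/rootwrap.d ]]; then
-sudo rm -rf $CINDER_CONF_DIR/rootwrap.d
-fi
-
-# Deploy filters to /etc/cinder/rootwrap.d
-sudo install -d -o root -g root -m 755 $CINDER_CONF_DIR/rootwrap.d
-sudo install -o root -g root -m 644 $CINDER_DIR/etc/cinder/rootwrap.d/*.filters $CINDER_CONF_DIR/rootwrap.d
-
-# Set up rootwrap.conf, pointing to /etc/cinder/rootwrap.d
-sudo install -o root -g root -m 644 $CINDER_DIR/etc/cinder/rootwrap.conf $CINDER_CONF_DIR
-sudo sed -e "s:^filters_path=.*$:filters_path=$CINDER_CONF_DIR/rootwrap.d:" -i $CINDER_CONF_DIR/rootwrap.conf
-
-# Specify rootwrap.conf as first parameter to rootwrap
-ROOTWRAP_CSUDOER_CMD="$cinder_rootwrap $CINDER_CONF_DIR/rootwrap.conf *"
-
-# Set up the rootwrap sudoers for cinder
-local tempfile=`mktemp`
-echo "Defaults:$STACK_USER secure_path=$CINDER_BIN_DIR:/sbin:/usr/sbin:/usr/bin:/bin:/usr/local/sbin:/usr/local/bin" >$tempfile
-echo "$STACK_USER ALL=(root) NOPASSWD: $ROOTWRAP_CSUDOER_CMD" >>$tempfile
-chmod 0440 $tempfile
-sudo chown root:root $tempfile
-sudo mv $tempfile /etc/sudoers.d/cinder-rootwrap
-
-# So rootwrap and PATH are broken beyond belief. WTF relies on a SECURE operation
-# to blindly follow PATH??? We learned that was a bad idea in the 80's!
-# So to fix this in a venv, we must exploit the very hole we want to close by dropping
-# a copy of the venv rootwrap binary into /usr/local/bin.
-#sudo cp -p $cinder_rootwrap /usr/local/bin
-}
-
 # configure_cinder() - Set config files, create data dirs, etc
 function configure_cinder {
 sudo install -d -o $STACK_USER -m 755 $CINDER_CONF_DIR
@@ -215,7 +179,7 @@ function configure_cinder {
 
 rm -f $CINDER_CONF
 
-configure_cinder_rootwrap
+configure_rootwrap cinder $CINDER_BIN_DIR/cinder-rootwrap $CINDER_DIR/etc/cinder
 
 cp $CINDER_DIR/etc/cinder/api-paste.ini $CINDER_API_PASTE_INI
 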
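Review bot: The new call on new-file line 182 passes only the project name, and configure_rootwrap derives its targets as `/etc/${project}/…`, whereas the removed code installed rootwrap.conf and rootwrap.d under `$CINDER_CONF_DIR`, which the surrounding lines of configure_cinder still use for every other file; if CINDER_CONF_DIR can be set to anything other than /etc/cinder, rootwrap.conf and the sudoers command line will now point at a directory the rest of the service does not use. Passing `$CINDER_CONF_DIR` through (or having the helper accept the conf dir instead of the project name) would keep the two in step; configure_cinder continues outside the hunk. The same applies to the nova call, `configure_rootwrap nova $NOVA_BIN_DIR/nova-rootwrap $NOVA_DIR/etc/nova`, in lib/nova. Worth recording in the commit message that the removed sudoers line placed `$CINDER_BIN_DIR` at the head of secure_path while add_sudo_secure_path appends it last, so a binary in the user-writable venv no longer shadows system tools for commands run through sudo.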
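--- a/lib/nova
+++ b/lib/nova
@@ -223,50 +223,14 @@ function cleanup_nova {
 #fi
 }
 
-# Deploy new rootwrap filters files and configure sudo
-# configure_nova_rootwrap() - configure Nova's rootwrap
-function configure_nova_rootwrap {
-nova_rootwrap=$NOVA_BIN_DIR/nova-rootwrap
-
-# Wipe any existing rootwrap.d files first
-if [[ -d $NOVA_CONF_DIR/rootwrap.d ]]; then
-sudo rm -rf $NOVA_CONF_DIR/rootwrap.d
-fi
-
-# Deploy filters to /etc/nova/rootwrap.d
-sudo install -d -o root -g root -m 755 $NOVA_CONF_DIR/rootwrap.d
-sudo install -o root -g root -m 644 $NOVA_DIR/etc/nova/rootwrap.d/*.filters $NOVA_CONF_DIR/rootwrap.d
-
-# Set up rootwrap.conf, pointing to /etc/nova/rootwrap.d
-sudo install -o root -g root -m 644 $NOVA_DIR/etc/nova/rootwrap.conf $NOVA_CONF_DIR
-sudo sed -e "s:^filters_path=.*$:filters_path=$NOVA_CONF_DIR/rootwrap.d:" -i $NOVA_CONF_DIR/rootwrap.conf
-
-# Specify rootwrap.conf as first parameter to nova-rootwrap
-local rootwrap_sudoer_cmd="$nova_rootwrap $NOVA_CONF_DIR/rootwrap.conf *"
-
-# Set up the rootwrap sudoers for nova
-local tempfile=`mktemp`
-echo "Defaults:$STACK_USER secure_path=$NOVA_BIN_DIR:/sbin:/usr/sbin:/usr/bin:/bin:/usr/local/sbin:/usr/local/bin" >$tempfile
-echo "$STACK_USER ALL=(root) NOPASSWD: $rootwrap_sudoer_cmd" >>$tempfile
-chmod 0440 $tempfile
-sudo chown root:root $tempfile
-sudo mv $tempfile /etc/sudoers.d/nova-rootwrap
-
-# So rootwrap and PATH are broken beyond belief. WTF relies on a SECURE operation
-# to blindly follow PATH??? We learned that was a bad idea in the 80's!
-# So to fix this in a venv, we must exploit the very hole we want to close by dropping
-# a copy of the venv rootwrap binary into /usr/local/bin.
-#sudo cp -p $nova_rootwrap /usr/local/bin
-}
-
 # configure_nova() - Set config files, create data dirs, etc
 function configure_nova {
 # Put config files in ``/etc/nova`` for everyone to find
 sudo install -d -o $STACK_USER $NOVA_CONF_DIR
 
 install_default_policy nova
 
-configure_nova_rootwrap
+configure_rootwrap nova $NOVA_BIN_DIR/nova-rootwrap $NOVA_DIR/etc/nova
 
 if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
 # Get the sample configuration file in place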
