From 2a4390d13e5f46e81d898a29987385a0fe29569e Mon Sep 17 00:00:00 2001
From: "James E. Blair"
Date: Fri, 22 Jun 2012 16:42:08 -0700
Subject: [PATCH] Run devstack as stack instead of jenkins.
So that sudo permissions may be revoked after they aren't needed.
Fixes bug #1016567.
Change-Id: Ib8b287e8252397a168fbe23672b2822509511d59
---
 devstack-vm-gate-wrap.sh | 27 ++++++++++++++++++++-------
 devstack-vm-gate.sh | 21 +++++++++++++--------
 2 files changed, 33 insertions(+), 15 deletions(-)
diff --git a/devstack-vm-gate-wrap.sh b/devstack-vm-gate-wrap.sh
index 685661f4..a86d0e9f 100755
--- a/devstack-vm-gate-wrap.sh
+++ b/devstack-vm-gate-wrap.sh
@@ -38,6 +38,8 @@ if [ -z "$SKIP_DEVSTACK_GATE_PROJECT" ]; then
 PROJECTS="openstack-ci/devstack-gate $PROJECTS"
 fi
+export DEST=/opt/stack
+
 # Most of the work of this script is done in functions so that we may
 # easily redirect their stdout / stderr to log files.
@@ -55,7 +57,9 @@ function setup_workspace {
 sudo bash -c 'echo "127.0.1.1 $HOSTNAME" >>/etc/hosts'
 fi
- cd $WORKSPACE
+ sudo mkdir -p $DEST
+ sudo chown -R jenkins:jenkins $DEST
+ cd $DEST
 ORIGINAL_GERRIT_PROJECT=$GERRIT_PROJECT
 ORIGINAL_GERRIT_BRANCH=$GERRIT_BRANCH
@@ -84,7 +88,7 @@ function setup_workspace {
 export GERRIT_PROJECT
 /usr/local/jenkins/slave_scripts/gerrit-git-prep.sh review.openstack.org
- cd $WORKSPACE
+ cd $DEST
 done
 GERRIT_PROJECT=$ORIGINAL_GERRIT_PROJECT
@@ -92,7 +96,7 @@ function setup_workspace {
 # Set GATE_SCRIPT_DIR to point to devstack-gate in the workspace so that
 # we are testing the proposed change from this point forward.
- GATE_SCRIPT_DIR=$WORKSPACE/devstack-gate
+ GATE_SCRIPT_DIR=$DEST/devstack-gate
 # Disable detailed logging as we return to the main script
 set +o xtrace
@@ -117,7 +121,7 @@ function setup_host {
 # The vm template update job should cache some images in ~/files.
 # Move them to where devstack expects:
 if ls ~/cache/files/*; then
- mv ~/cache/files/* $WORKSPACE/devstack/files
+ mv ~/cache/files/* $DEST/devstack/files
 fi
 # Move the PIP cache into position:
@@ -133,6 +137,15 @@ function setup_host {
 sudo chmod a+r /var/log/syslog
 sudo start rsyslog
+ # Create a stack user for devstack to run as, so that we can
+ # revoke sudo permissions from that user when appropriate.
+ sudo useradd -U -s /bin/bash -d $DEST -m stack
+ TEMPFILE=`mktemp`
+ echo "stack ALL=(root) NOPASSWD:ALL" >$TEMPFILE
+ chmod 0440 $TEMPFILE
+ sudo chown root:root $TEMPFILE
+ sudo mv $TEMPFILE /etc/sudoers.d/50_stack_sh
+
 # Disable detailed logging as we return to the main script
 set +o xtrace
 }
@@ -145,13 +158,13 @@ function cleanup_host {
 # No matter what, archive logs
 sudo cp /var/log/syslog $WORKSPACE/logs/syslog.txt
- cp $WORKSPACE/screen-logs/* $WORKSPACE/logs/
+ sudo cp $DEST/screen-logs/* $WORKSPACE/logs/
 # Make the devstack localrc available with the logs
- cp $WORKSPACE/devstack/localrc $WORKSPACE/logs/localrc.txt
+ sudo cp $DEST/devstack/localrc $WORKSPACE/logs/localrc.txt
 # Make sure jenkins can read all the logs
- sudo chown -R jenkins.jenkins $WORKSPACE/logs/
+ sudo chown -R jenkins:jenkins $WORKSPACE/logs/
 sudo chmod a+r $WORKSPACE/logs/
 rename 's/\.log$/.txt/' $WORKSPACE/logs/*
diff --git a/devstack-vm-gate.sh b/devstack-vm-gate.sh
index 377b2208..66b8b971 100755
--- a/devstack-vm-gate.sh
+++ b/devstack-vm-gate.sh
@@ -21,8 +21,6 @@
 set -o errexit
-# Important to set DEST so that devstack uses our prepared sources.
-export DEST=$WORKSPACE
 cd $DEST/devstack
 ENABLED_SERVICES=g-api,g-reg,key,n-api,n-crt,n-obj,n-cpu,n-net,n-vol,n-sch,horizon,mysql,rabbit
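Review bot: The sudoers drop-in added to setup_host is moved into /etc/sudoers.d without a syntax check, and it is assembled in four separate steps (write, chmod, chown, mv) using unquoted `$TEMPFILE` and backticks. A malformed or wrongly-moded file in that directory can break sudo for every account on the node, so validate first and install in one step: `sudo visudo -cf "$TEMPFILE"`, then `sudo install -o root -g root -m 0440 "$TEMPFILE" /etc/sudoers.d/50_stack_sh` and `rm -f "$TEMPFILE"`. The comment above `useradd` should also say where the rule is removed again (devstack-vm-gate.sh, right after stack.sh), because that lifetime is the security property this change relies on. setup_host starts outside the hunk, so whether `useradd` can hit an already existing stack user on a reused node cannot be judged from here.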
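Review bot: In cleanup_host, `sudo cp $DEST/screen-logs/* $WORKSPACE/logs/` now runs as root over a directory owned by the stack user, and the results are then handed to jenkins and published with the logs. Plain `cp` dereferences symlinks, so a link left in screen-logs by any process running as stack would have its target read with root privileges, which undercuts the privilege drop this commit introduces. If the screen logs are expected to be regular files, `sudo cp --no-dereference $DEST/screen-logs/* $WORKSPACE/logs/` keeps root from following them; otherwise do the read as the owning user rather than as root. The same applies to the `localrc` copy on the next changed line, and cleanup_host continues outside the hunk.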
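Review bot: With `export DEST=$WORKSPACE` removed, devstack-vm-gate.sh silently depends on DEST being exported by devstack-vm-gate-wrap.sh, and nothing checks it before `cd $DEST/devstack` or the later `sudo chown -R stack:stack $DEST`. Add `: "${DEST:?DEST must be exported by devstack-vm-gate-wrap.sh}"` directly after `set -o errexit` so a standalone run stops with a clear message instead of resolving paths against `/`. Quoting `"$DEST"` in the commands that run under sudo would make the dependency safer still.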
@@ -46,7 +44,7 @@ ENABLED_SERVICES=$ENABLED_SERVICES
 SKIP_EXERCISES=boot_from_volume,client-env,swift
 SERVICE_HOST=127.0.0.1
 SYSLOG=True
-SCREEN_LOGDIR=$WORKSPACE/screen-logs
+SCREEN_LOGDIR=$DEST/screen-logs
 FIXED_RANGE=10.1.0.0/24
 FIXED_NETWORK_SIZE=256
 EOF
@@ -61,15 +59,22 @@ if [ "$DEVSTACK_GATE_TEMPEST" -eq "1" ]; then
 echo "VOLUME_BACKING_FILE_SIZE=4G" >> localrc
 fi
+# Make the workspace owned by the stack user
+sudo chown -R stack:stack $DEST
+
 echo "Running devstack"
-./stack.sh
+sudo -H -u stack ./stack.sh
+
+echo "Removing sudo privileges for devstack user"
+sudo rm /etc/sudoers.d/50_stack_sh
+
 if [ "$DEVSTACK_GATE_TEMPEST" -eq "1" ]; then
 echo "Configuring tempest"
- ./tools/configure_tempest.sh
- cd $WORKSPACE/tempest
+ sudo -H -u stack ./tools/configure_tempest.sh
+ cd $DEST/tempest
 echo "Running tempest"
- nosetests --with-xunit -sv $DEVSTACK_GATE_TEMPEST_TESTS
+ sudo -H -u stack nosetests --with-xunit -sv $DEVSTACK_GATE_TEMPEST_TESTS
 else
 echo "Running devstack exercises"
- ./exercise.sh
+ sudo -H -u stack ./exercise.sh
 fi
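Review bot: The revocation step `sudo rm /etc/sudoers.d/50_stack_sh` is only reached when `stack.sh` succeeds, because the script runs under `set -o errexit`, and nothing afterwards confirms that the stack user has lost root. Removing that one file also does not undo anything stack.sh may have configured while it held NOPASSWD:ALL; further sudoers entries would be one example, though none are visible in this diff. Register the cleanup before devstack starts with `trap 'sudo rm -f /etc/sudoers.d/50_stack_sh' EXIT`, and after the removal assert that the drop took effect: `if sudo -H -u stack sudo -n true 2>/dev/null; then echo "stack still has sudo" >&2; exit 1; fi`. A short comment stating that tempest and the exercises are meant to run without sudo would record the intent for later maintainers.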