lib/neutron: configure root_helper for agents
Before the patch, we were only configuring root_helper_daemon to point to oslo.rootwrap, but not root_helper. (The former is used for long running commands only, while the latter is used for short lived commands.) This made neutron agents to directly call to sudo when a privileged process was to be executed. This failed because /etc/sudoers was not configured to allow anything except the rootwrap call itself. This patch simplifies rootwrap handling in the code; it also sets root_helper to point to rootwrap; as well as configure daemon in sudoers. While at it, we also set l2 agent to use rootwrap too. Hopefully, it will be enough for agents to actually configure backend as needed. Change-Id: Ib05a6e0e024f534d7f616d41d70fb67ecf6daeaf
This commit is contained in:
Ihar Hrachyshka
parent
8fe48af162
commit
e65ab4a1c5
27
lib/neutron
27
lib/neutron
@ -72,7 +72,8 @@ NEUTRON_SERVICE_PROTOCOL=${NEUTRON_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}
|
||||
NEUTRON_AUTH_STRATEGY=${NEUTRON_AUTH_STRATEGY:-keystone}
|
||||
NEUTRON_ROOTWRAP=$(get_rootwrap_location neutron)
|
||||
NEUTRON_ROOTWRAP_CONF_FILE=$NEUTRON_CONF_DIR/rootwrap.conf
|
||||
NEUTRON_ROOTWRAP_DAEMON_CMD="sudo $NEUTRON_ROOTWRAP-daemon $NEUTRON_ROOTWRAP_CONF_FILE"
|
||||
NEUTRON_ROOTWRAP_CMD="$NEUTRON_ROOTWRAP $NEUTRON_ROOTWRAP_CONF_FILE"
|
||||
NEUTRON_ROOTWRAP_DAEMON_CMD="$NEUTRON_ROOTWRAP-daemon $NEUTRON_ROOTWRAP_CONF_FILE"
|
||||
|
||||
# Additional neutron api config files
|
||||
declare -a _NEUTRON_SERVER_EXTRA_CONF_FILES_ABS
|
||||
@ -115,6 +116,13 @@ function cleanup_neutron_new {
|
||||
done
|
||||
}
|
||||
|
||||
# configure_root_helper_options() - Configure agent rootwrap helper options
|
||||
function configure_root_helper_options {
|
||||
local conffile=$1
|
||||
iniset $conffile agent root_helper "sudo $NEUTRON_ROOTWRAP_CMD"
|
||||
iniset $conffile agent root_helper_daemon "sudo $NEUTRON_ROOTWRAP_DAEMON_CMD"
|
||||
}
|
||||
|
||||
# configure_neutron() - Set config files, create data dirs, etc
|
||||
function configure_neutron_new {
|
||||
sudo install -d -o $STACK_USER $NEUTRON_CONF_DIR
|
||||
@ -171,6 +179,7 @@ function configure_neutron_new {
|
||||
if is_service_enabled neutron-agent; then
|
||||
iniset $NEUTRON_CORE_PLUGIN_CONF agent tunnel_types vxlan
|
||||
iniset $NEUTRON_CORE_PLUGIN_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL
|
||||
configure_root_helper_options $NEUTRON_CORE_PLUGIN_CONF
|
||||
|
||||
# Configure the neutron agent
|
||||
if [[ $NEUTRON_AGENT == "linuxbridge" ]]; then
|
||||
@ -194,7 +203,7 @@ function configure_neutron_new {
|
||||
# make it so we have working DNS from guests
|
||||
iniset $NEUTRON_DHCP_CONF DEFAULT dnsmasq_local_resolv True
|
||||
|
||||
iniset $NEUTRON_DHCP_CONF agent root_helper_daemon "$NEUTRON_ROOTWRAP_DAEMON_CMD"
|
||||
configure_root_helper_options $NEUTRON_DHCP_CONF
|
||||
iniset $NEUTRON_DHCP_CONF DEFAULT interface_driver $NEUTRON_AGENT
|
||||
neutron_plugin_configure_dhcp_agent $NEUTRON_DHCP_CONF
|
||||
fi
|
||||
@ -203,7 +212,7 @@ function configure_neutron_new {
|
||||
cp $NEUTRON_DIR/etc/l3_agent.ini.sample $NEUTRON_L3_CONF
|
||||
iniset $NEUTRON_L3_CONF DEFAULT interface_driver $NEUTRON_AGENT
|
||||
neutron_service_plugin_class_add router
|
||||
iniset $NEUTRON_L3_CONF agent root_helper_daemon "$NEUTRON_ROOTWRAP_DAEMON_CMD"
|
||||
configure_root_helper_options $NEUTRON_L3_CONF
|
||||
iniset $NEUTRON_L3_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL
|
||||
neutron_plugin_configure_l3_agent $NEUTRON_L3_CONF
|
||||
fi
|
||||
@ -215,7 +224,8 @@ function configure_neutron_new {
|
||||
iniset $NEUTRON_META_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL
|
||||
iniset $NEUTRON_META_CONF DEFAULT nova_metadata_ip $SERVICE_HOST
|
||||
iniset $NEUTRON_META_CONF DEFAULT metadata_workers $API_WORKERS
|
||||
iniset $NEUTRON_META_CONF agent root_helper_daemon "$NEUTRON_ROOTWRAP_DAEMON_CMD"
|
||||
# TODO(ihrachys) do we really need to set rootwrap for metadata agent?
|
||||
configure_root_helper_options $NEUTRON_META_CONF
|
||||
|
||||
# TODO(dtroyer): remove the v2.0 hard code below
|
||||
iniset $NEUTRON_META_CONF DEFAULT auth_url $KEYSTONE_SERVICE_URI/v2.0
|
||||
@ -252,12 +262,6 @@ function configure_neutron_new {
|
||||
|
||||
# configure_neutron_rootwrap() - configure Neutron's rootwrap
|
||||
function configure_neutron_rootwrap {
|
||||
# Set the paths of certain binaries
|
||||
neutron_rootwrap=$(get_rootwrap_location neutron)
|
||||
|
||||
# Specify ``rootwrap.conf`` as first parameter to neutron-rootwrap
|
||||
local rootwrap_sudoer_cmd="${neutron_rootwrap} $NEUTRON_CONF_DIR/rootwrap.conf"
|
||||
|
||||
# Deploy new rootwrap filters files (owned by root).
|
||||
# Wipe any existing rootwrap.d files first
|
||||
if [[ -d $NEUTRON_CONF_DIR/rootwrap.d ]]; then
|
||||
@ -274,7 +278,8 @@ function configure_neutron_rootwrap {
|
||||
|
||||
# Set up the rootwrap sudoers for Neutron
|
||||
tempfile=`mktemp`
|
||||
echo "$STACK_USER ALL=(root) NOPASSWD: $rootwrap_sudoer_cmd *" >$tempfile
|
||||
echo "$STACK_USER ALL=(root) NOPASSWD: $NEUTRON_ROOTWRAP_CMD *" >$tempfile
|
||||
echo "$STACK_USER ALL=(root) NOPASSWD: $NEUTRON_ROOTWRAP_DAEMON_CMD" >>$tempfile
|
||||
chmod 0440 $tempfile
|
||||
sudo chown root:root $tempfile
|
||||
sudo mv $tempfile /etc/sudoers.d/neutron-rootwrap
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user