diff --git a/lib/neutron b/lib/neutron
index 44d41f8cf5..e72c9fe6ea 100644
--- a/lib/neutron
+++ b/lib/neutron
@@ -72,7 +72,8 @@ NEUTRON_SERVICE_PROTOCOL=${NEUTRON_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}
NEUTRON_AUTH_STRATEGY=${NEUTRON_AUTH_STRATEGY:-keystone}
NEUTRON_ROOTWRAP=$(get_rootwrap_location neutron)
NEUTRON_ROOTWRAP_CONF_FILE=$NEUTRON_CONF_DIR/rootwrap.conf
-NEUTRON_ROOTWRAP_DAEMON_CMD="sudo $NEUTRON_ROOTWRAP-daemon $NEUTRON_ROOTWRAP_CONF_FILE"
+NEUTRON_ROOTWRAP_CMD="$NEUTRON_ROOTWRAP $NEUTRON_ROOTWRAP_CONF_FILE"
+NEUTRON_ROOTWRAP_DAEMON_CMD="$NEUTRON_ROOTWRAP-daemon $NEUTRON_ROOTWRAP_CONF_FILE"
# Additional neutron api config files
declare -a _NEUTRON_SERVER_EXTRA_CONF_FILES_ABS
@@ -115,6 +116,13 @@ function cleanup_neutron_new {
done
}
+# configure_root_helper_options() - Configure agent rootwrap helper options
+function configure_root_helper_options {
+ local conffile=$1
+ iniset $conffile agent root_helper "sudo $NEUTRON_ROOTWRAP_CMD"
+ iniset $conffile agent root_helper_daemon "sudo $NEUTRON_ROOTWRAP_DAEMON_CMD"
+}
+
# configure_neutron() - Set config files, create data dirs, etc
function configure_neutron_new {
sudo install -d -o $STACK_USER $NEUTRON_CONF_DIR
@@ -171,6 +179,7 @@ function configure_neutron_new {
if is_service_enabled neutron-agent; then
iniset $NEUTRON_CORE_PLUGIN_CONF agent tunnel_types vxlan
iniset $NEUTRON_CORE_PLUGIN_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL
+ configure_root_helper_options $NEUTRON_CORE_PLUGIN_CONF
# Configure the neutron agent
if [[ $NEUTRON_AGENT == "linuxbridge" ]]; then
@@ -194,7 +203,7 @@ function configure_neutron_new {
# make it so we have working DNS from guests
iniset $NEUTRON_DHCP_CONF DEFAULT dnsmasq_local_resolv True
- iniset $NEUTRON_DHCP_CONF agent root_helper_daemon "$NEUTRON_ROOTWRAP_DAEMON_CMD"
+ configure_root_helper_options $NEUTRON_DHCP_CONF
iniset $NEUTRON_DHCP_CONF DEFAULT interface_driver $NEUTRON_AGENT
neutron_plugin_configure_dhcp_agent $NEUTRON_DHCP_CONF
fi
@@ -203,7 +212,7 @@ function configure_neutron_new {
cp $NEUTRON_DIR/etc/l3_agent.ini.sample $NEUTRON_L3_CONF
iniset $NEUTRON_L3_CONF DEFAULT interface_driver $NEUTRON_AGENT
neutron_service_plugin_class_add router
- iniset $NEUTRON_L3_CONF agent root_helper_daemon "$NEUTRON_ROOTWRAP_DAEMON_CMD"
+ configure_root_helper_options $NEUTRON_L3_CONF
iniset $NEUTRON_L3_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL
neutron_plugin_configure_l3_agent $NEUTRON_L3_CONF
fi
@@ -215,7 +224,8 @@ function configure_neutron_new {
iniset $NEUTRON_META_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL
iniset $NEUTRON_META_CONF DEFAULT nova_metadata_ip $SERVICE_HOST
iniset $NEUTRON_META_CONF DEFAULT metadata_workers $API_WORKERS
- iniset $NEUTRON_META_CONF agent root_helper_daemon "$NEUTRON_ROOTWRAP_DAEMON_CMD"
+ # TODO(ihrachys) do we really need to set rootwrap for metadata agent?
+ configure_root_helper_options $NEUTRON_META_CONF
# TODO(dtroyer): remove the v2.0 hard code below
iniset $NEUTRON_META_CONF DEFAULT auth_url $KEYSTONE_SERVICE_URI/v2.0
@@ -252,12 +262,6 @@ function configure_neutron_new {
# configure_neutron_rootwrap() - configure Neutron's rootwrap
function configure_neutron_rootwrap {
- # Set the paths of certain binaries
- neutron_rootwrap=$(get_rootwrap_location neutron)
-
- # Specify ``rootwrap.conf`` as first parameter to neutron-rootwrap
- local rootwrap_sudoer_cmd="${neutron_rootwrap} $NEUTRON_CONF_DIR/rootwrap.conf"
-
# Deploy new rootwrap filters files (owned by root).
# Wipe any existing rootwrap.d files first
if [[ -d $NEUTRON_CONF_DIR/rootwrap.d ]]; then
@@ -274,7 +278,8 @@ function configure_neutron_rootwrap {
# Set up the rootwrap sudoers for Neutron
tempfile=`mktemp`
- echo "$STACK_USER ALL=(root) NOPASSWD: $rootwrap_sudoer_cmd *" >$tempfile
+ echo "$STACK_USER ALL=(root) NOPASSWD: $NEUTRON_ROOTWRAP_CMD *" >$tempfile
+ echo "$STACK_USER ALL=(root) NOPASSWD: $NEUTRON_ROOTWRAP_DAEMON_CMD" >>$tempfile
chmod 0440 $tempfile
sudo chown root:root $tempfile
sudo mv $tempfile /etc/sudoers.d/neutron-rootwrap