Fix permissions to /var/lib/nova/

Due to changes with the drop-root work, we lost the ability to write
to /var/lib/nova/*. This fixes those permissions and ensures cross
container talk works properly between nova_libvirt and nova_compute

Additionally, this fixes another issue introduced which saw that
nova-compute could not run sudo commands as it did not have a proper
sudoers entry

Testing from previous deploys means you need a fresh environment. You
have to remove all of the named volumes that kolla created in docker.
Check these with `docker volume ls`

Signed-off-by: Hui Kang <kangh@us.ibm.com>
Signed-off-by: Artur Zarzycki <azarzycki@mirantis.com>
Co-Authored-By: Sam Yaple <sam@yaple.net>
Co-Authored-By: Hui Kang <kangh@us.ibm.com>
Closes-Bug: #1533350
Change-Id: I7f864c448a2414e0b5d89f48337be411b891df35

ansible/roles/nova/tasks/bootstrap.yml

@@ -50,3 +50,32 @@
   run_once: True
   delegate_to: "{{ groups['nova-api'][0] }}"
   when: database_created
+
+- name: Creating nova-compute volume
+  kolla_docker:
+    action: "create_volume"
+    common_options: "{{ docker_common_options }}"
+    name: "nova_compute"
+  register: nova_compute_volume
+  when:
+    - inventory_hostname in groups['compute']
+    - not enable_nova_fake | bool
+
+- name: Starting Nova compute bootstrap container
+  kolla_docker:
+    action: "start_container"
+    common_options: "{{ docker_common_options }}"
+    detach: False
+    environment:
+      KOLLA_BOOTSTRAP:
+      KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}"
+    image: "{{ nova_compute_image_full }}"
+    name: "bootstrap_nova_compute"
+    restart_policy: "never"
+    volumes:
+      - "{{ node_config_directory }}/nova-compute/:{{ container_config_directory }}/:ro"
+      - "nova_compute:/var/lib/nova/"
+  when:
+    - inventory_hostname in groups['compute']
+    - not enable_nova_fake | bool
+    - nova_compute_volume.changed

ansible/roles/nova/tasks/deploy.yml

@@ -27,7 +27,8 @@
     - inventory_hostname in groups['compute']
 
 - include: bootstrap.yml
-  when: inventory_hostname in groups['nova-api']
+  when: inventory_hostname in groups['nova-api'] or
+        inventory_hostname in groups['compute']
 
 - include: start.yml
   when: inventory_hostname in groups['compute'] or

ansible/roles/nova/tasks/start.yml

@@ -10,9 +10,8 @@
     volumes:
       - "{{ node_config_directory }}/nova-libvirt/:{{ container_config_directory }}/:ro"
       - "/lib/modules:/lib/modules:ro"
-      - "/run:/run"
       - "/sys/fs/cgroup:/sys/fs/cgroup"
-      - "nova_compute:/var/lib/nova/instances"
+      - "nova_compute:/var/lib/nova/"
       - "nova_libvirt:/var/lib/libvirt"
   when: inventory_hostname in groups['compute']
 
@@ -100,7 +99,7 @@
       - "/lib/modules:/lib/modules:ro"
       - "/run:/run"
       - "/var/lib/kolla/dev/log:/dev/log"
-      - "nova_compute:/var/lib/nova/instances"
+      - "nova_compute:/var/lib/nova/"
       - "nova_libvirt:/var/lib/libvirt"
   when:
     - inventory_hostname in groups['compute']

docker/nova/nova-base/Dockerfile.j2

@@ -52,6 +52,10 @@ RUN ln -s nova-base-source/* nova \
     && cp -r /nova/etc/nova/* /etc/nova/ \
     && chown -R nova: /etc/nova /var/log/nova /home/nova /var/lib/nova
 
+COPY nova_sudoers /etc/sudoers.d/nova_sudoers
+RUN chmod 750 /etc/sudoers.d \
+    && chmod 440 /etc/sudoers.d/nova_sudoers
+
 {% endif %}
 
 RUN usermod -a -G kolla nova

docker/nova/nova-base/nova_sudoers

@@ -0,0 +1 @@
+nova ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/nova-rootwrap /etc/nova/rootwrap.conf *

docker/nova/nova-compute/Dockerfile.j2

@@ -50,6 +50,12 @@ RUN /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements
 
 {% endif %}
 
+COPY nova_compute_sudoers /etc/sudoers.d/nova_compute_sudoers
+COPY extend_start.sh /usr/local/bin/kolla_extend_start
+RUN chmod 755 /usr/local/bin/kolla_extend_start \
+    && chmod 750 /etc/sudoers.d \
+    && chmod 440 /etc/sudoers.d/nova_compute_sudoers
+
 {{ include_footer }}
 
 USER nova

docker/nova/nova-compute/extend_start.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# Bootstrap and exit if KOLLA_BOOTSTRAP variable is set. This catches all cases
+# of the KOLLA_BOOTSTRAP variable being set, including empty.
+if [[ "${!KOLLA_BOOTSTRAP[@]}" ]]; then
+    sudo chown nova: /var/lib/nova/
+    mkdir /var/lib/nova/instances
+    exit 0
+fi

docker/nova/nova-compute/nova_compute_sudoers

@@ -0,0 +1 @@
+%kolla ALL=(root) NOPASSWD: /usr/bin/chown nova\: /var/lib/nova/, /bin/chown nova\: /var/lib/nova/