Use separate sudoers for ironic conductor modprobe

The original fix (8b101b28a1) for bug 1676466 added unnecessary entries to the sudoers file in the ironic-base image. These included a rootwrap entry pointing to the virtualenv used by source type images (not present in binary type images) and a modprobe iscsi_tcp which is only required by the ironic-conductor image. This change adds a single sudoers file for the iscsi_tcp modprobe to the ironic-conductor image and reverts to the common pattern of adding a sudoers file to ironic-base only for source type images. Change-Id: I89f1c4bd741de9ba184f14fcbcb708636616e420 Closes-bug: #1678143 Related-bug: #1676466 Related-bug: #1667864
2017-03-31 14:32:43 +01:00 · 2017-03-31 14:32:43 +01:00 · 1c3336c8c9
commit 1c3336c8c9
parent f5be229ae6
4 changed files with 7 additions and 4 deletions
--- a/docker/ironic/ironic-base/Dockerfile.j2
+++ b/docker/ironic/ironic-base/Dockerfile.j2
@ -31,12 +31,12 @@ RUN ln -s ironic-base-source/* ironic \
    && chown -R ironic: /etc/ironic \
    && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/ironic/rootwrap.conf

-{% endif %}
-
 ADD ironic_sudoers /etc/sudoers.d/kolla_ironic_sudoers
 RUN chmod 750 /etc/sudoers.d \
    && chmod 440 /etc/sudoers.d/kolla_ironic_sudoers

+{% endif %}
+
 COPY extend_start.sh /usr/local/bin/kolla_extend_start

 RUN touch /usr/local/bin/kolla_ironic_extend_start \
--- a/docker/ironic/ironic-base/ironic_sudoers
+++ b/docker/ironic/ironic-base/ironic_sudoers
@ -1 +1 @@
-ironic ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/ironic-rootwrap /etc/ironic/rootwrap.conf *, /usr/sbin/modprobe iscsi_tcp, /sbin/modprobe iscsi_tcp
+ironic ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/ironic-rootwrap /etc/ironic/rootwrap.conf *
--- a/docker/ironic/ironic-conductor/Dockerfile.j2
+++ b/docker/ironic/ironic-conductor/Dockerfile.j2
@ -90,7 +90,9 @@ RUN {{ macros.install_pip(ironic_conductor_pip_packages | customizable("pip_pack
 {{ macros.install_packages(ironic_conductor_packages | customizable("packages")) }}

 COPY extend_start.sh /usr/local/bin/kolla_ironic_extend_start
-RUN chmod 755 /usr/local/bin/kolla_ironic_extend_start
+COPY iscsi_tcp_sudoers /etc/sudoers.d/kolla_iscsi_tcp_sudoers
+RUN chmod 755 /usr/local/bin/kolla_ironic_extend_start \
+    && chmod 440 /etc/sudoers.d/kolla_iscsi_tcp_sudoers

 {% block ironic_conductor_footer %}{% endblock %}
 {% block footer %}{% endblock %}
--- a/docker/ironic/ironic-conductor/iscsi_tcp_sudoers
+++ b/docker/ironic/ironic-conductor/iscsi_tcp_sudoers
@ -0,0 +1 @@
+ironic ALL = (root) NOPASSWD: /usr/sbin/modprobe iscsi_tcp, /sbin/modprobe iscsi_tcp
				`@ -0,0 +1 @@`
				`ironic ALL = (root) NOPASSWD: /usr/sbin/modprobe iscsi_tcp, /sbin/modprobe iscsi_tcp`