Fix binary ironic-inspector rootwrap configuration

When built with the binary install type (at least on CentOS), Ironic
inspector fails to start and the container remains in a restarting
state. The log file shows that it is failing to execute iptables, and
analysis found that this was due to an incorrect rootwrap
configuration. The RDO ironic inspector RPM expects Ironic inspector
to be run as the ironic-inspector user, however Kolla uses the ironic
user. This means that neither of the packaged ironic nor
ironic-inspector sudoers configuration files works for us.

Kolla currently installs a sudoers file pointing to the rootwrap
script in the virtualenv of the source install, but of course this
only makes sense for source installs, and should not be installed for
binary installs.

This change adds a second sudoers file that will work for the binary
install type, and installs the correct sudoers file for the install
type.

Change-Id: I8ecd0b658b8df8f38ddf717fa9443d4dc2896984
Closes-Bug: #1624457
Mark Goddard 2017-02-22 02:23:05 +00:00
parent 1fbe35815c
commit 5752c7eb0b
3 changed files with 5 additions and 1 deletions

@ -17,6 +17,8 @@ MAINTAINER {{ maintainer }}
{{ macros.install_packages(ironic_inspector_packages | customizable("packages")) }}
COPY ironic_sudoers_binary /etc/sudoers.d/kolla_ironic_inspector_sudoers
{% elif install_type == 'source' %}
{% if base_distro in ['ubuntu'] %}
{% set ironic_inspector_packages = ['iptables'] %}
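Review bot: The `COPY ironic_sudoers_binary /etc/sudoers.d/kolla_ironic_inspector_sudoers` line in the binary branch has no comment explaining why Kolla ships its own sudoers file instead of relying on the packaged one. A short Jinja comment stating that the container runs inspector as the `ironic` user, so the packaged sudoers entries do not match, would keep a later cleanup from dropping it. The commit message confirms the failure only on CentOS, so also check that the rootwrap path in the new sudoers file is correct for every binary base distro this branch covers.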
@ -37,9 +39,10 @@ RUN ln -s ironic-inspector-source/* ironic-inspector \
&& cp -r /ironic-inspector/rootwrap.d/ /etc/ironic-inspector/ \
&& sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/ironic-inspector/rootwrap.conf
COPY ironic_sudoers_source /etc/sudoers.d/kolla_ironic_inspector_sudoers
{% endif %}
COPY ironic_sudoers /etc/sudoers.d/kolla_ironic_inspector_sudoers
COPY extend_start.sh /usr/local/bin/kolla_ironic_extend_start
RUN chmod 750 /etc/sudoers.d \
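Review bot: After `{% endif %}` this rendering still shows `COPY ironic_sudoers /etc/sudoers.d/kolla_ironic_inspector_sudoers`, which has the same destination as the per-install-type COPY lines, and the +/- markers are not visible here. Please confirm that this unconditional line is the one deletion in the change: if it remained, it would overwrite the sudoers file selected for the install type and bring back the failure on binary installs. The source branch also rewrites `exec_dirs` in `rootwrap.conf` while the binary branch does not, so a note on whether the packaged `exec_dirs` already covers the iptables location would help.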

@ -0,0 +1 @@
ironic ALL=(root) NOPASSWD: /usr/bin/ironic-inspector-rootwrap /etc/ironic-inspector/rootwrap.conf *
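Review bot: The trailing `*` in this entry lets the `ironic` user pass any command line to `/usr/bin/ironic-inspector-rootwrap` as root, so the only effective restriction is the filter set referenced by `/etc/ironic-inspector/rootwrap.conf`. Please make sure that file and the filters directory it points to are owned by root and not writable by `ironic` in the binary image, since write access to either would turn this rule into unrestricted root. It would also be worth checking that the installed file ends up with mode 0440 and passes `visudo -c -f /etc/sudoers.d/kolla_ironic_inspector_sudoers` during the build, because a sudoers file with a syntax error or wrong mode is rejected by sudo.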