Browse Source

Merge "Fix glance-api privsep errors"

changes/17/710217/12
Zuul 2 years ago committed by Gerrit Code Review
parent
commit
665b2b5ca3
  1. 16
      docker/glance/glance-base/Dockerfile.j2
  2. 27
      docker/glance/glance-base/etc/glance/rootwrap.conf
  3. 12
      docker/glance/glance-base/etc/glance/rootwrap.d/glance_cinder_store.filters
  4. 1
      docker/glance/glance-base/glance_sudoers

16
docker/glance/glance-base/Dockerfile.j2

@ -31,6 +31,11 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
{{ macros.install_packages(glance_base_packages | customizable("packages")) }}
{% if base_package_type == 'deb' %}
# fix up Ubuntu and Debian packaging of config (glance_store's rootwrap)
RUN ln -s /etc/glance/glance/* /etc/glance/
{% endif %}
{% elif install_type == 'source' %}
{% if base_package_type == 'rpm' %}
{% set glance_base_packages = [
@ -53,17 +58,24 @@ ADD glance-base-archive /glance-base-source
'glance_store[cinder,vmware,swift]'
] %}
# add missing rootwrap config present in glance_store repo
COPY etc/glance /etc/glance
RUN ln -s glance-base-source/* glance \
&& {{ macros.install_pip(glance_base_pip_packages | customizable("pip_packages")) }} \
&& mkdir -p /etc/glance \
&& cp -r /glance/etc/* /etc/glance/ \
&& chown -R glance: /etc/glance
&& chown -R glance: /etc/glance \
&& sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/glance/rootwrap.conf
{% endif %}
COPY glance_sudoers /etc/sudoers.d/kolla_glance_sudoers
COPY extend_start.sh /usr/local/bin/kolla_extend_start
RUN touch /usr/local/bin/kolla_glance_extend_start \
RUN chmod 750 /etc/sudoers.d \
&& chmod 440 /etc/sudoers.d/kolla_glance_sudoers \
&& touch /usr/local/bin/kolla_glance_extend_start \
&& chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_glance_extend_start
{% block glance_base_footer %}{% endblock %}

27
docker/glance/glance-base/etc/glance/rootwrap.conf

@ -0,0 +1,27 @@
# Configuration for glance-rootwrap
# This file should be owned by (and only-writable by) the root user
[DEFAULT]
# List of directories to load filter definitions from (separated by ',').
# These directories MUST all be only writeable by root !
filters_path=/etc/glance/rootwrap.d,/usr/share/glance/rootwrap
# List of directories to search executables in, in case filters do not
# explicitely specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root !
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin
# Enable logging to syslog
# Default value is False
use_syslog=False
# Which syslog facility to use.
# Valid values include auth, authpriv, syslog, local0, local1...
# Default value is 'syslog'
syslog_log_facility=syslog
# Which messages to log.
# INFO means log all usage
# ERROR means only log unsuccessful attempts
syslog_log_level=ERROR

12
docker/glance/glance-base/etc/glance/rootwrap.d/glance_cinder_store.filters

@ -0,0 +1,12 @@
# glance-rootwrap command filters for glance cinder store
# This file should be owned by (and only-writable by) the root user
[Filters]
# cinder store driver
disk_chown: RegExpFilter, chown, root, chown, \d+, /dev/(?!.*/\.\.).*
# os-brick library commands
# os_brick.privileged.run_as_root oslo.privsep context
# This line ties the superuser privs with the config files, context name,
# and (implicitly) the actual python code invoked.
privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*

1
docker/glance/glance-base/glance_sudoers

@ -0,0 +1 @@
glance ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/glance-rootwrap /etc/glance/rootwrap.conf *
Loading…
Cancel
Save