diff --git a/docker/glance/glance-base/Dockerfile.j2 b/docker/glance/glance-base/Dockerfile.j2
index b5d6d00c77..5a691473fc 100644
--- a/docker/glance/glance-base/Dockerfile.j2
+++ b/docker/glance/glance-base/Dockerfile.j2
@@ -31,6 +31,11 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 {{ macros.install_packages(glance_base_packages | customizable("packages")) }}
 
+{% if base_package_type == 'deb' %}
+# fix up Ubuntu and Debian packaging of config (glance_store's rootwrap)
+RUN ln -s /etc/glance/glance/* /etc/glance/
+{% endif %}
+
 {% elif install_type == 'source' %}
 {% if base_package_type == 'rpm' %}
 {% set glance_base_packages = [
@@ -53,17 +58,24 @@ ADD glance-base-archive /glance-base-source
         'glance_store[cinder,vmware,swift]'
     ] %}
 
+# add missing rootwrap config present in glance_store repo
+COPY etc/glance /etc/glance
+
 RUN ln -s glance-base-source/* glance \
     && {{ macros.install_pip(glance_base_pip_packages | customizable("pip_packages")) }} \
     && mkdir -p /etc/glance \
     && cp -r /glance/etc/* /etc/glance/ \
-    && chown -R glance: /etc/glance
+    && chown -R glance: /etc/glance \
+    && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/glance/rootwrap.conf
 {% endif %}
 
+COPY glance_sudoers /etc/sudoers.d/kolla_glance_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN touch /usr/local/bin/kolla_glance_extend_start \
+RUN chmod 750 /etc/sudoers.d \
+    && chmod 440 /etc/sudoers.d/kolla_glance_sudoers \
+    && touch /usr/local/bin/kolla_glance_extend_start \
     && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_glance_extend_start
 
 {% block glance_base_footer %}{% endblock %}
diff --git a/docker/glance/glance-base/etc/glance/rootwrap.conf b/docker/glance/glance-base/etc/glance/rootwrap.conf
new file mode 100644
index 0000000000..421dd256e6
--- /dev/null
+++ b/docker/glance/glance-base/etc/glance/rootwrap.conf
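Review bot: `ln -s /etc/glance/glance/* /etc/glance/` depends on the glob matching; under the `/bin/sh` that RUN uses, an unmatched glob is passed literally, so if the Debian/Ubuntu packages ever stop shipping /etc/glance/glance the command creates a dangling symlink literally named `*` instead of failing the build. A guard keeps the fix-up honest: `RUN if [ -d /etc/glance/glance ]; then ln -s /etc/glance/glance/* /etc/glance/; fi`. Whether the linked rootwrap files are root-owned is left to the distro package on this path, which is reasonable, but a one-line comment saying so would help since the sudoers rule added by this commit relies on it.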
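Review bot: The `chown -R glance: /etc/glance` that runs after the new `COPY etc/glance /etc/glance` hands ownership of rootwrap.conf and rootwrap.d/*.filters to the unprivileged glance user, while the sudoers rule added in the same commit lets that user run glance-rootwrap as root against exactly that config. A process running as glance could then rewrite `filters_path` or a filter line to permit any command and obtain root through sudo; the header comments of the copied rootwrap.conf require these files to be root-owned and root-writable-only for precisely this reason, and I do not believe oslo.rootwrap enforces it on its own. Re-own them at the end of the same RUN, e.g. `&& chown -R root:root /etc/glance/rootwrap.conf /etc/glance/rootwrap.d \` followed by `&& chmod 644 /etc/glance/rootwrap.conf && chmod -R u=rwX,go=rX /etc/glance/rootwrap.d`, and apply the same rule to the /var/lib/kolla/venv/bin directory that the sed prepends to `exec_dirs` if that venv is writable by glance. The RUN sits inside the source-install template branch whose opening is outside this hunk.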
@@ -0,0 +1,27 @@
+# Configuration for glance-rootwrap
+# This file should be owned by (and only-writable by) the root user
+
+[DEFAULT]
+# List of directories to load filter definitions from (separated by ',').
+# These directories MUST all be only writeable by root !
+filters_path=/etc/glance/rootwrap.d,/usr/share/glance/rootwrap
+
+# List of directories to search executables in, in case filters do not
+# explicitely specify a full path (separated by ',')
+# If not specified, defaults to system PATH environment variable.
+# These directories MUST all be only writeable by root !
+exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin
+
+# Enable logging to syslog
+# Default value is False
+use_syslog=False
+
+# Which syslog facility to use.
+# Valid values include auth, authpriv, syslog, local0, local1...
+# Default value is 'syslog'
+syslog_log_facility=syslog
+
+# Which messages to log.
+# INFO means log all usage
+# ERROR means only log unsuccessful attempts
+syslog_log_level=ERROR
diff --git a/docker/glance/glance-base/etc/glance/rootwrap.d/glance_cinder_store.filters b/docker/glance/glance-base/etc/glance/rootwrap.d/glance_cinder_store.filters
new file mode 100644
index 0000000000..46c389b7e0
--- /dev/null
+++ b/docker/glance/glance-base/etc/glance/rootwrap.d/glance_cinder_store.filters
@@ -0,0 +1,12 @@
+# glance-rootwrap command filters for glance cinder store
+# This file should be owned by (and only-writable by) the root user
+
+[Filters]
+# cinder store driver
+disk_chown: RegExpFilter, chown, root, chown, \d+, /dev/(?!.*/\.\.).*
+
+# os-brick library commands
+# os_brick.privileged.run_as_root oslo.privsep context
+# This line ties the superuser privs with the config files, context name,
+# and (implicitly) the actual python code invoked.
+privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
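Review bot: The `exec_dirs` value committed here is never used as written: this file is only COPYed on the source-install path, where the Dockerfile immediately rewrites the line with a sed to prepend /var/lib/kolla/venv/bin. Committing the venv-aware value directly, `exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin`, removes a regex rewrite of a security-relevant setting and makes the reviewed file match what ships. With `use_syslog=False` and `syslog_log_level=ERROR`, successful root escalations through rootwrap leave no audit record in the container; if the image provides a syslog socket consider `use_syslog=True` with `syslog_log_level=INFO`, otherwise add a comment stating that rootwrap usage is intentionally unlogged here. The comment typo `explicitely` should read `explicitly`.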
diff --git a/docker/glance/glance-base/glance_sudoers b/docker/glance/glance-base/glance_sudoers
new file mode 100644
index 0000000000..9af8709831
--- /dev/null
+++ b/docker/glance/glance-base/glance_sudoers
@@ -0,0 +1 @@
+glance ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/glance-rootwrap /etc/glance/rootwrap.conf *
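Review bot: The rule hard-codes `/var/lib/kolla/venv/bin/glance-rootwrap`, yet the Dockerfile installs this file for every install_type, and the deb/rpm branches obtain glance-rootwrap from the distro package rather than a venv; on binary images the rule would match nothing, so cinder-store operations that need rootwrap would fail rather than escalate — unless those packages ship their own sudoers entry, which I cannot confirm from here. Either template the path per install type or add a second line such as `glance ALL = (root) NOPASSWD: /usr/bin/glance-rootwrap /etc/glance/rootwrap.conf *`. The trailing `*` is the usual rootwrap pattern, and the rule's safety rests entirely on /etc/glance/rootwrap.conf and rootwrap.d being root-owned and not writable by glance, which the Dockerfile's `chown -R glance: /etc/glance` in this same commit does not guarantee for source installs.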