Merge "Fix glance-api privsep errors"
This commit is contained in:
Zuul
Gerrit Code Review
commit
665b2b5ca3
|
|
@ -31,6 +31,11 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
|
|||
|
||||
{{ macros.install_packages(glance_base_packages | customizable("packages")) }}
|
||||
|
||||
{% if base_package_type == 'deb' %}
|
||||
# fix up Ubuntu and Debian packaging of config (glance_store's rootwrap)
|
||||
RUN ln -s /etc/glance/glance/* /etc/glance/
|
||||
{% endif %}
|
||||
|
||||
{% elif install_type == 'source' %}
|
||||
{% if base_package_type == 'rpm' %}
|
||||
{% set glance_base_packages = [
|
||||
|
|
@ -53,17 +58,24 @@ ADD glance-base-archive /glance-base-source
|
|||
'glance_store[cinder,vmware,swift]'
|
||||
] %}
|
||||
|
||||
# add missing rootwrap config present in glance_store repo
|
||||
COPY etc/glance /etc/glance
|
||||
|
||||
RUN ln -s glance-base-source/* glance \
|
||||
&& {{ macros.install_pip(glance_base_pip_packages | customizable("pip_packages")) }} \
|
||||
&& mkdir -p /etc/glance \
|
||||
&& cp -r /glance/etc/* /etc/glance/ \
|
||||
&& chown -R glance: /etc/glance
|
||||
&& chown -R glance: /etc/glance \
|
||||
&& sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/glance/rootwrap.conf
|
||||
|
||||
{% endif %}
|
||||
|
||||
COPY glance_sudoers /etc/sudoers.d/kolla_glance_sudoers
|
||||
COPY extend_start.sh /usr/local/bin/kolla_extend_start
|
||||
|
||||
RUN touch /usr/local/bin/kolla_glance_extend_start \
|
||||
RUN chmod 750 /etc/sudoers.d \
|
||||
&& chmod 440 /etc/sudoers.d/kolla_glance_sudoers \
|
||||
&& touch /usr/local/bin/kolla_glance_extend_start \
|
||||
&& chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_glance_extend_start
|
||||
|
||||
{% block glance_base_footer %}{% endblock %}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,27 @@
|
|||
# Configuration for glance-rootwrap
|
||||
# This file should be owned by (and only-writable by) the root user
|
||||
|
||||
[DEFAULT]
|
||||
# List of directories to load filter definitions from (separated by ',').
|
||||
# These directories MUST all be only writeable by root !
|
||||
filters_path=/etc/glance/rootwrap.d,/usr/share/glance/rootwrap
|
||||
|
||||
# List of directories to search executables in, in case filters do not
|
||||
# explicitely specify a full path (separated by ',')
|
||||
# If not specified, defaults to system PATH environment variable.
|
||||
# These directories MUST all be only writeable by root !
|
||||
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin
|
||||
|
||||
# Enable logging to syslog
|
||||
# Default value is False
|
||||
use_syslog=False
|
||||
|
||||
# Which syslog facility to use.
|
||||
# Valid values include auth, authpriv, syslog, local0, local1...
|
||||
# Default value is 'syslog'
|
||||
syslog_log_facility=syslog
|
||||
|
||||
# Which messages to log.
|
||||
# INFO means log all usage
|
||||
# ERROR means only log unsuccessful attempts
|
||||
syslog_log_level=ERROR
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
# glance-rootwrap command filters for glance cinder store
|
||||
# This file should be owned by (and only-writable by) the root user
|
||||
|
||||
[Filters]
|
||||
# cinder store driver
|
||||
disk_chown: RegExpFilter, chown, root, chown, \d+, /dev/(?!.*/\.\.).*
|
||||
|
||||
# os-brick library commands
|
||||
# os_brick.privileged.run_as_root oslo.privsep context
|
||||
# This line ties the superuser privs with the config files, context name,
|
||||
# and (implicitly) the actual python code invoked.
|
||||
privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
|
||||
|
|
@ -0,0 +1 @@
|
|||
glance ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/glance-rootwrap /etc/glance/rootwrap.conf *
|
||||
Loading…
Reference in New Issue