Use ironic-inspector user for ironic-inspector

This change updates the ironic-inspector image to use the
ironic-inspector user rather than the ironic user to execute the
ironic inspector service as this more closely aligns with what is
typically done by downstream packagers (specifically, Ubuntu and
RDO).

This change rebases the ironic-inspector image onto the openstack-base
image instead of the ironic-base image. We configure an
ironic-inspector user and use this to execute the ironic-inspector
service. We also configure ironic-inspector to log to
/var/log/kolla/ironic-inspector instead of the previous ironic
location.

Following this change we no longer need the workaround of a
sudoers file for the binary install type that was added in change
I8ecd0b658b8df8f38ddf717fa9443d4dc2896984.

Change-Id: Ibdc5ba35db61f4974d4282aff34bcb5ccd952d45
Closes-Bug: #1624457
This commit is contained in:
Mark Goddard 2017-03-02 18:31:23 +00:00
parent c74fb5058f
commit 8b63089e1c
6 changed files with 25 additions and 12 deletions

View File

@ -1,10 +1,12 @@
FROM {{ namespace }}/{{ image_prefix }}ironic-base:{{ tag }}
FROM {{ namespace }}/{{ image_prefix }}openstack-base:{{ tag }}
MAINTAINER {{ maintainer }}
{% block ironic_inspector_header %}{% endblock %}
{% import "macros.j2" as macros with context %}
{{ macros.configure_user(name='ironic-inspector') }}
{% if install_type == 'binary' %}
{% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
{% set ironic_inspector_packages = ['openstack-ironic-inspector'] %}
@ -17,8 +19,6 @@ MAINTAINER {{ maintainer }}
{{ macros.install_packages(ironic_inspector_packages | customizable("packages")) }}
COPY ironic_sudoers_binary /etc/sudoers.d/kolla_ironic_inspector_sudoers
{% elif install_type == 'source' %}
{% if base_distro in ['debian', 'ubuntu'] %}
{% set ironic_inspector_packages = ['iptables'] %}
@ -33,23 +33,24 @@ ADD ironic-inspector-archive /ironic-inspector-source
] %}
RUN ln -s ironic-inspector-source/* ironic-inspector \
&& mv /etc/ironic /etc/ironic-inspector \
&& {{ macros.install_pip(ironic_inspector_pip_packages | customizable("pip_packages")) }} \
&& mkdir -p /etc/ironic-inspector \
&& cp /ironic-inspector/rootwrap.conf /etc/ironic-inspector/ \
&& cp -r /ironic-inspector/rootwrap.d/ /etc/ironic-inspector/ \
&& sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/ironic-inspector/rootwrap.conf
COPY ironic_sudoers_source /etc/sudoers.d/kolla_ironic_inspector_sudoers
ADD ironic_inspector_sudoers /etc/sudoers.d/kolla_ironic_inspector_sudoers
RUN chmod 750 /etc/sudoers.d \
&& chmod 440 /etc/sudoers.d/kolla_ironic_inspector_sudoers
{% endif %}
COPY extend_start.sh /usr/local/bin/kolla_ironic_extend_start
COPY extend_start.sh /usr/local/bin/kolla_extend_start
RUN chmod 750 /etc/sudoers.d \
&& chmod 440 /etc/sudoers.d/kolla_ironic_inspector_sudoers \
&& chmod 755 /usr/local/bin/kolla_ironic_extend_start
RUN chmod 755 /usr/local/bin/kolla_extend_start \
&& chown -R ironic-inspector: /etc/ironic-inspector
{% block ironic_inspector_footer %}{% endblock %}
{% block footer %}{% endblock %}
USER ironic
USER ironic-inspector

View File

@ -1,5 +1,14 @@
#!/bin/bash
LOG_PATH=/var/log/kolla/ironic-inspector
if [[ ! -d "${LOG_PATH}" ]]; then
mkdir -p "${LOG_PATH}"
fi
if [[ $(stat -c %a "${LOG_PATH}") != "755" ]]; then
chmod 755 "${LOG_PATH}"
fi
# Bootstrap and exit if KOLLA_BOOTSTRAP variable is set. This catches all cases
# of the KOLLA_BOOTSTRAP variable being set, including empty.
if [[ "${!KOLLA_BOOTSTRAP[@]}" ]]; then

View File

@ -0,0 +1 @@
ironic-inspector ALL=(root) NOPASSWD: /var/lib/kolla/venv/bin/ironic-inspector-rootwrap /etc/ironic-inspector/rootwrap.conf *

View File

@ -1 +0,0 @@
ironic ALL=(root) NOPASSWD: /usr/bin/ironic-inspector-rootwrap /etc/ironic-inspector/rootwrap.conf *

View File

@ -1 +0,0 @@
ironic ALL=(root) NOPASSWD: /var/lib/kolla/venv/bin/ironic-inspector-rootwrap /etc/ironic-inspector/rootwrap.conf *

View File

@ -794,6 +794,10 @@ USERS = {
'uid': 42460,
'gid': 42460,
},
'ironic-inspector-user': {
'uid': 42461,
'gid': 42461,
},
}