Use ironic-inspector user for ironic-inspector

This change updates the ironic-inspector image to use the ironic-inspector user rather than the ironic user to execute the ironic inspector service as this more closely aligns with what is typically done by downstream packagers (specifically, Ubuntu and RDO). This change rebases the ironic-inspector image onto the openstack-base image instead of the ironic-base image. We configure an ironic-inspector user and use this to execute the ironic-inspector service. We also configure ironic-inspector to log to /var/log/kolla/ironic-inspector instead of the previous ironic location. Following this change we no longer need the workaround of a sudoers file for the binary install type that was added in change I8ecd0b658b8df8f38ddf717fa9443d4dc2896984. Change-Id: Ibdc5ba35db61f4974d4282aff34bcb5ccd952d45 Closes-Bug: #1624457
2017-03-02 18:31:23 +00:00 · 2017-03-02 18:31:23 +00:00 · 8b63089e1c
commit 8b63089e1c
parent c74fb5058f
6 changed files with 25 additions and 12 deletions
--- a/docker/ironic/ironic-inspector/Dockerfile.j2
+++ b/docker/ironic/ironic-inspector/Dockerfile.j2
@ -1,10 +1,12 @@
-FROM {{ namespace }}/{{ image_prefix }}ironic-base:{{ tag }}
+FROM {{ namespace }}/{{ image_prefix }}openstack-base:{{ tag }}
 MAINTAINER {{ maintainer }}

 {% block ironic_inspector_header %}{% endblock %}

 {% import "macros.j2" as macros with context %}

+{{ macros.configure_user(name='ironic-inspector') }}
+
 {% if install_type == 'binary' %}
    {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
        {% set ironic_inspector_packages = ['openstack-ironic-inspector'] %}
@ -17,8 +19,6 @@ MAINTAINER {{ maintainer }}

 {{ macros.install_packages(ironic_inspector_packages | customizable("packages")) }}

-COPY ironic_sudoers_binary /etc/sudoers.d/kolla_ironic_inspector_sudoers
-
 {% elif install_type == 'source' %}
    {% if base_distro in ['debian', 'ubuntu'] %}
        {% set ironic_inspector_packages = ['iptables'] %}
@ -33,23 +33,24 @@ ADD ironic-inspector-archive /ironic-inspector-source
 ] %}

 RUN ln -s ironic-inspector-source/* ironic-inspector \
-    && mv /etc/ironic /etc/ironic-inspector \
    && {{ macros.install_pip(ironic_inspector_pip_packages | customizable("pip_packages")) }} \
+    && mkdir -p /etc/ironic-inspector \
    && cp /ironic-inspector/rootwrap.conf /etc/ironic-inspector/ \
    && cp -r /ironic-inspector/rootwrap.d/ /etc/ironic-inspector/ \
    && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/ironic-inspector/rootwrap.conf

-COPY ironic_sudoers_source /etc/sudoers.d/kolla_ironic_inspector_sudoers
+ADD ironic_inspector_sudoers /etc/sudoers.d/kolla_ironic_inspector_sudoers
+RUN chmod 750 /etc/sudoers.d \
+    && chmod 440 /etc/sudoers.d/kolla_ironic_inspector_sudoers

 {% endif %}

-COPY extend_start.sh /usr/local/bin/kolla_ironic_extend_start
+COPY extend_start.sh /usr/local/bin/kolla_extend_start

-RUN chmod 750 /etc/sudoers.d \
-    && chmod 440 /etc/sudoers.d/kolla_ironic_inspector_sudoers \
-    && chmod 755 /usr/local/bin/kolla_ironic_extend_start
+RUN chmod 755 /usr/local/bin/kolla_extend_start \
+    && chown -R ironic-inspector: /etc/ironic-inspector

 {% block ironic_inspector_footer %}{% endblock %}
 {% block footer %}{% endblock %}

-USER ironic
+USER ironic-inspector
--- a/docker/ironic/ironic-inspector/extend_start.sh
+++ b/docker/ironic/ironic-inspector/extend_start.sh
@ -1,5 +1,14 @@
 #!/bin/bash

+LOG_PATH=/var/log/kolla/ironic-inspector
+
+if [[ ! -d "${LOG_PATH}" ]]; then
+    mkdir -p "${LOG_PATH}"
+fi
+if [[ $(stat -c %a "${LOG_PATH}") != "755" ]]; then
+    chmod 755 "${LOG_PATH}"
+fi
+
 # Bootstrap and exit if KOLLA_BOOTSTRAP variable is set. This catches all cases
 # of the KOLLA_BOOTSTRAP variable being set, including empty.
 if [[ "${!KOLLA_BOOTSTRAP[@]}" ]]; then
--- a/docker/ironic-inspector/ironic_inspector_sudoers
+++ b/docker/ironic-inspector/ironic_inspector_sudoers
@ -0,0 +1 @@
+ironic-inspector ALL=(root) NOPASSWD: /var/lib/kolla/venv/bin/ironic-inspector-rootwrap /etc/ironic-inspector/rootwrap.conf *
--- a/docker/ironic/ironic-inspector/ironic_sudoers_binary
+++ b/docker/ironic/ironic-inspector/ironic_sudoers_binary
@ -1 +0,0 @@
-ironic ALL=(root) NOPASSWD: /usr/bin/ironic-inspector-rootwrap /etc/ironic-inspector/rootwrap.conf *
--- a/docker/ironic/ironic-inspector/ironic_sudoers_source
+++ b/docker/ironic/ironic-inspector/ironic_sudoers_source
@ -1 +0,0 @@
-ironic ALL=(root) NOPASSWD: /var/lib/kolla/venv/bin/ironic-inspector-rootwrap /etc/ironic-inspector/rootwrap.conf *
--- a/kolla/common/config.py
+++ b/kolla/common/config.py
@ -794,6 +794,10 @@ USERS = {
        'uid': 42460,
        'gid': 42460,
    },
+    'ironic-inspector-user': {
+        'uid': 42461,
+        'gid': 42461,
+    },
 }
				`@ -0,0 +1 @@`
				`ironic-inspector ALL=(root) NOPASSWD: /var/lib/kolla/venv/bin/ironic-inspector-rootwrap /etc/ironic-inspector/rootwrap.conf *`
				`@ -1 +0,0 @@`
				`ironic ALL=(root) NOPASSWD: /usr/bin/ironic-inspector-rootwrap /etc/ironic-inspector/rootwrap.conf *`
				`@ -1 +0,0 @@`
				`ironic ALL=(root) NOPASSWD: /var/lib/kolla/venv/bin/ironic-inspector-rootwrap /etc/ironic-inspector/rootwrap.conf *`