From 8b63089e1c3a55e3752229155d3a9e87d0511574 Mon Sep 17 00:00:00 2001
From: Mark Goddard
Date: Thu, 2 Mar 2017 18:31:23 +0000
Subject: [PATCH] Use ironic-inspector user for ironic-inspector

This change updates the ironic-inspector image to use the ironic-inspector user rather than the ironic user to execute the ironic inspector service as this more closely aligns with what is typically done by downstream packagers (specifically, Ubuntu and RDO). This change rebases the ironic-inspector image onto the openstack-base image instead of the ironic-base image. We configure an ironic-inspector user and use this to execute the ironic-inspector service. We also configure ironic-inspector to log to /var/log/kolla/ironic-inspector instead of the previous ironic location. Following this change we no longer need the workaround of a sudoers file for the binary install type that was added in change I8ecd0b658b8df8f38ddf717fa9443d4dc2896984.

Change-Id: Ibdc5ba35db61f4974d4282aff34bcb5ccd952d45
Closes-Bug: #1624457
---
.../ironic-inspector/Dockerfile.j2 | 21 ++++++++++---------
.../ironic-inspector/extend_start.sh | 9 ++++++++
.../ironic-inspector/ironic_inspector_sudoers | 1 +
.../ironic-inspector/ironic_sudoers_binary | 1 -
.../ironic-inspector/ironic_sudoers_source | 1 -
kolla/common/config.py | 4 ++++
6 files changed, 25 insertions(+), 12 deletions(-)
rename docker/{ironic => }/ironic-inspector/Dockerfile.j2 (76%)
rename docker/{ironic => }/ironic-inspector/extend_start.sh (60%)
create mode 100644 docker/ironic-inspector/ironic_inspector_sudoers
delete mode 100644 docker/ironic/ironic-inspector/ironic_sudoers_binary
delete mode 100644 docker/ironic/ironic-inspector/ironic_sudoers_source

diff --git a/docker/ironic/ironic-inspector/Dockerfile.j2 b/docker/ironic-inspector/Dockerfile.j2
similarity index 76%
rename from docker/ironic/ironic-inspector/Dockerfile.j2
rename to docker/ironic-inspector/Dockerfile.j2
index 8c3cd5a9d5..eea19fca72 100644
--- a/docker/ironic/ironic-inspector/Dockerfile.j2
+++ b/docker/ironic-inspector/Dockerfile.j2
@@ -1,10 +1,12 @@
-FROM {{ namespace }}/{{ image_prefix }}ironic-base:{{ tag }}
+FROM {{ namespace }}/{{ image_prefix }}openstack-base:{{ tag }}
 MAINTAINER {{ maintainer }}
 {% block ironic_inspector_header %}{% endblock %}
 {% import "macros.j2" as macros with context %}
+{{ macros.configure_user(name='ironic-inspector') }}
+
 {% if install_type == 'binary' %}
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
 {% set ironic_inspector_packages = ['openstack-ironic-inspector'] %}
@@ -17,8 +19,6 @@ MAINTAINER {{ maintainer }}
 {{ macros.install_packages(ironic_inspector_packages | customizable("packages")) }}
-COPY ironic_sudoers_binary /etc/sudoers.d/kolla_ironic_inspector_sudoers
 {% elif install_type == 'source' %}
 {% if base_distro in ['debian', 'ubuntu'] %}
 {% set ironic_inspector_packages = ['iptables'] %}
@@ -33,23 +33,24 @@ ADD ironic-inspector-archive /ironic-inspector-source
 ] %}
 RUN ln -s ironic-inspector-source/* ironic-inspector \
- && mv /etc/ironic /etc/ironic-inspector \
 && {{ macros.install_pip(ironic_inspector_pip_packages | customizable("pip_packages")) }} \
+ && mkdir -p /etc/ironic-inspector \
 && cp /ironic-inspector/rootwrap.conf /etc/ironic-inspector/ \
 && cp -r /ironic-inspector/rootwrap.d/ /etc/ironic-inspector/ \
 && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/ironic-inspector/rootwrap.conf
-COPY ironic_sudoers_source /etc/sudoers.d/kolla_ironic_inspector_sudoers
+ADD ironic_inspector_sudoers /etc/sudoers.d/kolla_ironic_inspector_sudoers
+RUN chmod 750 /etc/sudoers.d \
+ && chmod 440 /etc/sudoers.d/kolla_ironic_inspector_sudoers
 {% endif %}
-COPY extend_start.sh /usr/local/bin/kolla_ironic_extend_start
+COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN chmod 750 /etc/sudoers.d \
- && chmod 440 /etc/sudoers.d/kolla_ironic_inspector_sudoers \
- && chmod 755 /usr/local/bin/kolla_ironic_extend_start
+RUN chmod 755 /usr/local/bin/kolla_extend_start \
+ && chown -R ironic-inspector: /etc/ironic-inspector
 {% block ironic_inspector_footer %}{% endblock %}
 {% block footer %}{% endblock %}
-USER ironic
+USER ironic-inspector
diff --git a/docker/ironic/ironic-inspector/extend_start.sh b/docker/ironic-inspector/extend_start.sh
similarity index 60%
rename from docker/ironic/ironic-inspector/extend_start.sh
rename to docker/ironic-inspector/extend_start.sh
index b87060adbf..2582b017a3 100644
--- a/docker/ironic/ironic-inspector/extend_start.sh
+++ b/docker/ironic-inspector/extend_start.sh
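Review bot: The `&& chown -R ironic-inspector: /etc/ironic-inspector` added to the final RUN hands the unprivileged service user ownership of rootwrap.conf and rootwrap.d/, the very files that the new sudoers rule (`... ironic-inspector-rootwrap /etc/ironic-inspector/rootwrap.conf *`) trusts to decide which commands may run as root, so code running as ironic-inspector can rewrite a filter and escalate to root through sudo, which makes the command restriction in sudoers meaningless. Because the chown sits after the `{% endif %}` it also re-owns the distro package's rootwrap policy in the binary install type, and owning the directory lets the user unlink and recreate root-owned files inside it, so chowning only the files back would not be enough. Unless oslo.rootwrap is known to refuse configuration not owned by root (I cannot confirm that from this hunk), keep the directory and policy root-owned and merely readable by the service user, e.g. `&& chown -R root:ironic-inspector /etc/ironic-inspector \` followed by `&& chmod -R u=rwX,g=rX,o= /etc/ironic-inspector`, assuming nothing has to write there as ironic-inspector at runtime (the runtime config is presumably installed by kolla_set_configs, which is outside this diff — confirm). Separately, `ADD ironic_inspector_sudoers ...` copies a plain local file and should be `COPY`, as the line it replaces and the `COPY extend_start.sh` below already do.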
@@ -1,5 +1,14 @@
 #!/bin/bash
+LOG_PATH=/var/log/kolla/ironic-inspector
+
+if [[ ! -d "${LOG_PATH}" ]]; then
+ mkdir -p "${LOG_PATH}"
+fi
+if [[ $(stat -c %a "${LOG_PATH}") != "755" ]]; then
+ chmod 755 "${LOG_PATH}"
+fi
+
 # Bootstrap and exit if KOLLA_BOOTSTRAP variable is set. This catches all cases
 # of the KOLLA_BOOTSTRAP variable being set, including empty.
 if [[ "${!KOLLA_BOOTSTRAP[@]}" ]]; then
diff --git a/docker/ironic-inspector/ironic_inspector_sudoers b/docker/ironic-inspector/ironic_inspector_sudoers
new file mode 100644
index 0000000000..3958468207
--- /dev/null
+++ b/docker/ironic-inspector/ironic_inspector_sudoers
@@ -0,0 +1 @@
+ironic-inspector ALL=(root) NOPASSWD: /var/lib/kolla/venv/bin/ironic-inspector-rootwrap /etc/ironic-inspector/rootwrap.conf *
diff --git a/docker/ironic/ironic-inspector/ironic_sudoers_binary b/docker/ironic/ironic-inspector/ironic_sudoers_binary
deleted file mode 100644
index d1e0ef68d2..0000000000
--- a/docker/ironic/ironic-inspector/ironic_sudoers_binary
+++ /dev/null
@@ -1 +0,0 @@
-ironic ALL=(root) NOPASSWD: /usr/bin/ironic-inspector-rootwrap /etc/ironic-inspector/rootwrap.conf *
diff --git a/docker/ironic/ironic-inspector/ironic_sudoers_source b/docker/ironic/ironic-inspector/ironic_sudoers_source
deleted file mode 100644
index 612f8dc3a4..0000000000
--- a/docker/ironic/ironic-inspector/ironic_sudoers_source
+++ /dev/null
@@ -1 +0,0 @@
-ironic ALL=(root) NOPASSWD: /var/lib/kolla/venv/bin/ironic-inspector-rootwrap /etc/ironic-inspector/rootwrap.conf *
diff --git a/kolla/common/config.py b/kolla/common/config.py
index c7b5b1e4a2..25b3db3512 100755
--- a/kolla/common/config.py
+++ b/kolla/common/config.py
@@ -794,6 +794,10 @@ USERS = {
 'uid': 42460,
 'gid': 42460,
 },
+ 'ironic-inspector-user': {
+ 'uid': 42461,
+ 'gid': 42461,
+ },
 }
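Review bot: The new `mkdir -p "${LOG_PATH}"` and `chmod 755 "${LOG_PATH}"` now run as the unprivileged ironic-inspector user (the Dockerfile in this patch ends with `USER ironic-inspector`), so they only succeed if /var/log/kolla is writable by that user and, when the directory already exists, is owned by it; a directory left behind with another owner makes the `chmod` fail on every start, and if kolla_start sources this script under errexit (not visible here) that aborts the container. That assumption deserves a comment above the block, e.g. `# /var/log/kolla is a shared volume; the service user must be able to create and own ${LOG_PATH}`. As a point of style, the `[[ ! -d ... ]]` guard is redundant because `mkdir -p` already succeeds on an existing directory, and `stat -c %a` prints setgid/sticky bits as a leading digit (e.g. `2755`), so a directory that inherited setgid from its parent never compares equal to "755" and is chmod'ed on every start.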