Fix issues in Glance filesystem backend

The drop root change for Glance highlighted the fact that we were
binding volumes from glance_data into the wrong container - it was
glance_registry whereas it should be glance_api. This would result in
all images being lost if the glance_api container happens to restart.

Also, we need a sudoers file to chown the file backend dir to the glance
user.

Change-Id: If04337045bb94b3126e48d1f5bf0ea29e20373ae
Closes-Bug: #1516729

ansible/roles/glance/tasks/start.yml

@@ -16,8 +16,6 @@
     volumes:
       - "{{ node_config_directory }}/glance-registry/:{{ container_config_directory }}/:ro"
       - "/var/lib/kolla/dev/log:/dev/log"
-    volumes_from:
-      - glance_data
     env:
       KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}"
   when: inventory_hostname in groups['glance-registry']
@@ -39,6 +37,8 @@
     volumes:
       - "{{ node_config_directory }}/glance-api/:{{ container_config_directory }}/:ro"
       - "/var/lib/kolla/dev/log:/dev/log"
+    volumes_from:
+      - glance_data
     env:
       KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}"
   when: inventory_hostname in groups['glance-api']

docker/glance/glance-api/extend_start.sh

@@ -4,5 +4,6 @@
 # of the KOLLA_BOOTSTRAP variable being set, including empty.
 if [[ "${!KOLLA_BOOTSTRAP[@]}" ]]; then
     glance-manage db_sync
+    sudo chown -R glance: /var/lib/glance/
     exit 0
 fi

docker/glance/glance-base/Dockerfile.j2

@@ -44,4 +44,8 @@ RUN ln -s glance-base-source/* glance \
 
 {% endif %}
 
-RUN usermod -a -G kolla glance
+COPY glance_sudoers /etc/sudoers.d/glance_sudoers
+
+RUN usermod -a -G kolla glance \
+    && chmod 750 /etc/sudoers.d \
+    && chmod 440 /etc/sudoers.d/glance_sudoers

docker/glance/glance-base/glance_sudoers

@@ -0,0 +1 @@
+%kolla ALL=(root) NOPASSWD: /usr/bin/chown -R glance\: /var/lib/glance/, /bin/chown -R glance\: /var/lib/glance/