Implement rootwrap

This patch adds the rootwrap templates, filters, etc in order to
ensure that the designate service is capable of executing commands
against bind9 when it needs to.

defaults/main.yml

@@ -154,4 +154,5 @@ designate_service_names:
 designate_policy_overrides: {}
 designate_designate_conf_overrides: {}
 designate_api_paste_ini_overrides: {}
+designate_rootwrap_conf_overrides: {}
 

files/rootwrap.d/bind9.filters

@@ -0,0 +1,10 @@
+# designate-rootwrap command filters for nodes on which designate is
+# expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+rndc: CommandFilter, /usr/sbin/rndc, root

tasks/designate_post_install.yml

@@ -35,6 +35,25 @@
       dest: "/etc/designate/policy.json"
       config_overrides: "{{ designate_policy_overrides }}"
       config_type: "json"
+    - src: "rootwrap.conf.j2"
+      dest: "/etc/designate/rootwrap.conf"
+      owner: "root"
+      group: "root"
+      config_overrides: "{{ designate_rootwrap_conf_overrides }}"
+      config_type: "ini"
+  notify: Restart designate services
+  tags:
+    - designate-config
+    - designate-post-install
+
+- name: Copy designate rootwrap filter config
+  copy:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: "root"
+    group: "root"
+  with_items:
+    - { src: "rootwrap.d/bind9.filters", dest: "/etc/designate/rootwrap.d/bind9.filters" }
   notify: Restart designate services
   tags:
     - designate-config

templates/designate.conf.j2

@@ -3,6 +3,9 @@ auth_strategy = keystone
 verbose = {{ verbose }}
 debug = {{ debug }}
 
+# Root helper
+root_helper = sudo designate-rootwrap /etc/designate/rootwrap.conf
+
 [oslo_messaging_rabbit]
 rpc_backend = rabbit
 rabbit_port = {{ rabbitmq_port }}

templates/rootwrap.conf.j2

@@ -0,0 +1,27 @@
+# Configuration for designate-rootwrap
+# This file should be owned by (and only-writeable by) the root user
+
+[DEFAULT]
+# List of directories to load filter definitions from (separated by ',').
+# These directories MUST all be only writeable by root !
+filters_path=/etc/designate/rootwrap.d,/usr/share/designate/rootwrap
+
+# List of directories to search executables in, in case filters do not
+# explicitely specify a full path (separated by ',')
+# If not specified, defaults to system PATH environment variable.
+# These directories MUST all be only writeable by root !
+exec_dirs={{ designate_bin }},/sbin,/usr/sbin,/bin,/usr/bin
+
+# Enable logging to syslog
+# Default value is False
+use_syslog=False
+
+# Which syslog facility to use.
+# Valid values include auth, authpriv, syslog, user0, user1...
+# Default value is 'syslog'
+syslog_log_facility=syslog
+
+# Which messages to log.
+# INFO means log all usage
+# ERROR means only log unsuccessful attempts
+syslog_log_level=ERROR