Add missing pre-reqs for glance cinder store
There are a number of missing dependencies in the role when using cinder store with glance. Specifically, rootwrap is required for elevating access when using os-brick to connect to cinder iscsi/fc volume back end storage.

This patch addresses the following:
- oslo.rootwrap is not included in glance_pip_packages
- files/rootwrap.d/glance_cinder_store.filters is missing
- glance user is not added to sudoers

glance_pip_packages is updated, and the missing rootwrap.d and sudoers files are now dropped into their required locations by the glance_post_install.yml task.

Change-Id: I55162bc2bf3cbb8858950e4abcf60a3de9929008
Closes-Bug: #1833725
parent
96f0d5bd4a
commit
2636d7eaea
@ -240,6 +240,7 @@ glance_pip_packages:
|
|||||||
- glance
|
- glance
|
||||||
- keystonemiddleware
|
- keystonemiddleware
|
||||||
- os-brick
|
- os-brick
|
||||||
|
- oslo.rootwrap
|
||||||
- osprofiler
|
- osprofiler
|
||||||
- PyMySQL
|
- PyMySQL
|
||||||
- python-cinderclient
|
- python-cinderclient
|
||||||
@ -307,4 +308,4 @@ glance_policy_overrides: {}
|
|||||||
glance_api_uwsgi_ini_overrides: {}
|
glance_api_uwsgi_ini_overrides: {}
|
||||||
|
|
||||||
# Specify path on the local filesystem for glance-image-import.conf
|
# Specify path on the local filesystem for glance-image-import.conf
|
||||||
#glance_glance_image_import_conf_location: /path/to/local/glance-image-import.conf
|
#glance_glance_image_import_conf_location: /path/to/local/glance-image-import.conf
|
||||||
|
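--- a/files/rootwrap.d/glance_cinder_store.filters
+++ b/files/rootwrap.d/glance_cinder_store.filters
@@ -0,0 +1,29 @@
+# glance-rootwrap command filters for glance cinder store
+# This file should be owned by (and only-writable by) the root user
+
+[Filters]
+# cinder store driver
+disk_chown: RegExpFilter, chown, root, chown, \d+, /dev/(?!.*/\.\.).*
+
+# os-brick
+mount: CommandFilter, mount, root
+blockdev: RegExpFilter, blockdev, root, blockdev, (--getsize64|--flushbufs), /dev/.*
+tee: CommandFilter, tee, root
+mkdir: CommandFilter, mkdir, root
+chown: RegExpFilter, chown, root, chown root:root /etc/pstorage/clusters/(?!.*/\.\.).*
+ip: CommandFilter, ip, root
+dd: CommandFilter, dd, root
+iscsiadm: CommandFilter, iscsiadm, root
+aoe-revalidate: CommandFilter, aoe-revalidate, root
+aoe-discover: CommandFilter, aoe-discover, root
+aoe-flush: CommandFilter, aoe-flush, root
+read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi
+multipath: CommandFilter, multipath, root
+multipathd: CommandFilter, multipathd, root
+systool: CommandFilter, systool, root
+sg_scan: CommandFilter, sg_scan, root
+cp: CommandFilter, cp, root
+drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid
+sds_cli: CommandFilter, /usr/local/bin/sds/sds_cli, root
+vgc-cluster: CommandFilter, vgc-cluster, root
+scsi_id: CommandFilter, /lib/udev/scsi_id, root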
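Review bot: Several of the os-brick entries (`mount`, `tee`, `mkdir`, `ip`, `dd`, `cp`) are bare `CommandFilter`s, which match only the executable and accept any arguments, so this file does little to confine what the glance account can do as root once it can call glance-rootwrap. Where the cinder store only needs a known set of paths, prefer `RegExpFilter` entries with explicit argument patterns, as `blockdev` and `disk_chown` already do, and consider installing this file only when the cinder store is enabled. Separately, the `chown` entry has no commas after `chown` and `root:root`, so it appears to be a single pattern that cannot match a three-argument call; it probably should read `chown: RegExpFilter, chown, root, chown, root:root, /etc/pstorage/clusters/(?!.*/\.\.).*`.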
@ -13,6 +13,32 @@
|
|||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
|
# NOTE(CeeMac): This task is required to copy rootwrap filters that we need
|
||||||
|
# and glance does not provide by default.
|
||||||
|
- name: Create aux glance dir
|
||||||
|
file:
|
||||||
|
path: "{{ item.path | default(omit) }}"
|
||||||
|
state: "directory"
|
||||||
|
owner: "{{ item.owner|default(glance_system_user_name) }}"
|
||||||
|
group: "{{ item.group|default(glance_system_group_name) }}"
|
||||||
|
mode: "{{ item.mode | default(omit) }}"
|
||||||
|
loop:
|
||||||
|
- path: "/etc/glance/rootwrap.d"
|
||||||
|
owner: "root"
|
||||||
|
group: "root"
|
||||||
|
|
||||||
|
- name: Copy glance rootwrap filter config
|
||||||
|
copy:
|
||||||
|
src: "{{ item }}"
|
||||||
|
dest: "/etc/glance/rootwrap.d/"
|
||||||
|
owner: "root"
|
||||||
|
group: "root"
|
||||||
|
with_fileglob:
|
||||||
|
- rootwrap.d/*
|
||||||
|
tags:
|
||||||
|
- glance-config
|
||||||
|
- glance-post-install
|
||||||
|
|
||||||
- name: Deploy Glance configuration files
|
- name: Deploy Glance configuration files
|
||||||
config_template:
|
config_template:
|
||||||
src: "{{ item.src }}"
|
src: "{{ item.src }}"
|
||||||
@ -158,3 +184,15 @@
|
|||||||
- name: "{{ glance_bin }}/glance-cache-cleaner"
|
- name: "{{ glance_bin }}/glance-cache-cleaner"
|
||||||
hour: "*/5"
|
hour: "*/5"
|
||||||
when: glance_flavor is search("cache")
|
when: glance_flavor is search("cache")
|
||||||
|
|
||||||
|
- name: Drop sudoers file
|
||||||
|
template:
|
||||||
|
src: "sudoers.j2"
|
||||||
|
dest: "/etc/sudoers.d/{{ glance_system_user_name }}_sudoers"
|
||||||
|
mode: "0440"
|
||||||
|
owner: "root"
|
||||||
|
group: "root"
|
||||||
|
validate: '/usr/sbin/visudo -cf %s'
|
||||||
|
tags:
|
||||||
|
- sudoers
|
||||||
|
- glance-sudoers
|
||||||
|
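Review bot: Neither new task in the first hunk sets a `mode`: the loop item for `/etc/glance/rootwrap.d` has no `mode` key, so `mode` is omitted, and the `copy` task has none either, which leaves the permissions of the filter directory and files to the umask and the source files. The filter file's own header says it must be writable only by root, so state that explicitly, e.g. `mode: "0755"` on the directory item and `mode: "0644"` on the copy task. Both tasks, and the `Drop sudoers file` task in the second hunk, also run unconditionally as far as these hunks show; if the cinder store is optional in this role, gating them with a `when:` would keep the root escalation path off hosts that do not need it. The `Create aux glance dir` task also carries no tags, unlike the copy task that follows it.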
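--- a/templates/sudoers.j2
+++ b/templates/sudoers.j2
@@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+
+Defaults:{{ glance_system_user_name }} !requiretty
+Defaults:{{ glance_system_user_name }} secure_path="{{ glance_bin }}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+glance ALL = (root) NOPASSWD: {{ glance_bin }}/{{ glance_service_name }}-rootwrap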
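Review bot: The rule on the last line names the account literally as `glance`, while both `Defaults` lines and the task's `dest` use `{{ glance_system_user_name }}`; with a non-default user name the rule would not cover the service account and would instead grant a different `glance` account, if one exists. The rule also allows the rootwrap binary with any arguments, and since rootwrap takes its config file as the first argument, the filters under `/etc/glance/rootwrap.d` are only a boundary if sudo pins that argument. Suggested: `{{ glance_system_user_name }} ALL = (root) NOPASSWD: {{ glance_bin }}/{{ glance_service_name }}-rootwrap <ROOTWRAP_CONF_PATH> *`, with the placeholder replaced by the root-owned rootwrap.conf the role deploys. It is also worth confirming that `{{ glance_bin }}`, which comes first in `secure_path`, is not writable by the glance user.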