Merge "Add rootwrap config and command for solum"

2017-09-20 14:49:43 +00:00 · 2017-09-20 14:49:43 +00:00 · 77b70abbab
commit 77b70abbab
parent a3ae4486d9 f15ab604d0
6 changed files with 50 additions and 0 deletions
--- a/etc/solum/rootwrap.conf
+++ b/etc/solum/rootwrap.conf
@ -0,0 +1,27 @@
+# Configuration for solum-rootwrap
+# This file should be owned by (and only writable by) the root user
+
+[DEFAULT]
+# List of directories to load filter definitions from (separated by ',').
+# These directories MUST all be only writable by root !
+filters_path=/etc/solum/rootwrap.d,/usr/share/solum/rootwrap
+
+# List of directories to search executables in, in case filters do not
+# explicitly specify a full path (separated by ',')
+# If not specified, defaults to system PATH environment variable.
+# These directories MUST all be only writable by root !
+exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
+
+# Enable logging to syslog
+# Default value is False
+use_syslog=False
+
+# Which syslog facility to use.
+# Valid values include auth, authpriv, syslog, user0, user1...
+# Default value is 'syslog'
+syslog_log_facility=syslog
+
+# Which messages to log.
+# INFO means log all usage
+# ERROR means only log unsuccessful attempts
+syslog_log_level=ERROR
--- a/etc/solum/rootwrap.d/solum.filters
+++ b/etc/solum/rootwrap.d/solum.filters
@ -0,0 +1,4 @@
+# solum-rootwrap command filters for scripts
+# This file should be owned by (and only-writable by) the root user
+
+[Filters]
--- a/requirements.txt
+++ b/requirements.txt
@ -17,6 +17,7 @@ oslo.middleware>=3.27.0 # Apache-2.0
 oslo.serialization!=2.19.1,>=1.10.0 # Apache-2.0
 oslo.utils>=3.20.0 # Apache-2.0
 oslo.log>=3.30.0 # Apache-2.0
+oslo.rootwrap>=5.0.0 # Apache-2.0
 pbr!=2.1.0,>=2.0.0 # Apache-2.0
 pecan!=1.0.2,!=1.0.3,!=1.0.4,!=1.2,>=1.0.0 # BSD
 pycrypto>=2.6 # Public Domain
--- a/setup.cfg
+++ b/setup.cfg
@ -52,6 +52,7 @@ console_scripts =
    solum-db-manage = solum.cmd.db_manage:main
    solum-deployer = solum.cmd.deployer:main
    solum-worker = solum.cmd.worker:main
+    solum-rootwrap = oslo_rootwrap.cmd:main

 wsgi_scripts =
    solum-wsgi-api = solum.httpd.solum_api:init_application
--- a/solum/common/utils.py
+++ b/solum/common/utils.py
@ -12,6 +12,7 @@


 from Crypto.Cipher import AES
+from oslo_concurrency import processutils
 from oslo_config import cfg


@ -54,3 +55,15 @@ def decrypt(ciphertext):
    obj = AES.new(encryption_key, AES.MODE_CFB, init_vector)
    value = obj.decrypt(ciphertext)
    return value
+
+
+def get_root_helper():
+    solum_rootwrap_config = cfg.CONF.worker.rootwrap_config
+    return 'sudo solum-rootwrap %s' % solum_rootwrap_config
+
+
+def execute(*cmd, **kwargs):
+    """Convenience wrapper around oslo's execute() method."""
+    if 'run_as_root' in kwargs and 'root_helper' not in kwargs:
+        kwargs['root_helper'] = get_root_helper()
+    return processutils.execute(*cmd, **kwargs)
--- a/solum/worker/config.py
+++ b/solum/worker/config.py
@ -96,6 +96,10 @@ SERVICE_OPTS = [
               help='max memory a container can consume. No limit by default'),
    cfg.IntOpt('docker_build_timeout', default=1800,
               help='max time a docker build can take. Default: 30 minutes'),
+    cfg.StrOpt('rootwrap_config',
+               default='/etc/solum/rootwrap.conf',
+               help='Path to the rootwrap configuration file to use for '
+                    'running commands as root.'),
 ]

 opt_group = cfg.OptGroup(