
First pass at script cleanup

This change removes bits from our imported scripts that are irrelevant
for a TripleO environment. All of the sudoers implementations have been
moved into files which are copied into containers. This move will unify
how we deploy privilege escalations.

The kolla user will now be able to execute any kolla* command which
should allow us to generally simplify how we handle sudoers across
our container base.

Story: 2007780
Task: 40014
Change-Id: I2e0b98d9f60e3c862e9db3f7d87f09b5bd3a0887
Signed-off-by: Kevin Carter <kecarter@redhat.com>
(cherry picked from commit 9190a3d0001bed39a12f097750bef90d5015a42c)
Kevin Carter 3 months ago
committed by Emilien Macchi
parent
commit
844f1d56c5
7 changed files with 7 additions and 7 deletions
  1. +1
    -0
      container-images/kolla/barbican-base/sudoers
  2. +1
    -1
      container-images/kolla/base/httpd_setup.sh
  3. +1
    -1
      container-images/kolla/base/sudoers
  4. +1
    -1
      container-images/kolla/horizon/extend_start.sh
  5. +0
    -2
      container-images/kolla/neutron-base/neutron_sudoers
  6. +0
    -1
      container-images/tcib/base/mariadb/mariadb.yaml
  7. +3
    -1
      container-images/tcib/base/os/barbican-base/barbican-base.yaml

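--- /dev/null
+++ b/container-images/kolla/barbican-base/sudoers
@@ -0,0 +1 @@
+%kolla ALL=(root) NOPASSWD: /usr/bin/chown -R barbican /var/lib/barbican/, /bin/chown -R barbican /var/lib/barbican/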
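Review bot: The new sudoers drop-in carries no comment saying why the kolla group needs this grant, and sudoers accepts `#` comments, so a one-line header would help the next editor: `# Let the kolla group reset ownership of barbican's state dir at container start; args are part of the rule, so only this exact chown matches (both /bin and /usr/bin spellings listed because sudo matches the path as invoked).` The rule is tight as written — the arguments are fixed, and GNU chown's default `-P` does not follow symlinks under the tree, so the grant cannot be steered outside `/var/lib/barbican/`. Note that this file is only honoured because the base image's sudoers ends with `#includedir /etc/sudoers.d`; if that include were ever dropped the grant silently disappears.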

+ 1
- 1
container-images/kolla/base/httpd_setup.sh

@@ -14,7 +14,7 @@ if [[ "$(whoami)" == 'root' ]]; then
# on startup:
# SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty
# Work around this by generating certificates manually.
if [[ ${KOLLA_BASE_DISTRO} = centos ]] && [[ ! -e /etc/pki/tls/certs/localhost.crt ]]; then
if [[ ! -e /etc/pki/tls/certs/localhost.crt ]]; then
/usr/libexec/httpd-ssl-gencerts
fi
fi
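Review bot: With the distro guard gone, the remaining branch calls `/usr/libexec/httpd-ssl-gencerts` unconditionally whenever `localhost.crt` is missing, so the script now hard-depends on that RHEL-family helper being present, while the comment above still only explains the mod_ssl startup failure. Guarding on the helper keeps the workaround self-contained and makes the assumption visible: `if [[ ! -e /etc/pki/tls/certs/localhost.crt && -x /usr/libexec/httpd-ssl-gencerts ]]; then`. A short addition to the comment, `# TripleO images are RHEL-family only, so the helper is expected to exist`, would record why the distro check was safe to drop. The enclosing `if [[ "$(whoami)" == 'root' ]]` block begins before this hunk.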

+ 1
- 1
container-images/kolla/base/sudoers

@@ -13,6 +13,6 @@ root ALL=(ALL) ALL

# anyone in the kolla group may run /usr/local/bin/kolla_set_configs as the
# root user via sudo without password confirmation
%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_set_configs
%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla*

#includedir /etc/sudoers.d
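Review bot: The two comment lines directly above the new rule still describe the old single-command grant (`/usr/local/bin/kolla_set_configs`) and now contradict the glob on the rule itself; they should read `# anyone in the kolla group may run any /usr/local/bin/kolla* command as the` / `# root user via sudo without password confirmation`. Worth stating in that comment that sudoers matches the wildcard against the command path only and the rule lists no arguments, so every present or future file with that prefix — including the per-image `kolla_extend_start` scripts this series copies into `/usr/local/bin` — becomes a passwordless root entry point with unrestricted arguments, which is a larger surface than the commit message's "simplify sudoers" suggests. A `# NOTE: /usr/local/bin must stay root-owned and unwritable by the kolla group` line records the invariant the rule now depends on; if the set of kolla_* helpers is fixed at build time, listing them explicitly instead of the glob keeps the grant auditable (offered as a suggestion, since not every image's helper set is visible here).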

+ 1
- 1
container-images/kolla/horizon/extend_start.sh

@@ -4,7 +4,7 @@ set -o errexit

FORCE_GENERATE="${FORCE_GENERATE}"
HASH_PATH=/var/lib/kolla/.settings.md5sum.txt
MANAGE_PY="/usr/bin/python${KOLLA_DISTRO_PYTHON_VERSION} /usr/bin/manage.py"
MANAGE_PY="/usr/bin/python3 /usr/bin/manage.py"

if [[ -f /etc/openstack-dashboard/custom_local_settings ]]; then
CUSTOM_SETTINGS_FILE="${SITE_PACKAGES}/openstack_dashboard/local/custom_local_settings.py"
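Review bot: `MANAGE_PY` now holds an interpreter plus a script path in one string, so whatever expands it later in the file (outside this hunk) must do so unquoted and rely on word splitting. A bash array makes that explicit and survives a path with spaces: `MANAGE_PY=(/usr/bin/python3 /usr/bin/manage.py)` used as `"${MANAGE_PY[@]}"` — every use site would have to change with it, so this is a follow-up rather than a blocker. Since `KOLLA_DISTRO_PYTHON_VERSION` is no longer read here, it is worth checking whether anything else in the image still consumes it before leaving it in the environment.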


+ 0
- 2
container-images/kolla/neutron-base/neutron_sudoers

@@ -1,5 +1,3 @@
neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
neutron ALL = (root) NOPASSWD: /usr/bin/update-alternatives --set iptables /usr/sbin/iptables-legacy
neutron ALL = (root) NOPASSWD: /usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
neutron ALL = (root) NOPASSWD: /usr/bin/update-alternatives --auto iptables


+ 0
- 1
container-images/tcib/base/mariadb/mariadb.yaml

@@ -1,5 +1,4 @@
tcib_actions:
- run: 'echo "%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_security_reset" > /etc/sudoers.d/security_reset && chmod 640 /etc/sudoers.d/security_reset'
- run: bash /usr/local/bin/uid_gid_manage {{ tcib_user }}
- run: dnf -y install {{ tcib_packages['common'] | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf
- copy: /usr/share/tripleo-common/container-images/kolla/mariadb/extend_start.sh /usr/local/bin/kolla_extend_start


+ 3
- 1
container-images/tcib/base/os/barbican-base/barbican-base.yaml

@@ -1,7 +1,9 @@
tcib_actions:
- run: bash /usr/local/bin/uid_gid_manage nfast barbican
- run: dnf -y install {{ tcib_packages['common'] | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf
- run: 'echo "%kolla ALL=(root) NOPASSWD: /usr/bin/chown -R barbican /var/lib/barbican/, /bin/chown -R barbican /var/lib/barbican/" > /etc/sudoers.d/barbican_sudoers && chmod 640 /etc/sudoers.d/barbican_sudoers'
- copy: /usr/share/tripleo-common/container-images/kolla/barbican-base/sudoers /etc/sudoers.d/barbican_sudoers
- run: chmod 640 /etc/sudoers.d/barbican_sudoers
tcib_gather_files: '{{ lookup(''fileglob'', ''/usr/share/tripleo-common/container-images/kolla/barbican-base/*'', wantlist=True) }}'
tcib_packages:
common:
- openstack-barbican-common
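Review bot: sudo refuses a `/etc/sudoers.d` drop-in that is not owned by uid 0 or is writable by group/other; the new `copy:` step followed by `chmod 640` fixes the mode but says nothing about ownership, which now depends on how the `copy` action is implemented by the build tool rather than on the explicit `echo ... >` the old `run` step used. Folding an ownership fix into the existing run step removes that dependency: `- run: chown root:root /etc/sudoers.d/barbican_sudoers && chmod 640 /etc/sudoers.d/barbican_sudoers`. A one-line comment above the `copy:` noting that the file is loaded through the base image's `#includedir /etc/sudoers.d` would also help, since nothing in this yaml shows where the drop-in gets picked up.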
