
First pass at script cleanup

This change removes bits from our imported scripts that are irrelevant
for a TripleO environment. All of the sudoers implementations have been
moved into files which are copied into containers. This move will unify
how we deploy privilege escalations.

The kolla user will now be able to execute any kolla* command which
should allow us to generally simplify how we handle sudoers across
our container base.

Story: 2007780
Task: 40014
Change-Id: I2e0b98d9f60e3c862e9db3f7d87f09b5bd3a0887
Signed-off-by: Kevin Carter <kecarter@redhat.com>
changes/61/735661/22
Kevin Carter 2 years ago
parent
commit
9190a3d000
  1. 1
      container-images/kolla/barbican-base/sudoers
  2. 2
      container-images/kolla/base/httpd_setup.sh
  3. 2
      container-images/kolla/base/sudoers
  4. 2
      container-images/kolla/horizon/extend_start.sh
  5. 2
      container-images/kolla/neutron-base/neutron_sudoers
  6. 1
      container-images/tcib/base/mariadb/mariadb.yaml
  7. 4
      container-images/tcib/base/os/barbican-base/barbican-base.yaml

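--- a/container-images/kolla/barbican-base/sudoers
+++ b/container-images/kolla/barbican-base/sudoers
@@ -0,0 +1 @@
+%kolla ALL=(root) NOPASSWD: /usr/bin/chown -R barbican /var/lib/barbican/, /bin/chown -R barbican /var/lib/barbican/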
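Review bot: The rule in this new fragment is granted to the whole %kolla group and has no comment saying which service relies on it, unlike the commented rule in base/sudoers. barbican-base.yaml adds the barbican user to kolla, so the grant looks intended for that one account (inferred, not shown here). If so, consider scoping it as `barbican ALL=(root) NOPASSWD: /usr/bin/chown -R barbican /var/lib/barbican/, /bin/chown -R barbican /var/lib/barbican/` so other kolla-group members in derived images do not inherit it. At minimum add a header line such as `# Members of the kolla group may chown /var/lib/barbican/ to barbican as root without a password; arguments are pinned, do not add wildcards.`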

2
container-images/kolla/base/httpd_setup.sh

@ -14,7 +14,7 @@ if [[ "$(whoami)" == 'root' ]]; then
# on startup:
# SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty
# Work around this by generating certificates manually.
if [[ ${KOLLA_BASE_DISTRO} = centos ]] && [[ ! -e /etc/pki/tls/certs/localhost.crt ]]; then
if [[ ! -e /etc/pki/tls/certs/localhost.crt ]]; then
/usr/libexec/httpd-ssl-gencerts
fi
fi
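Review bot: The guard on the new line tests only `-e`, while the comment above it says httpd fails when localhost.crt "does not exist or is empty", so an empty file would skip regeneration. `if [[ ! -s /etc/pki/tls/certs/localhost.crt ]]; then` covers both cases. With the distro check gone the branch no longer depends on KOLLA_BASE_DISTRO, so it may also be worth confirming that /usr/libexec/httpd-ssl-gencerts exists before calling it. The enclosing `if [[ "$(whoami)" == 'root' ]]` block starts outside the hunk.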

2
container-images/kolla/base/sudoers

@ -13,6 +13,6 @@ root ALL=(ALL) ALL
# anyone in the kolla group may run /usr/local/bin/kolla_set_configs as the
# root user via sudo without password confirmation
%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_set_configs
%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla*
#includedir /etc/sudoers.d
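Review bot: The new `%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla*` rule lets every member of the kolla group run, as root and with any arguments, every file in /usr/local/bin whose name starts with kolla. That includes scripts added later by derived images, not only the ones that exist today. The comment above the rule still describes kolla_set_configs alone and should be updated to match. An explicit list keeps the grant auditable, for example `%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_set_configs, /usr/local/bin/kolla_security_reset`, the two commands this page shows were granted before. If the wildcard stays, the image build should ensure /usr/local/bin and every kolla* file in it are root-owned and not group- or world-writable, and that none of those scripts executes caller-supplied arguments or environment.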

2
container-images/kolla/horizon/extend_start.sh

@ -4,7 +4,7 @@ set -o errexit
FORCE_GENERATE="${FORCE_GENERATE}"
HASH_PATH=/var/lib/kolla/.settings.md5sum.txt
MANAGE_PY="/usr/bin/python${KOLLA_DISTRO_PYTHON_VERSION} /usr/bin/manage.py"
MANAGE_PY="/usr/bin/python3 /usr/bin/manage.py"
if [[ -f /etc/openstack-dashboard/custom_local_settings ]]; then
CUSTOM_SETTINGS_FILE="${SITE_PACKAGES}/openstack_dashboard/local/custom_local_settings.py"

2
container-images/kolla/neutron-base/neutron_sudoers

@ -1,5 +1,3 @@
neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
neutron ALL = (root) NOPASSWD: /usr/bin/update-alternatives --set iptables /usr/sbin/iptables-legacy
neutron ALL = (root) NOPASSWD: /usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
neutron ALL = (root) NOPASSWD: /usr/bin/update-alternatives --auto iptables

1
container-images/tcib/base/mariadb/mariadb.yaml

@ -1,5 +1,4 @@
tcib_actions:
- run: 'echo "%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_security_reset" > /etc/sudoers.d/security_reset && chmod 640 /etc/sudoers.d/security_reset'
- run: if [ '{{ tcib_distro }}' == 'rhel' ]; then {% for item in tcib_packages.modules %}{% set key, value = (item.items() | list).0 %}dnf module -y {{ key }} {{ value }}; {% endfor %}fi
- run: dnf -y install {{ tcib_packages['common'] | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf
- copy: /usr/share/tripleo-common/container-images/kolla/mariadb/extend_start.sh /usr/local/bin/kolla_extend_start

4
container-images/tcib/base/os/barbican-base/barbican-base.yaml

@ -1,7 +1,9 @@
tcib_actions:
- run: dnf -y install {{ tcib_packages['common'] | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf
- run: 'echo "%kolla ALL=(root) NOPASSWD: /usr/bin/chown -R barbican /var/lib/barbican/, /bin/chown -R barbican /var/lib/barbican/" > /etc/sudoers.d/barbican_sudoers && chmod 640 /etc/sudoers.d/barbican_sudoers'
- copy: /usr/share/tripleo-common/container-images/kolla/barbican-base/sudoers /etc/sudoers.d/barbican_sudoers
- run: chmod 640 /etc/sudoers.d/barbican_sudoers
- run: usermod -a -G kolla barbican
tcib_gather_files: '{{ lookup(''fileglob'', ''/usr/share/tripleo-common/container-images/kolla/barbican-base/*'', wantlist=True) }}'
tcib_packages:
common:
- openstack-barbican-common
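Review bot: The sudoers fragment copied to /etc/sudoers.d/barbican_sudoers is installed without a syntax check, so a malformed file would surface only at container runtime, when sudo parses it. Failing the image build is cheaper: `- run: chmod 440 /etc/sudoers.d/barbican_sudoers && visudo -cf /etc/sudoers.d/barbican_sudoers` (this assumes visudo ships with the sudo package in the base image). Mode 0440 is the conventional mode for sudoers files, and the owner write bit kept by 640 is not needed. The `copy` action's resulting ownership is not visible here; sudo expects the file to be owned by root, so it is worth confirming.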
