First pass at script cleanup

This change removes bits from our imported scripts that are irrelevant
for a TripleO environment. All of the sudoers implementations have been
moved into files which are copied into containers. This move will unify
how we deploy privilege escalations.

The kolla user will now be able to execute any kolla* command which
should allow us to generally simplify how we handle sudoers across
our container base.

Story: 2007780
Task: 40014
Change-Id: I2e0b98d9f60e3c862e9db3f7d87f09b5bd3a0887
Signed-off-by: Kevin Carter <kecarter@redhat.com>
Kevin Carter 2020-06-15 14:10:25 -05:00
parent 7dae02df2e
commit 9190a3d000
7 changed files with 7 additions and 7 deletions


@ -0,0 +1 @@
%kolla ALL=(root) NOPASSWD: /usr/bin/chown -R barbican /var/lib/barbican/, /bin/chown -R barbican /var/lib/barbican/
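Review bot: The rule in this new file is granted to the whole `%kolla` group, so every account in that group inside the image can run the recursive chown as root, not only the barbican service user. If only barbican needs it, scope the grant to that user, e.g. `barbican ALL=(root) NOPASSWD: /usr/bin/chown -R barbican /var/lib/barbican/, /bin/chown -R barbican /var/lib/barbican/`. A one-line `#` comment at the top of the file naming the startup step that relies on this rule would also help anyone auditing the drop-ins later.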


@ -14,7 +14,7 @@ if [[ "$(whoami)" == 'root' ]]; then
# on startup:
# SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty
# Work around this by generating certificates manually.
if [[ ${KOLLA_BASE_DISTRO} = centos ]] && [[ ! -e /etc/pki/tls/certs/localhost.crt ]]; then
if [[ ! -e /etc/pki/tls/certs/localhost.crt ]]; then
/usr/libexec/httpd-ssl-gencerts
fi
fi
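Review bot: The new guard `[[ ! -e /etc/pki/tls/certs/localhost.crt ]]` only tests existence, while the httpd error quoted in the comment above it also fires when the file is empty, so a zero-byte certificate skips regeneration and httpd still fails. Testing for a non-empty file covers both cases: `if [[ ! -s /etc/pki/tls/certs/localhost.crt ]]; then`. With the distro check gone, it is also worth confirming that `/usr/libexec/httpd-ssl-gencerts` is present in every image that runs this script. The enclosing `if [[ "$(whoami)" == 'root' ]]` block starts outside the hunk, so the error handling around the call is not visible here.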


@ -13,6 +13,6 @@ root ALL=(ALL) ALL
# anyone in the kolla group may run /usr/local/bin/kolla_set_configs as the
# root user via sudo without password confirmation
%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_set_configs
%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla*
#includedir /etc/sudoers.d
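Review bot: The wildcard `/usr/local/bin/kolla*` turns a single-command grant into root execution, with arbitrary arguments, of every current and future file in /usr/local/bin whose name starts with `kolla`, which includes service-specific scripts such as the `kolla_extend_start` that the image definitions copy in. That is only safe if the directory and each of those scripts are root-owned and not writable by any kolla group member, and if each script tolerates being run as root by any service account. An explicit list keeps the grant auditable, e.g. `Cmnd_Alias KOLLA_CMDS = /usr/local/bin/kolla_set_configs, /usr/local/bin/kolla_security_reset` followed by `%kolla ALL=(root) NOPASSWD: KOLLA_CMDS`. If the wildcard stays, the comment above the rule still names only kolla_set_configs and should be updated to describe the wider grant.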


@ -4,7 +4,7 @@ set -o errexit
FORCE_GENERATE="${FORCE_GENERATE}"
HASH_PATH=/var/lib/kolla/.settings.md5sum.txt
MANAGE_PY="/usr/bin/python${KOLLA_DISTRO_PYTHON_VERSION} /usr/bin/manage.py"
MANAGE_PY="/usr/bin/python3 /usr/bin/manage.py"
if [[ -f /etc/openstack-dashboard/custom_local_settings ]]; then
CUSTOM_SETTINGS_FILE="${SITE_PACKAGES}/openstack_dashboard/local/custom_local_settings.py"


@ -1,5 +1,3 @@
neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
neutron ALL = (root) NOPASSWD: /usr/bin/update-alternatives --set iptables /usr/sbin/iptables-legacy
neutron ALL = (root) NOPASSWD: /usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
neutron ALL = (root) NOPASSWD: /usr/bin/update-alternatives --auto iptables


@ -1,5 +1,4 @@
tcib_actions:
- run: 'echo "%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_security_reset" > /etc/sudoers.d/security_reset && chmod 640 /etc/sudoers.d/security_reset'
- run: if [ '{{ tcib_distro }}' == 'rhel' ]; then {% for item in tcib_packages.modules %}{% set key, value = (item.items() | list).0 %}dnf module -y {{ key }} {{ value }}; {% endfor %}fi
- run: dnf -y install {{ tcib_packages['common'] | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf
- copy: /usr/share/tripleo-common/container-images/kolla/mariadb/extend_start.sh /usr/local/bin/kolla_extend_start


@ -1,7 +1,9 @@
tcib_actions:
- run: dnf -y install {{ tcib_packages['common'] | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf
- run: 'echo "%kolla ALL=(root) NOPASSWD: /usr/bin/chown -R barbican /var/lib/barbican/, /bin/chown -R barbican /var/lib/barbican/" > /etc/sudoers.d/barbican_sudoers && chmod 640 /etc/sudoers.d/barbican_sudoers'
- copy: /usr/share/tripleo-common/container-images/kolla/barbican-base/sudoers /etc/sudoers.d/barbican_sudoers
- run: chmod 640 /etc/sudoers.d/barbican_sudoers
- run: usermod -a -G kolla barbican
tcib_gather_files: '{{ lookup(''fileglob'', ''/usr/share/tripleo-common/container-images/kolla/barbican-base/*'', wantlist=True) }}'
tcib_packages:
common:
- openstack-barbican-common
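Review bot: The copied drop-in is finalized with `- run: chmod 640 /etc/sudoers.d/barbican_sudoers`, which leaves it owner-writable, and nothing checks its ownership or syntax after the copy. The conventional mode for sudoers files is 0440, and a drop-in with a syntax error or wrong ownership can break sudo inside the container. Consider `- run: chown root:root /etc/sudoers.d/barbican_sudoers && chmod 0440 /etc/sudoers.d/barbican_sudoers && visudo -cf /etc/sudoers.d/barbican_sudoers` so a malformed or mis-owned file fails the image build instead of surfacing at container start. The same check would apply to any other sudoers file this series moves from an inline `echo` to a `copy` action.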