First pass at script cleanup
This change removes bits from our imported scripts that are irrelevant
for a TripleO environment. All of the sudoers implementations have been
moved into files which are copied into containers. This move will unify
how we deploy privilege escalations.
The kolla user will now be able to execute any kolla* command which
should allow us to generally simplify how we handle sudoers across
our container base.
Story: 2007780
Task: 40014
Change-Id: I2e0b98d9f60e3c862e9db3f7d87f09b5bd3a0887
Signed-off-by: Kevin Carter <kecarter@redhat.com>
(cherry picked from commit 9190a3d000
)
parent
7638f86e80
commit
844f1d56c5
|
@ -0,0 +1 @@
|
|||
%kolla ALL=(root) NOPASSWD: /usr/bin/chown -R barbican /var/lib/barbican/, /bin/chown -R barbican /var/lib/barbican/
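Review bot: The new sudoers fragment carries no comment saying why the kolla group needs a root `chown -R` over /var/lib/barbican/, whereas the base sudoers file touched by this commit documents its rule. A header such as `# kolla group may reset ownership of /var/lib/barbican/; sudo matches these arguments literally` would make later audits easier. Because the command runs recursively as root over a service data directory, it is also worth confirming that only trusted processes populate that tree before it runs.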
|
|
@ -14,7 +14,7 @@ if [[ "$(whoami)" == 'root' ]]; then
|
|||
# on startup:
|
||||
# SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty
|
||||
# Work around this by generating certificates manually.
|
||||
if [[ ${KOLLA_BASE_DISTRO} = centos ]] && [[ ! -e /etc/pki/tls/certs/localhost.crt ]]; then
|
||||
if [[ ! -e /etc/pki/tls/certs/localhost.crt ]]; then
|
||||
/usr/libexec/httpd-ssl-gencerts
|
||||
fi
|
||||
fi
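Review bot: The guard `[[ ! -e /etc/pki/tls/certs/localhost.crt ]]` only covers a missing certificate, while the comment above it describes httpd failing when the file "does not exist or is empty", so a zero-length file would skip generation. `[[ ! -s /etc/pki/tls/certs/localhost.crt ]]` covers both cases. The enclosing `if [[ "$(whoami)" == 'root' ]]` block starts outside this hunk.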
|
||||
|
|
|
@ -13,6 +13,6 @@ root ALL=(ALL) ALL
|
|||
|
||||
# anyone in the kolla group may run /usr/local/bin/kolla_set_configs as the
|
||||
# root user via sudo without password confirmation
|
||||
%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_set_configs
|
||||
%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla*
|
||||
|
||||
#includedir /etc/sudoers.d
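Review bot: The new grant `%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla*` matches every file in /usr/local/bin whose name starts with `kolla`, with any arguments. Each such script, for example the `kolla_extend_start` files that the image definitions copy in, therefore becomes a root entry point for the whole kolla group. Listing the commands that actually need root keeps the grant auditable, e.g. `%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_set_configs, /usr/local/bin/kolla_security_reset`. If the wildcard stays, the images should guarantee that /usr/local/bin and every `kolla*` file in it are root-owned and not writable by the kolla group. The comment above the rule still names only `kolla_set_configs` and should be updated to describe what is now allowed.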
|
||||
|
|
|
@ -4,7 +4,7 @@ set -o errexit
|
|||
|
||||
FORCE_GENERATE="${FORCE_GENERATE}"
|
||||
HASH_PATH=/var/lib/kolla/.settings.md5sum.txt
|
||||
MANAGE_PY="/usr/bin/python${KOLLA_DISTRO_PYTHON_VERSION} /usr/bin/manage.py"
|
||||
MANAGE_PY="/usr/bin/python3 /usr/bin/manage.py"
|
||||
|
||||
if [[ -f /etc/openstack-dashboard/custom_local_settings ]]; then
|
||||
CUSTOM_SETTINGS_FILE="${SITE_PACKAGES}/openstack_dashboard/local/custom_local_settings.py"
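Review bot: `${SITE_PACKAGES}` on the `CUSTOM_SETTINGS_FILE` line is defined outside this hunk; if it is also built from `KOLLA_DISTRO_PYTHON_VERSION`, it needs the same treatment as `MANAGE_PY`, otherwise the custom settings path would be computed from a variable this change stops relying on. Separately, `MANAGE_PY` holds a command plus its argument in one string and so depends on unquoted expansion at the call sites, which are not visible here. An array, `MANAGE_PY=(/usr/bin/python3 /usr/bin/manage.py)` used as `"${MANAGE_PY[@]}"`, would avoid that.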
|
||||
|
|
|
@ -1,5 +1,3 @@
|
|||
neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
|
||||
neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
|
||||
neutron ALL = (root) NOPASSWD: /usr/bin/update-alternatives --set iptables /usr/sbin/iptables-legacy
|
||||
neutron ALL = (root) NOPASSWD: /usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
|
||||
neutron ALL = (root) NOPASSWD: /usr/bin/update-alternatives --auto iptables
|
||||
|
|
|
@ -1,5 +1,4 @@
|
|||
tcib_actions:
|
||||
- run: 'echo "%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_security_reset" > /etc/sudoers.d/security_reset && chmod 640 /etc/sudoers.d/security_reset'
|
||||
- run: bash /usr/local/bin/uid_gid_manage {{ tcib_user }}
|
||||
- run: dnf -y install {{ tcib_packages['common'] | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf
|
||||
- copy: /usr/share/tripleo-common/container-images/kolla/mariadb/extend_start.sh /usr/local/bin/kolla_extend_start
|
||||
|
|
|
@ -1,7 +1,9 @@
|
|||
tcib_actions:
|
||||
- run: bash /usr/local/bin/uid_gid_manage nfast barbican
|
||||
- run: dnf -y install {{ tcib_packages['common'] | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf
|
||||
- run: 'echo "%kolla ALL=(root) NOPASSWD: /usr/bin/chown -R barbican /var/lib/barbican/, /bin/chown -R barbican /var/lib/barbican/" > /etc/sudoers.d/barbican_sudoers && chmod 640 /etc/sudoers.d/barbican_sudoers'
|
||||
- copy: /usr/share/tripleo-common/container-images/kolla/barbican-base/sudoers /etc/sudoers.d/barbican_sudoers
|
||||
- run: chmod 640 /etc/sudoers.d/barbican_sudoers
|
||||
tcib_gather_files: '{{ lookup(''fileglob'', ''/usr/share/tripleo-common/container-images/kolla/barbican-base/*'', wantlist=True) }}'
|
||||
tcib_packages:
|
||||
common:
|
||||
- openstack-barbican-common
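Review bot: The copied sudoers file is installed with `chmod 640` and is never syntax-checked during the build, so a malformed `barbican-base/sudoers` would presumably surface only when sudo is invoked inside the running container. Assuming visudo is present in the image, `- run: chmod 0440 /etc/sudoers.d/barbican_sudoers && visudo -cf /etc/sudoers.d/barbican_sudoers` would use the conventional read-only mode for sudoers fragments and fail the image build on a parse error.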
|
||||
|
|