Merge "Drop support for rootwrap"

2024-01-05 00:25:32 +00:00 · 2024-01-05 00:25:32 +00:00 · a66596474f
parent 87e594943a 0fd1e03907
commit a66596474f
4 changed files with 22 additions and 62 deletions
--- a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
@ -141,34 +141,14 @@
    group: "ironic"
    mode: "0755"

-# Note(TheJulia): The rootwrap copies will need to be re-tooled
-# to possibly directly retreive current files if a source install
-# is not utilized.
- name: "Copy rootwrap.conf from ironic source folder"
-  copy:
-    src: "{{ ironic_git_folder }}/etc/ironic/rootwrap.conf"
-    dest: "/etc/ironic/rootwrap.conf"
-    remote_src: yes
-    mode: "0644"
-    owner: root
-    group: root
-  when: not skip_install | bool
- name: "Copy rootwrap.d contents from ironic source folder"
-  copy:
-    src: "{{ ironic_git_folder }}/etc/ironic/rootwrap.d/"
-    dest: "/etc/ironic/rootwrap.d/"
-    remote_src: yes
-    owner: root
-    group: root
-  when: not skip_install | bool
- name: "Copy rootwrap.d contents from ironic-lib installation"
-  copy:
-    src: "{{ bifrost_venv_dir }}/etc/ironic/rootwrap.d/ironic-lib.filters"
-    dest: "/etc/ironic/rootwrap.d/"
-    remote_src: yes
-    owner: root
-    group: root
-  when: not skip_install | bool
+- name: "Remove old rootwrap locations"
+  file:
+    name: "{{ item }}"
+    state: absent
+  loop:
+    - "/etc/ironic/rootwrap.conf"
+    - "/etc/ironic/rootwrap.d"
+    - "{{ ironic_rootwrap_dir }}/ironic-rootwrap"

 - name: "Generate htpasswd(s) for ironic"
  htpasswd:
--- a/playbooks/roles/bifrost-ironic-install/tasks/inspector_bootstrap.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/inspector_bootstrap.yml
@ -57,21 +57,14 @@
    mode: "0755"
    state: directory

-# Note(TheJulia): The rootwrap copies will need to be re-tooled
-# to possibly directly retreive current files if a source install
-# is not utilized.
- name: "Copy rootwrap.conf from ironic-inspector source folder"
-  copy:
-    src: "{{ ironicinspector_git_folder }}/rootwrap.conf"
-    dest: "/etc/ironic-inspector/rootwrap.conf"
-    remote_src: yes
-    mode: "0644"
-    owner: root
-    group: root
-# Note(ashestakov): "copy" module in ansible doesn't support recursive
-# copying on remote host. "cp" command used instead.
- name: "Copy rootwrap.d contents from ironic-inspector source folder"
-  command: cp -r "{{ ironicinspector_git_folder }}/rootwrap.d/" "/etc/ironic-inspector/rootwrap.d"
+- name: "Remove old rootwrap locations"
+  file:
+    name: "{{ item }}"
+    state: absent
+  loop:
+    - "/etc/ironic-inspector/rootwrap.conf"
+    - "/etc/ironic-inspector/rootwrap.d"
+    - "{{ ironic_rootwrap_dir }}/ironic-inspector-rootwrap"

 - name: "Generate htpasswd(s) for ironic-inspector"
  htpasswd:
--- a/playbooks/roles/bifrost-ironic-install/tasks/ironic_config.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/ironic_config.yml
@ -44,22 +44,3 @@
    owner: ironic
    group: ironic
    mode: "0640"
-
- name: "Symlinks from venv"
-  file:
-    state: link
-    path: "{{ ironic_rootwrap_dir }}/{{ item | basename }}"
-    src: "{{ item }}"
-    owner: root
-    group: root
-  loop:
-    - "{{ bifrost_venv_dir }}/bin/ironic-rootwrap"
-    - "{{ bifrost_venv_dir }}/bin/ironic-inspector-rootwrap"
- name: "Set sudoers for rootwrap"
-  lineinfile:
-    dest: /etc/sudoers
-    regexp: "^ironic(.*)/{{ item }}-rootwrap /etc/{{ item }}/rootwrap.conf(.*)"
-    line: "ironic ALL = (root) NOPASSWD: {{ ironic_rootwrap_dir }}/{{ item }}-rootwrap /etc/{{ item }}/rootwrap.conf *"
-  loop:
-    - ironic
-    - ironic-inspector
--- a/releasenotes/notes/no-rootwrap-d9678d9904ee169f.yaml
+++ b/releasenotes/notes/no-rootwrap-d9678d9904ee169f.yaml
@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Removes the ``rootwrap`` privilege escalation framework. Ironic no longer
+    uses it, and Bifrost does not use the Inspector PXE filters that require
+    root.