Merge "Drop support for rootwrap"
commit
a66596474f
|
@ -141,34 +141,14 @@
|
|||
group: "ironic"
|
||||
mode: "0755"
|
||||
|
||||
# Note(TheJulia): The rootwrap copies will need to be re-tooled
|
||||
# to possibly directly retreive current files if a source install
|
||||
# is not utilized.
|
||||
- name: "Copy rootwrap.conf from ironic source folder"
|
||||
copy:
|
||||
src: "{{ ironic_git_folder }}/etc/ironic/rootwrap.conf"
|
||||
dest: "/etc/ironic/rootwrap.conf"
|
||||
remote_src: yes
|
||||
mode: "0644"
|
||||
owner: root
|
||||
group: root
|
||||
when: not skip_install | bool
|
||||
- name: "Copy rootwrap.d contents from ironic source folder"
|
||||
copy:
|
||||
src: "{{ ironic_git_folder }}/etc/ironic/rootwrap.d/"
|
||||
dest: "/etc/ironic/rootwrap.d/"
|
||||
remote_src: yes
|
||||
owner: root
|
||||
group: root
|
||||
when: not skip_install | bool
|
||||
- name: "Copy rootwrap.d contents from ironic-lib installation"
|
||||
copy:
|
||||
src: "{{ bifrost_venv_dir }}/etc/ironic/rootwrap.d/ironic-lib.filters"
|
||||
dest: "/etc/ironic/rootwrap.d/"
|
||||
remote_src: yes
|
||||
owner: root
|
||||
group: root
|
||||
when: not skip_install | bool
|
||||
- name: "Remove old rootwrap locations"
|
||||
file:
|
||||
name: "{{ item }}"
|
||||
state: absent
|
||||
loop:
|
||||
- "/etc/ironic/rootwrap.conf"
|
||||
- "/etc/ironic/rootwrap.d"
|
||||
- "{{ ironic_rootwrap_dir }}/ironic-rootwrap"
|
||||
|
||||
- name: "Generate htpasswd(s) for ironic"
|
||||
htpasswd:
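Review bot: The new "Remove old rootwrap locations" task deletes the rootwrap config and the wrapper symlink, but nothing removes the `ironic ALL = (root) NOPASSWD: … *` line that the deleted "Set sudoers for rootwrap" task wrote to /etc/sudoers. The ironic-inspector hunk adds the same cleanup and has the same gap. Hosts upgraded from an earlier install would presumably keep that rule, so the ironic account retains passwordless root rights on a path that no longer holds the expected binary. I would add a cleanup task that reuses the original regexp with `state: absent` and validates the file with visudo before it is written, as sketched below. The surrounding task list starts and ends outside this hunk, so the exact placement needs checking against the full file.

```yaml
# … unchanged: "Remove old rootwrap locations" task …

- name: "Remove sudoers entries for rootwrap"
  lineinfile:
    path: /etc/sudoers
    regexp: "^ironic(.*)/{{ item }}-rootwrap /etc/{{ item }}/rootwrap.conf(.*)"
    state: absent
    validate: "visudo -cf %s"
  loop:
    - ironic
    - ironic-inspector
```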
|
||||
|
|
|
@ -57,21 +57,14 @@
|
|||
mode: "0755"
|
||||
state: directory
|
||||
|
||||
# Note(TheJulia): The rootwrap copies will need to be re-tooled
|
||||
# to possibly directly retreive current files if a source install
|
||||
# is not utilized.
|
||||
- name: "Copy rootwrap.conf from ironic-inspector source folder"
|
||||
copy:
|
||||
src: "{{ ironicinspector_git_folder }}/rootwrap.conf"
|
||||
dest: "/etc/ironic-inspector/rootwrap.conf"
|
||||
remote_src: yes
|
||||
mode: "0644"
|
||||
owner: root
|
||||
group: root
|
||||
# Note(ashestakov): "copy" module in ansible doesn't support recursive
|
||||
# copying on remote host. "cp" command used instead.
|
||||
- name: "Copy rootwrap.d contents from ironic-inspector source folder"
|
||||
command: cp -r "{{ ironicinspector_git_folder }}/rootwrap.d/" "/etc/ironic-inspector/rootwrap.d"
|
||||
- name: "Remove old rootwrap locations"
|
||||
file:
|
||||
name: "{{ item }}"
|
||||
state: absent
|
||||
loop:
|
||||
- "/etc/ironic-inspector/rootwrap.conf"
|
||||
- "/etc/ironic-inspector/rootwrap.d"
|
||||
- "{{ ironic_rootwrap_dir }}/ironic-inspector-rootwrap"
|
||||
|
||||
- name: "Generate htpasswd(s) for ironic-inspector"
|
||||
htpasswd:
|
||||
|
|
|
@ -44,22 +44,3 @@
|
|||
owner: ironic
|
||||
group: ironic
|
||||
mode: "0640"
|
||||
|
||||
- name: "Symlinks from venv"
|
||||
file:
|
||||
state: link
|
||||
path: "{{ ironic_rootwrap_dir }}/{{ item | basename }}"
|
||||
src: "{{ item }}"
|
||||
owner: root
|
||||
group: root
|
||||
loop:
|
||||
- "{{ bifrost_venv_dir }}/bin/ironic-rootwrap"
|
||||
- "{{ bifrost_venv_dir }}/bin/ironic-inspector-rootwrap"
|
||||
- name: "Set sudoers for rootwrap"
|
||||
lineinfile:
|
||||
dest: /etc/sudoers
|
||||
regexp: "^ironic(.*)/{{ item }}-rootwrap /etc/{{ item }}/rootwrap.conf(.*)"
|
||||
line: "ironic ALL = (root) NOPASSWD: {{ ironic_rootwrap_dir }}/{{ item }}-rootwrap /etc/{{ item }}/rootwrap.conf *"
|
||||
loop:
|
||||
- ironic
|
||||
- ironic-inspector
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
fixes:
|
||||
- |
|
||||
Removes the ``rootwrap`` privilege escalation framework. Ironic no longer
|
||||
uses it, and Bifrost does not use the Inspector PXE filters that require
|
||||
root.
|