Merge "Drop support for rootwrap"
commit
a66596474f
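--- a/PATH_NOT_SHOWN_1
+++ b/PATH_NOT_SHOWN_1
@@ -141,34 +141,14 @@
     group: "ironic"
     mode: "0755"
 
-# Note(TheJulia): The rootwrap copies will need to be re-tooled
-# to possibly directly retreive current files if a source install
-# is not utilized.
-- name: "Copy rootwrap.conf from ironic source folder"
-  copy:
-    src: "{{ ironic_git_folder }}/etc/ironic/rootwrap.conf"
-    dest: "/etc/ironic/rootwrap.conf"
-    remote_src: yes
-    mode: "0644"
-    owner: root
-    group: root
-  when: not skip_install | bool
-- name: "Copy rootwrap.d contents from ironic source folder"
-  copy:
-    src: "{{ ironic_git_folder }}/etc/ironic/rootwrap.d/"
-    dest: "/etc/ironic/rootwrap.d/"
-    remote_src: yes
-    owner: root
-    group: root
-  when: not skip_install | bool
-- name: "Copy rootwrap.d contents from ironic-lib installation"
-  copy:
-    src: "{{ bifrost_venv_dir }}/etc/ironic/rootwrap.d/ironic-lib.filters"
-    dest: "/etc/ironic/rootwrap.d/"
-    remote_src: yes
-    owner: root
-    group: root
-  when: not skip_install | bool
+- name: "Remove old rootwrap locations"
+  file:
+    name: "{{ item }}"
+    state: absent
+  loop:
+    - "/etc/ironic/rootwrap.conf"
+    - "/etc/ironic/rootwrap.d"
+    - "{{ ironic_rootwrap_dir }}/ironic-rootwrap"
 
 - name: "Generate htpasswd(s) for ironic"
   htpasswd: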
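Review bot: The new "Remove old rootwrap locations" task deletes the rootwrap config, the filters directory and the `ironic-rootwrap` symlink, but nothing in this commit removes the `ironic ALL = (root) NOPASSWD: ... -rootwrap ...` line that the deleted "Set sudoers for rootwrap" task (third hunk) wrote into `/etc/sudoers` on hosts deployed before this change. That leaves a passwordless sudo grant pointing at a path that no longer exists; it is dormant, but a stale privilege rule in sudoers is exactly what a later audit flags, and the same upgrade pass that removes the binary should remove the rule. A `lineinfile` task with `state: absent`, the same `regexp` the old task used, and `visudo` validation covers both ironic and ironic-inspector, and could live next to this cleanup task or in the file touched by the third hunk. The ironic-inspector cleanup in the second hunk has the same shape, and if `ironic_rootwrap_dir` is dropped from the role defaults elsewhere in this change, the loop item that references it here (and in the second hunk) will fail as undefined, so it is worth confirming the variable is still defined.
```yaml
# … unchanged: "Remove old rootwrap locations" task …
- name: "Remove obsolete sudoers entries for rootwrap"
  lineinfile:
    dest: /etc/sudoers
    regexp: "^ironic(.*)/{{ item }}-rootwrap /etc/{{ item }}/rootwrap.conf(.*)"
    state: absent
    validate: "visudo -cf %s"
  loop:
    - ironic
    - ironic-inspector
```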
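--- a/PATH_NOT_SHOWN_2
+++ b/PATH_NOT_SHOWN_2
@@ -57,21 +57,14 @@
     mode: "0755"
     state: directory
 
-# Note(TheJulia): The rootwrap copies will need to be re-tooled
-# to possibly directly retreive current files if a source install
-# is not utilized.
-- name: "Copy rootwrap.conf from ironic-inspector source folder"
-  copy:
-    src: "{{ ironicinspector_git_folder }}/rootwrap.conf"
-    dest: "/etc/ironic-inspector/rootwrap.conf"
-    remote_src: yes
-    mode: "0644"
-    owner: root
-    group: root
-# Note(ashestakov): "copy" module in ansible doesn't support recursive
-# copying on remote host. "cp" command used instead.
-- name: "Copy rootwrap.d contents from ironic-inspector source folder"
-  command: cp -r "{{ ironicinspector_git_folder }}/rootwrap.d/" "/etc/ironic-inspector/rootwrap.d"
+- name: "Remove old rootwrap locations"
+  file:
+    name: "{{ item }}"
+    state: absent
+  loop:
+    - "/etc/ironic-inspector/rootwrap.conf"
+    - "/etc/ironic-inspector/rootwrap.d"
+    - "{{ ironic_rootwrap_dir }}/ironic-inspector-rootwrap"
 
 - name: "Generate htpasswd(s) for ironic-inspector"
   htpasswd: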
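--- a/PATH_NOT_SHOWN_3
+++ b/PATH_NOT_SHOWN_3
@@ -44,22 +44,3 @@
     owner: ironic
     group: ironic
     mode: "0640"
-
-- name: "Symlinks from venv"
-  file:
-    state: link
-    path: "{{ ironic_rootwrap_dir }}/{{ item | basename }}"
-    src: "{{ item }}"
-    owner: root
-    group: root
-  loop:
-    - "{{ bifrost_venv_dir }}/bin/ironic-rootwrap"
-    - "{{ bifrost_venv_dir }}/bin/ironic-inspector-rootwrap"
-- name: "Set sudoers for rootwrap"
-  lineinfile:
-    dest: /etc/sudoers
-    regexp: "^ironic(.*)/{{ item }}-rootwrap /etc/{{ item }}/rootwrap.conf(.*)"
-    line: "ironic ALL = (root) NOPASSWD: {{ ironic_rootwrap_dir }}/{{ item }}-rootwrap /etc/{{ item }}/rootwrap.conf *"
-  loop:
-    - ironic
-    - ironic-inspector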
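--- /dev/null
+++ b/PATH_NOT_SHOWN_4
@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Removes the ``rootwrap`` privilege escalation framework. Ironic no longer
+    uses it, and Bifrost does not use the Inspector PXE filters that require
+    root.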