From 4607ab5e530310c9f3b5bf35490c40d087340d07 Mon Sep 17 00:00:00 2001
From: Steven Dake
Date: Fri, 26 May 2017 21:33:17 -0700
Subject: [PATCH] Remove sudo operations that are no longer necessary
set_configs.py has logic to handle chown of directories. Simplify the codebase by removing these unnessary chowns. Further the chowns cause some forms of NFS backed storage to not work properly.
Change-Id: I8df95d06b1010778deb3e2a3065aaab26ed2eb6a
Closes-Bug: #1693973
---
 docker/elasticsearch/Dockerfile.j2 | 5 +----
 docker/elasticsearch/elasticsearch_sudoers | 1 -
 docker/elasticsearch/extend_start.sh | 5 -----
 docker/glance/glance-api/extend_start.sh | 1 -
 docker/glance/glance-base/Dockerfile.j2 | 5 +----
 docker/glance/glance-base/glance_sudoers | 1 -
 docker/mariadb/extend_start.sh | 5 -----
 docker/mariadb/mariadb_sudoers | 2 +-
 docker/rabbitmq/Dockerfile.j2 | 5 +----
 docker/rabbitmq/extend_start.sh | 1 -
 docker/rabbitmq/rabbitmq_sudoers | 1 -
 11 files changed, 4 insertions(+), 28 deletions(-)
 delete mode 100644 docker/elasticsearch/elasticsearch_sudoers
 delete mode 100644 docker/glance/glance-base/glance_sudoers
 delete mode 100644 docker/rabbitmq/rabbitmq_sudoers
diff --git a/docker/elasticsearch/Dockerfile.j2 b/docker/elasticsearch/Dockerfile.j2
index e3c55bcde2..8f6adf9d4c 100644
--- a/docker/elasticsearch/Dockerfile.j2
+++ b/docker/elasticsearch/Dockerfile.j2
@@ -26,7 +26,6 @@ ENV JAVA_HOME /usr/lib/jvm/java-8-openjdk-amd64/
 {% endif %}
 {{ macros.install_packages(elasticsearch_packages | customizable("packages")) }}
-COPY elasticsearch_sudoers /etc/sudoers.d/kolla_elasticsearch_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 # NOTE: By default the shell of the elasticsearch user is /bin/false. We have to
@@ -34,9 +33,7 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start
 #
 # https://discuss.elastic.co/t/running-as-non-root-user-service-wrapper-has-changed/7863
-RUN chmod 755 /usr/local/bin/kolla_extend_start \
- && chmod 750 /etc/sudoers.d \
- && chmod 440 /etc/sudoers.d/kolla_elasticsearch_sudoers
+RUN chmod 755 /usr/local/bin/kolla_extend_start
 {% block elasticsearch_footer %}{% endblock %}
 {% block footer %}{% endblock %}
diff --git a/docker/elasticsearch/elasticsearch_sudoers b/docker/elasticsearch/elasticsearch_sudoers
deleted file mode 100644
index 76396c68a7..0000000000
--- a/docker/elasticsearch/elasticsearch_sudoers
+++ /dev/null
@@ -1 +0,0 @@
-%kolla ALL=(root) NOPASSWD: /bin/chown elasticsearch\: /var/lib/elasticsearch/data, /usr/bin/chown elasticsearch\: /var/lib/elasticsearch/data
diff --git a/docker/elasticsearch/extend_start.sh b/docker/elasticsearch/extend_start.sh
index 97067b7df9..b39f5b3346 100644
--- a/docker/elasticsearch/extend_start.sh
+++ b/docker/elasticsearch/extend_start.sh
@@ -6,8 +6,3 @@ fi
 if [[ $(stat -c %a /var/log/kolla/elasticsearch) != "755" ]]; then
 chmod 755 /var/log/kolla/elasticsearch
 fi
-
-# Only update permissions if permissions need to be updated
-if [[ $(stat -c %U:%G /var/lib/elasticsearch/data) != "elasticsearch:elasticsearch" ]]; then
- sudo chown elasticsearch: /var/lib/elasticsearch/data
-fi
diff --git a/docker/glance/glance-api/extend_start.sh b/docker/glance/glance-api/extend_start.sh
index be4b839611..3d8d7f512c 100644
--- a/docker/glance/glance-api/extend_start.sh
+++ b/docker/glance/glance-api/extend_start.sh
@@ -5,6 +5,5 @@
 if [[ "${!KOLLA_BOOTSTRAP[@]}" ]]; then
 glance-manage db_sync
 glance-manage db_load_metadefs
- sudo chown -R glance: /var/lib/glance/
 exit 0
 fi
diff --git a/docker/glance/glance-base/Dockerfile.j2 b/docker/glance/glance-base/Dockerfile.j2
index e0d3b8224d..ec2204cdaf 100644
--- a/docker/glance/glance-base/Dockerfile.j2
+++ b/docker/glance/glance-base/Dockerfile.j2
@@ -49,12 +49,9 @@ RUN ln -s glance-base-source/* glance \
 {% endif %}
-COPY glance_sudoers /etc/sudoers.d/kolla_glance_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN chmod 750 /etc/sudoers.d \
- && chmod 440 /etc/sudoers.d/kolla_glance_sudoers \
- && touch /usr/local/bin/kolla_glance_extend_start \
+RUN touch /usr/local/bin/kolla_glance_extend_start \
 && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_glance_extend_start
 {% block glance_base_footer %}{% endblock %}
diff --git a/docker/glance/glance-base/glance_sudoers b/docker/glance/glance-base/glance_sudoers
deleted file mode 100644
index ffb536abf5..0000000000
--- a/docker/glance/glance-base/glance_sudoers
+++ /dev/null
@@ -1 +0,0 @@
-%kolla ALL=(root) NOPASSWD: /usr/bin/chown -R glance\: /var/lib/glance/, /bin/chown -R glance\: /var/lib/glance/
diff --git a/docker/mariadb/extend_start.sh b/docker/mariadb/extend_start.sh
index 2eb0bd99b2..06bb8b4f49 100644
--- a/docker/mariadb/extend_start.sh
+++ b/docker/mariadb/extend_start.sh
@@ -37,11 +37,6 @@ function bootstrap_db {
 mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" shutdown
 }
-# Only update permissions if permissions need to be updated
-if [[ $(stat -c %U:%G /var/lib/mysql) != "mysql:mysql" ]]; then
- sudo chown mysql: /var/lib/mysql
-fi
-
 # Create log directory, with appropriate permissions
 if [[ ! -d "/var/log/kolla/mariadb" ]]; then
 mkdir -p /var/log/kolla/mariadb
diff --git a/docker/mariadb/mariadb_sudoers b/docker/mariadb/mariadb_sudoers
index c95b1e2ad5..150534e165 100644
--- a/docker/mariadb/mariadb_sudoers
+++ b/docker/mariadb/mariadb_sudoers
@@ -1 +1 @@
-%kolla ALL=(root) NOPASSWD: /bin/chown mysql\: /var/lib/mysql, /usr/bin/chown mysql\: /var/lib/mysql, /usr/local/bin/kolla_security_reset
+%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_security_reset
diff --git a/docker/rabbitmq/Dockerfile.j2 b/docker/rabbitmq/Dockerfile.j2
index 118b040871..054a63a31b 100644
--- a/docker/rabbitmq/Dockerfile.j2
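Review bot: The rule kept in docker/mariadb/mariadb_sudoers still lets every member of %kolla run /usr/local/bin/kolla_security_reset as root without a password and with any arguments, so that script is now the only sudo privilege boundary left in this image. Its ownership and mode are set outside this diff; confirm it is root-owned and not writable by the kolla group or the mysql user. If the script takes no arguments, pin that in the rule with an empty argument list: `%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_security_reset ""`.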
+++ b/docker/rabbitmq/Dockerfile.j2
@@ -45,11 +45,8 @@ RUN rm -rf /var/lib/rabbitmq/* \
 {% endblock %}
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-COPY rabbitmq_sudoers /etc/sudoers.d/kolla_rabbitmq_sudoers
 COPY rabbitmq_get_gospel_node.py /usr/local/bin/rabbitmq_get_gospel_node
-RUN chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/rabbitmq_get_gospel_node \
- && chmod 750 /etc/sudoers.d \
- && chmod 440 /etc/sudoers.d/kolla_rabbitmq_sudoers
+RUN chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/rabbitmq_get_gospel_node
 {% block rabbitmq_footer %}{% endblock %}
 {% block footer %}{% endblock %}
diff --git a/docker/rabbitmq/extend_start.sh b/docker/rabbitmq/extend_start.sh
index 56d06aaf90..7aa685e821 100644
--- a/docker/rabbitmq/extend_start.sh
+++ b/docker/rabbitmq/extend_start.sh
@@ -3,7 +3,6 @@
 # Bootstrap and exit if KOLLA_BOOTSTRAP variable is set. This catches all cases
 # of the KOLLA_BOOTSTRAP variable being set, including empty.
 if [[ "${!KOLLA_BOOTSTRAP[@]}" ]]; then
- sudo chown -R rabbitmq: /var/lib/rabbitmq
 # NOTE(sbezverk): In kubernetes environment, if this file exists from previous
 # bootstrap, the system does not allow to overwrite it (it bootstrap files with
diff --git a/docker/rabbitmq/rabbitmq_sudoers b/docker/rabbitmq/rabbitmq_sudoers
deleted file mode 100644
index 7d3d091d8a..0000000000
--- a/docker/rabbitmq/rabbitmq_sudoers
+++ /dev/null
@@ -1 +0,0 @@
-%kolla ALL=(root) NOPASSWD: /usr/bin/chown -R rabbitmq\: /var/lib/rabbitmq, /bin/chown -R rabbitmq\: /var/lib/rabbitmq