From 2636d7eaea6a22ccde8510b2de3d52de269a6445 Mon Sep 17 00:00:00 2001
From: Craig McIntyre
Date: Wed, 26 Jun 2019 19:24:42 +0100
Subject: [PATCH] Add missing pre-reqs for glance cinder store
There are a number of missing dependencies in the role when using cinder store with glance. Specifically rootwrap is required for elevating access when using os-brick to connect to cinder iscsi/fc volume back end storage.
This patch addresses the following:
- olso.rootwrap is not included in glance_pip_packages
- files/rootwrap.d/glance_cinder_store.filters is missing
- glance user is not added to sudoers
glance_pip_packages updated, missing rootwrap.d and sudoer files now dropped in to Their required locations by glance_post_install.yml task
Change-Id: I55162bc2bf3cbb8858950e4abcf60a3de9929008
Closes-Bug: #1833725
---
 defaults/main.yml | 3 +-
 files/rootwrap.d/glance_cinder_store.filters | 29 +++++++++++++++
 tasks/glance_post_install.yml | 38 ++++++++++++++++++++
 templates/sudoers.j2 | 6 ++++
 4 files changed, 75 insertions(+), 1 deletion(-)
 create mode 100644 files/rootwrap.d/glance_cinder_store.filters
 create mode 100644 templates/sudoers.j2
diff --git a/defaults/main.yml b/defaults/main.yml
index 6c8733c4..48cb44f2 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -240,6 +240,7 @@ glance_pip_packages:
 - glance
 - keystonemiddleware
 - os-brick
+ - oslo.rootwrap
 - osprofiler
 - PyMySQL
 - python-cinderclient
@@ -307,4 +308,4 @@ glance_policy_overrides: {}
 glance_api_uwsgi_ini_overrides: {}
 
 # Specify path on the local filesystem for glance-image-import.conf
-#glance_glance_image_import_conf_location: /path/to/local/glance-image-import.conf
\ No newline at end of file
+#glance_glance_image_import_conf_location: /path/to/local/glance-image-import.conf
diff --git a/files/rootwrap.d/glance_cinder_store.filters b/files/rootwrap.d/glance_cinder_store.filters
new file mode 100644
index 00000000..39f7de6a
--- /dev/null
+++ b/files/rootwrap.d/glance_cinder_store.filters
@@ -0,0 +1,29 @@
+# glance-rootwrap command filters for glance cinder store
+# This file should be owned by (and only-writable by) the root user
+
+[Filters]
+# cinder store driver
+disk_chown: RegExpFilter, chown, root, chown, \d+, /dev/(?!.*/\.\.).*
+
+# os-brick
+mount: CommandFilter, mount, root
+blockdev: RegExpFilter, blockdev, root, blockdev, (--getsize64|--flushbufs), /dev/.*
+tee: CommandFilter, tee, root
+mkdir: CommandFilter, mkdir, root
+chown: RegExpFilter, chown, root, chown root:root /etc/pstorage/clusters/(?!.*/\.\.).*
+ip: CommandFilter, ip, root
+dd: CommandFilter, dd, root
+iscsiadm: CommandFilter, iscsiadm, root
+aoe-revalidate: CommandFilter, aoe-revalidate, root
+aoe-discover: CommandFilter, aoe-discover, root
+aoe-flush: CommandFilter, aoe-flush, root
+read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi
+multipath: CommandFilter, multipath, root
+multipathd: CommandFilter, multipathd, root
+systool: CommandFilter, systool, root
+sg_scan: CommandFilter, sg_scan, root
+cp: CommandFilter, cp, root
+drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid
+sds_cli: CommandFilter, /usr/local/bin/sds/sds_cli, root
+vgc-cluster: CommandFilter, vgc-cluster, root
+scsi_id: CommandFilter, /lib/udev/scsi_id, root
diff --git a/tasks/glance_post_install.yml b/tasks/glance_post_install.yml
index be0e8307..b54e8f29 100644
--- a/tasks/glance_post_install.yml
+++ b/tasks/glance_post_install.yml
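Review bot: Most of the os-brick entries — `mount`, `tee`, `mkdir`, `ip`, `dd`, `cp`, `iscsiadm`, `multipath` and friends — are plain `CommandFilter`s with no argument restriction, which lets the glance user run those binaries as root with any arguments, while the commit message only needs the iSCSI/FC connector path. Consider trimming the list to what the connectors in use actually invoke (`aoe-*`, `drv_cfg`, `sds_cli` and `vgc-cluster` serve other backends) and tightening arguments with `RegExpFilter` where the call shape is fixed, as `blockdev` and `disk_chown` already do; the header comment should also record which os-brick release the list was taken from so it can be re-synced later. The header requires the file to be root-owned and writable only by root, but that property is set by the installing copy task, not by this file, and that task pins no `mode`. If the role does not already deploy a rootwrap.conf whose `filters_path` includes `/etc/glance/rootwrap.d`, these filters are never loaded — that config is not part of this diff, so I can't confirm it.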
@@ -13,6 +13,32 @@ # See the License for the specific language governing permissions and # limitations under the License. +# NOTE(CeeMac): This task is required to copy rootwrap filters that we need +# and glance does not provide by default. +- name: Create aux glance dir + file: + path: "{{ item.path | default(omit) }}" + state: "directory" + owner: "{{ item.owner|default(glance_system_user_name) }}" + group: "{{ item.group|default(glance_system_group_name) }}" + mode: "{{ item.mode | default(omit) }}" + loop: + - path: "/etc/glance/rootwrap.d" + owner: "root" + group: "root" + +- name: Copy glance rootwrap filter config + copy: + src: "{{ item }}" + dest: "/etc/glance/rootwrap.d/" + owner: "root" + group: "root" + with_fileglob: + - rootwrap.d/* + tags: + - glance-config + - glance-post-install + - name: Deploy Glance configuration files config_template: src: "{{ item.src }}" @@ -158,3 +184,15 @@ - name: "{{ glance_bin }}/glance-cache-cleaner" hour: "*/5" when: glance_flavor is search("cache") + +- name: Drop sudoers file + template: + src: "sudoers.j2" + dest: "/etc/sudoers.d/{{ glance_system_user_name }}_sudoers" + mode: "0440" + owner: "root" + group: "root" + validate: '/usr/sbin/visudo -cf %s' + tags: + - sudoers + - glance-sudoers diff --git a/templates/sudoers.j2 b/templates/sudoers.j2 new file mode 100644 index 00000000..da8685f2 --- /dev/null +++ b/templates/sudoers.j2 @@ -0,0 +1,6 @@ +# {{ ansible_managed }} + +Defaults:{{ glance_system_user_name }} !requiretty +Defaults:{{ glance_system_user_name }} secure_path="{{ glance_bin }}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + +glance ALL = (root) NOPASSWD: {{ glance_bin }}/{{ glance_service_name }}-rootwrap
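Review bot: The `Create aux glance dir` task carries no tags while the `Copy glance rootwrap filter config` task is tagged `glance-config`/`glance-post-install`, so a tagged run (for example `--tags glance-config`) copies into `/etc/glance/rootwrap.d/` without first creating it; give both tasks the same tags. The copy task sets owner and group but no `mode`, so the installed filter files keep whatever mode the role checkout or umask gives them; add `mode: "0644"` so they are writable only by root, as the filter file's own header requires. The directory task's `loop` with `default(omit)` on `path` is more general than its single fixed item needs, and a plain `file:` task with literal `path`, `owner`, `group` and `mode` values would read more directly.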
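Review bot: The `Drop sudoers file` task is unconditional, so every deployment — not only those configured for the cinder store — grants the glance user passwordless root through rootwrap; gating this task and the rootwrap copy tasks with a `when:` on whichever role variable selects the cinder store (not visible in this diff) keeps the default privilege footprint unchanged. Its tags `sudoers`/`glance-sudoers` differ from the `glance-config`/`glance-post-install` tags on the other new tasks, so a tagged post-install run deploys the filters but not the sudoers file that makes them usable; consider adding the file's common tags as well. The `validate: '/usr/sbin/visudo -cf %s'` check is the right safeguard against a malformed template breaking sudo.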
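Review bot: The grant line hard-codes the user as `glance` while the two `Defaults:` lines and the task's `dest` use `{{ glance_system_user_name }}`, so overriding that variable produces a file whose Defaults apply to one user and whose NOPASSWD rule applies to another; change it to `{{ glance_system_user_name }} ALL = (root) NOPASSWD: {{ glance_bin }}/{{ glance_service_name }}-rootwrap`. With no argument specification the rule also lets the caller pick the rootwrap config file, since rootwrap takes it as its first argument; the usual hardening is to pin it, `... {{ glance_service_name }}-rootwrap <ROOTWRAP_CONF_PATH> *` (placeholder: the path the role deploys rootwrap.conf at, which this diff does not show). A one-line comment above the rule naming the filter directory it pairs with would help the next reader connect the two files.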