From 844f1d56c5b2fce55eca97c34c1c7d83825876e2 Mon Sep 17 00:00:00 2001
From: Kevin Carter
Date: Mon, 15 Jun 2020 14:10:25 -0500
Subject: [PATCH] First pass at script cleanup

This change removes bits from our imported scripts that are irrelevant for a TripleO environment. All of the sudoers implementations have been moved into files which are copied into containers. This move will unify how we deploy privledge escallations. The kolla user will now be able to execute any kolla* command which should allow us to generally simplify how we handle sudoers across our container base.

Story: 2007780
Task: 40014
Change-Id: I2e0b98d9f60e3c862e9db3f7d87f09b5bd3a0887
Signed-off-by: Kevin Carter
(cherry picked from commit 9190a3d0001bed39a12f097750bef90d5015a42c)
---
 container-images/kolla/barbican-base/sudoers | 1 +
 container-images/kolla/base/httpd_setup.sh | 2 +-
 container-images/kolla/base/sudoers | 2 +-
 container-images/kolla/horizon/extend_start.sh | 2 +-
 container-images/kolla/neutron-base/neutron_sudoers | 2 --
 container-images/tcib/base/mariadb/mariadb.yaml | 1 -
 .../tcib/base/os/barbican-base/barbican-base.yaml | 4 +++-
 7 files changed, 7 insertions(+), 7 deletions(-)
 create mode 100644 container-images/kolla/barbican-base/sudoers

diff --git a/container-images/kolla/barbican-base/sudoers b/container-images/kolla/barbican-base/sudoers
new file mode 100644
index 000000000..8252327e4
--- /dev/null
+++ b/container-images/kolla/barbican-base/sudoers
@@ -0,0 +1 @@
+%kolla ALL=(root) NOPASSWD: /usr/bin/chown -R barbican /var/lib/barbican/, /bin/chown -R barbican /var/lib/barbican/
diff --git a/container-images/kolla/base/httpd_setup.sh b/container-images/kolla/base/httpd_setup.sh
index c5effa785..f8921063d 100644
--- a/container-images/kolla/base/httpd_setup.sh
+++ b/container-images/kolla/base/httpd_setup.sh
@@ -14,7 +14,7 @@ if [[ "$(whoami)" == 'root' ]]; then
 # on startup:
 # SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty
 # Work around this by generating certificates manually.
- if [[ ${KOLLA_BASE_DISTRO} = centos ]] && [[ ! -e /etc/pki/tls/certs/localhost.crt ]]; then
+ if [[ ! -e /etc/pki/tls/certs/localhost.crt ]]; then
 /usr/libexec/httpd-ssl-gencerts
 fi
 fi
diff --git a/container-images/kolla/base/sudoers b/container-images/kolla/base/sudoers
index 76baefcb0..61e2d7c0f 100644
--- a/container-images/kolla/base/sudoers
+++ b/container-images/kolla/base/sudoers
@@ -13,6 +13,6 @@ root ALL=(ALL) ALL
 # anyone in the kolla group may run /usr/local/bin/kolla_set_configs as the
 # root user via sudo without password confirmation
-%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_set_configs
+%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla*
 #includedir /etc/sudoers.d
diff --git a/container-images/kolla/horizon/extend_start.sh b/container-images/kolla/horizon/extend_start.sh
index f4db52a33..5c34f56b2 100644
--- a/container-images/kolla/horizon/extend_start.sh
+++ b/container-images/kolla/horizon/extend_start.sh
@@ -4,7 +4,7 @@ set -o errexit
 FORCE_GENERATE="${FORCE_GENERATE}"
 HASH_PATH=/var/lib/kolla/.settings.md5sum.txt
-MANAGE_PY="/usr/bin/python${KOLLA_DISTRO_PYTHON_VERSION} /usr/bin/manage.py"
+MANAGE_PY="/usr/bin/python3 /usr/bin/manage.py"
 if [[ -f /etc/openstack-dashboard/custom_local_settings ]]; then
 CUSTOM_SETTINGS_FILE="${SITE_PACKAGES}/openstack_dashboard/local/custom_local_settings.py"
diff --git a/container-images/kolla/neutron-base/neutron_sudoers b/container-images/kolla/neutron-base/neutron_sudoers
index 7a7252e50..b859003e9 100644
--- a/container-images/kolla/neutron-base/neutron_sudoers
+++ b/container-images/kolla/neutron-base/neutron_sudoers
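Review bot: With the distro guard gone, `/usr/libexec/httpd-ssl-gencerts` is now invoked unconditionally whenever the cert is missing, but that helper is a RHEL/CentOS mod_ssl artifact and nothing in the hunk checks it exists; on a base image without it the root branch errors out (or continues with no cert, depending on whether the script sets errexit, which is not visible here). A guard on the helper costs nothing: `if [[ ! -e /etc/pki/tls/certs/localhost.crt ]] && [[ -x /usr/libexec/httpd-ssl-gencerts ]]; then`. The comment block above should also say what the generated cert is for, e.g. `# The generated cert is a placeholder (presumably self-signed) that only lets httpd start; real TLS material is expected to be bind-mounted over it`, hedged since the helper's output is not shown. The enclosing `if [[ "$(whoami)" == 'root' ]]` block starts before the hunk.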
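Review bot: `/usr/local/bin/kolla*` carries no argument list, so per sudoers(5) any member of the kolla group may now run every executable in /usr/local/bin whose name starts with `kolla` as root, with arbitrary arguments and no password; from this commit alone that is at least kolla_set_configs, kolla_security_reset and kolla_extend_start (copied there in the mariadb hunk), plus anything added under that prefix later. The two comment lines directly above the rule still describe the old single-command grant and are now wrong; update them to `# anyone in the kolla group may run any /usr/local/bin/kolla* executable, with any arguments, as root via sudo without a password`. If the set of privileged helpers is small and known, an explicit comma-separated list keeps the grant auditable; if the wildcard is intentional, the comment should at least warn that every kolla* script dropped into /usr/local/bin becomes a root entry point. Note that `*` in a sudoers path does not match `/`, so subdirectories are not covered.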
@@ -1,5 +1,3 @@
-neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
-neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
 neutron ALL = (root) NOPASSWD: /usr/bin/update-alternatives --set iptables /usr/sbin/iptables-legacy
 neutron ALL = (root) NOPASSWD: /usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
 neutron ALL = (root) NOPASSWD: /usr/bin/update-alternatives --auto iptables
diff --git a/container-images/tcib/base/mariadb/mariadb.yaml b/container-images/tcib/base/mariadb/mariadb.yaml
index b944bc8ac..e401f5331 100644
--- a/container-images/tcib/base/mariadb/mariadb.yaml
+++ b/container-images/tcib/base/mariadb/mariadb.yaml
@@ -1,5 +1,4 @@
 tcib_actions:
-- run: 'echo "%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_security_reset" > /etc/sudoers.d/security_reset && chmod 640 /etc/sudoers.d/security_reset'
 - run: bash /usr/local/bin/uid_gid_manage {{ tcib_user }}
 - run: dnf -y install {{ tcib_packages['common'] | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf
 - copy: /usr/share/tripleo-common/container-images/kolla/mariadb/extend_start.sh /usr/local/bin/kolla_extend_start
diff --git a/container-images/tcib/base/os/barbican-base/barbican-base.yaml b/container-images/tcib/base/os/barbican-base/barbican-base.yaml
index a4f5aef73..4597590f1 100644
--- a/container-images/tcib/base/os/barbican-base/barbican-base.yaml
+++ b/container-images/tcib/base/os/barbican-base/barbican-base.yaml
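Review bot: Once the `security_reset` fragment is removed, `kolla_security_reset` can only run as root through the `%kolla ... /usr/local/bin/kolla*` rule this commit adds to the base image's sudoers, and nothing in mariadb.yaml records that dependency; a later tightening of the base rule back to an explicit list would silently strip the mariadb entrypoint of its escalation path until it fails at runtime. Add a comment above `tcib_actions:` such as `# kolla_security_reset is run as root via the %kolla /usr/local/bin/kolla* rule in the base image sudoers; keep that rule (or an explicit entry) when changing it`. The same implicit reliance presumably applies to `kolla_extend_start` copied in the last context line, if it is ever invoked through sudo — not visible here.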
@@ -1,7 +1,9 @@
 tcib_actions:
 - run: bash /usr/local/bin/uid_gid_manage nfast barbican
 - run: dnf -y install {{ tcib_packages['common'] | join(' ') }} && dnf clean all && rm -rf /var/cache/dnf
-- run: 'echo "%kolla ALL=(root) NOPASSWD: /usr/bin/chown -R barbican /var/lib/barbican/, /bin/chown -R barbican /var/lib/barbican/" > /etc/sudoers.d/barbican_sudoers && chmod 640 /etc/sudoers.d/barbican_sudoers'
+- copy: /usr/share/tripleo-common/container-images/kolla/barbican-base/sudoers /etc/sudoers.d/barbican_sudoers
+- run: chmod 640 /etc/sudoers.d/barbican_sudoers
+tcib_gather_files: '{{ lookup(''fileglob'', ''/usr/share/tripleo-common/container-images/kolla/barbican-base/*'', wantlist=True) }}'
 tcib_packages:
 common:
 - openstack-barbican-common
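Review bot: The copied sudoers fragment gets `chmod 640` but neither its ownership nor its syntax is checked at build time; sudo skips a sudoers.d file that is not owned by uid 0 or is writable by anyone but the owner, and a parse error in any fragment disables sudo for the whole container, which would only surface when the barbican entrypoint first attempts its chown. Validate in the same step: `- run: chmod 640 /etc/sudoers.d/barbican_sudoers && visudo -cf /etc/sudoers.d/barbican_sudoers` (assuming the sudo package, and so visudo, is present in the base image — not visible in this hunk). The `tcib_gather_files` fileglob pulls in every file under kolla/barbican-base/, so any future file added there is also shipped; a comment noting that the directory is copied wholesale would help the next person who drops a scratch file in it. The chown grant itself (fixed path, fixed arguments) is appropriately narrow.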