From 0c8d3f0586a5bbd797ee38786b58d004091dd104 Mon Sep 17 00:00:00 2001
From: Hongbin Lu
Date: Sun, 30 Sep 2018 16:51:38 +0000
Subject: [PATCH] Add user 'zun' to group 'docker'

Zun compute needs to access the docker socket for API call. The socket is owned by 'docker' group and the zun-compute process is owned by 'zun' user. In order to allow the access, this commit add zun user to docker group.

Change-Id: Ifa7d399242dddf8d07f8b495b344752131a0f110
---
 docker/zun/zun-compute/Dockerfile.j2 | 7 +++++++
 docker/zun/zun-compute/extend_start.sh | 5 +++++
 docker/zun/zun-compute/zun_sudoers | 3 +++
 3 files changed, 15 insertions(+)
 create mode 100644 docker/zun/zun-compute/extend_start.sh
 create mode 100644 docker/zun/zun-compute/zun_sudoers
diff --git a/docker/zun/zun-compute/Dockerfile.j2 b/docker/zun/zun-compute/Dockerfile.j2
index 23ab689f74..33061893b3 100644
--- a/docker/zun/zun-compute/Dockerfile.j2
+++ b/docker/zun/zun-compute/Dockerfile.j2
@@ -10,6 +10,13 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
 {% endif %}
+COPY zun_sudoers /etc/sudoers.d/kolla_zun_sudoers
+COPY extend_start.sh /usr/local/bin/kolla_zun_extend_start
+
+RUN chmod 755 /usr/local/bin/kolla_zun_extend_start \
+ && chmod 750 /etc/sudoers.d \
+ && chmod 640 /etc/sudoers.d/kolla_zun_sudoers
+
 {% block zun_compute_footer %}{% endblock %}
 {% block footer %}{% endblock %}
diff --git a/docker/zun/zun-compute/extend_start.sh b/docker/zun/zun-compute/extend_start.sh
new file mode 100644
index 0000000000..f3b6fc48b5
--- /dev/null
+++ b/docker/zun/zun-compute/extend_start.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+gid=$(stat -c "%g" /var/run/docker.sock)
+sudo groupadd --force --gid $gid docker
+sudo usermod -aG docker zun
diff --git a/docker/zun/zun-compute/zun_sudoers b/docker/zun/zun-compute/zun_sudoers
new file mode 100644
index 0000000000..b3a39af7d8
--- /dev/null
+++ b/docker/zun/zun-compute/zun_sudoers
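Review bot: In the `docker/zun/zun-compute/Dockerfile.j2` hunk the sudoers drop-in is left owner-writable (`chmod 640`) and is never syntax-checked during the build. sudo's default expected mode for sudoers files is 0440, and a malformed drop-in would probably only show up once the container starts. I would end the RUN with `&& chmod 440 /etc/sudoers.d/kolla_zun_sudoers \` followed by `&& visudo -cf /etc/sudoers.d/kolla_zun_sudoers`. A one-line comment above the COPY lines, such as `# sudo rules used by kolla_zun_extend_start to map the host docker socket's group`, would tell later reviewers why this image ships sudo rules at all. The template continues outside the hunk on both sides, so this assumes `visudo` is available in the base image.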
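Review bot: In `docker/zun/zun-compute/extend_start.sh`, `groupadd --force --gid $gid docker` can succeed without the `docker` group actually getting the socket's GID. Per groupadd(8), `-f` combined with `-g` picks another GID when the requested one is already in use, and exits successfully without changes if `docker` already exists; either way `zun` joins a group that does not own `/var/run/docker.sock`, and nothing reports it. The script also has no error handling, so if `stat` fails (socket not mounted) `$gid` is empty and unquoted. I would use `gid=$(stat -c "%g" /var/run/docker.sock) || exit 1` and `sudo groupadd --force --gid "$gid" docker`, then compare the GID from `getent group docker` with `$gid` and fail loudly on a mismatch. Separately, an already-running process does not gain supplementary groups after `usermod`, so whether zun-compute picks up the membership depends on how the start-up code outside this hunk launches it.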
@@ -0,0 +1,3 @@
+zun ALL=(root) NOPASSWD: /var/lib/kolla/venv/bin/zun-rootwrap /etc/zun/rootwrap.conf *
+zun ALL=(root) NOPASSWD: /usr/sbin/groupadd --force --gid *
+zun ALL=(root) NOPASSWD: /usr/sbin/usermod -aG docker zun
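Review bot: The `groupadd --force --gid *` rule is wider than the single call it exists for: in sudoers a `*` in the argument list also matches spaces, so `zun` may pass any further groupadd options and any group name as root, not just a numeric GID followed by `docker`. Together with the `usermod` rule this puts the `zun` account in the group that owns the host's docker socket, which is effectively root-level control of the host's Docker daemon, so the grant should be as narrow as possible and the file should say so in a comment. I would move the stat/groupadd/usermod steps into one root-owned helper that takes no arguments and allow only that, e.g. `zun ALL=(root) NOPASSWD: <path-to-root-owned-helper> ""` (placeholder path; `""` forbids arguments). The `zun-rootwrap ... *` line depends on rootwrap's own filters, which are not visible in this diff.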