Add glance_bin to rootwrap defenition
At the moment rootwrap can not find privsep-helper binary as it's located in glance bin directory, which is inside the virtual environemnt. In order to properly use privsep we must define venv bin directory in allowed exec_dirs of rootwrap. This also introduces new variable `glance_rootwrap_conf_overrides` that allows to manage some extra overrides for rootwrap if needed. Closes-Bug: #2043503 Change-Id: I4ee3fc33fdbeb50fc7b102bf62d6134f83c5925f
This commit is contained in:
Dmitriy Rabotyagov
parent
289ce991c4
commit
c2428ab8da
|
|
@ -333,6 +333,7 @@ glance_glance_swift_store_conf_overrides: {}
|
|||
glance_policy_overrides: {}
|
||||
glance_policy_content: {}
|
||||
glance_api_uwsgi_ini_overrides: {}
|
||||
glance_rootwrap_conf_overrides: {}
|
||||
|
||||
# Specify path on the local filesystem for glance-image-import.conf
|
||||
# glance_glance_image_import_conf_location: /path/to/local/glance-image-import.conf
|
||||
|
|
|
|||
|
|
@ -79,8 +79,19 @@ glance_mount_points: |-
|
|||
{% endfor %}
|
||||
{{ mps }}
|
||||
|
||||
_glance_rootwrap_conf_overrides:
|
||||
DEFAULT:
|
||||
exec_dirs: "{{ _glance_bin }},/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin"
|
||||
|
||||
glance_core_files:
|
||||
- tmp_f: "/tmp/glance-api-paste.ini"
|
||||
target_f: "{{ glance_etc_dir }}/glance-api-paste.ini"
|
||||
config_overrides: "{{ glance_glance_api_paste_ini_overrides }}"
|
||||
config_type: "ini"
|
||||
- tmp_f: "/tmp/rootwrap.conf"
|
||||
target_f: "{{ glance_etc_dir }}/rootwrap.conf"
|
||||
config_overrides: "{{ _glance_rootwrap_conf_overrides | combine(glance_rootwrap_conf_overrides, recursive=True) }}"
|
||||
config_type: "ini"
|
||||
owner: "root"
|
||||
group: "{{ glance_system_group_name }}"
|
||||
mode: "0640"
|
||||
|
|
|
|||
Loading…
Reference in New Issue