From c2428ab8da9cc3868b5ae86140a63e4a33e28eca Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Tue, 14 Nov 2023 18:49:27 +0100
Subject: [PATCH] Add glance_bin to rootwrap defenition

At the moment rootwrap can not find privsep-helper binary as it's located in glance bin directory, which is inside the virtual environemnt. In order to properly use privsep we must define venv bin directory in allowed exec_dirs of rootwrap.

This also introduces new variable `glance_rootwrap_conf_overrides` that allows to manage some extra overrides for rootwrap if needed.

Closes-Bug: #2043503
Change-Id: I4ee3fc33fdbeb50fc7b102bf62d6134f83c5925f
---
 defaults/main.yml | 1 +
 vars/main.yml | 11 +++++++++++
 2 files changed, 12 insertions(+)

diff --git a/defaults/main.yml b/defaults/main.yml
index 472c683b..dc85eae3 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -333,6 +333,7 @@ glance_glance_swift_store_conf_overrides: {}
 glance_policy_overrides: {}
 glance_policy_content: {}
 glance_api_uwsgi_ini_overrides: {}
+glance_rootwrap_conf_overrides: {}
 
 # Specify path on the local filesystem for glance-image-import.conf
 # glance_glance_image_import_conf_location: /path/to/local/glance-image-import.conf
diff --git a/vars/main.yml b/vars/main.yml
index 0f9ee526..f9291eb0 100644
--- a/vars/main.yml
+++ b/vars/main.yml
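Review bot: The new `glance_rootwrap_conf_overrides: {}` default carries no comment, yet the vars/main.yml hunk below merges it with `combine(..., recursive=True)` into a role default whose only key is `DEFAULT.exec_dirs`; because that value is one comma-separated string rather than a list, an operator who sets `DEFAULT.exec_dirs` replaces the whole string and silently drops `{{ _glance_bin }}`, reintroducing the privsep-helper lookup failure this commit fixes. I would add above the line: `# Extra overrides for rootwrap.conf, merged recursively over the role defaults in vars/main.yml. Setting DEFAULT.exec_dirs replaces the full exec_dirs string, so an override must keep the glance venv bin directory in it.` If the neighbouring `*_overrides` defaults in this file carry comments (not visible in the hunk), match their style.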
@@ -79,8 +79,19 @@ glance_mount_points: |-
   {% endfor %}
   {{ mps }}
 
+_glance_rootwrap_conf_overrides:
+  DEFAULT:
+    exec_dirs: "{{ _glance_bin }},/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin"
+
 glance_core_files:
   - tmp_f: "/tmp/glance-api-paste.ini"
     target_f: "{{ glance_etc_dir }}/glance-api-paste.ini"
     config_overrides: "{{ glance_glance_api_paste_ini_overrides }}"
     config_type: "ini"
+  - tmp_f: "/tmp/rootwrap.conf"
+    target_f: "{{ glance_etc_dir }}/rootwrap.conf"
+    config_overrides: "{{ _glance_rootwrap_conf_overrides | combine(glance_rootwrap_conf_overrides, recursive=True) }}"
+    config_type: "ini"
+    owner: "root"
+    group: "{{ glance_system_group_name }}"
+    mode: "0640"
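Review bot: `exec_dirs` in `_glance_rootwrap_conf_overrides` puts `{{ _glance_bin }}` first in the search path, which widens where rootwrap (running with root privileges via sudo) will look for filter-matched executables to a directory inside the service's virtualenv; whether that directory is root-owned and not writable by the glance service user is not visible in this hunk, and the restriction exec_dirs provides only holds if it is. A comment stating that precondition belongs above the variable, e.g. `# The venv bin dir is needed so rootwrap can find privsep-helper; it must stay root-owned and unwritable by the glance user, since anything matching a filter here is executed as root.` The new rootwrap.conf entry with `owner: "root"`, `group: "{{ glance_system_group_name }}"` and `mode: "0640"` is the right direction, and keeping `mode` quoted avoids the YAML octal-literal trap. `_glance_bin` and `glance_system_group_name` are defined outside this hunk.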