Merge "Configure nova-rootwrap"
diff --git a/files/sudo/nova b/files/sudo/nova
deleted file mode 100644
index 60dca2b..0000000
--- a/files/sudo/nova
+++ /dev/null
@@ -1,50 +0,0 @@
-Cmnd_Alias NOVADEVCMDS = /bin/chmod /var/lib/nova/tmp/*/root/.ssh, \
- /bin/chown /var/lib/nova/tmp/*/root/.ssh, \
- /bin/chown, \
- /bin/chmod, \
- /bin/dd, \
- /sbin/ifconfig, \
- /sbin/ip, \
- /sbin/route, \
- /sbin/iptables, \
- /sbin/iptables-save, \
- /sbin/iptables-restore, \
- /sbin/ip6tables-save, \
- /sbin/ip6tables-restore, \
- /sbin/kpartx, \
- /sbin/losetup, \
- /sbin/lvcreate, \
- /sbin/lvdisplay, \
- /sbin/lvremove, \
- /bin/mkdir, \
- /bin/mount, \
- /sbin/pvcreate, \
- /usr/bin/tee, \
- /sbin/tune2fs, \
- /bin/umount, \
- /sbin/vgcreate, \
- /usr/bin/virsh, \
- /usr/bin/qemu-nbd, \
- /usr/sbin/brctl, \
- /sbin/brctl, \
- /usr/sbin/radvd, \
- /usr/sbin/vblade-persist, \
- /sbin/pvcreate, \
- /sbin/aoe-discover, \
- /sbin/vgcreate, \
- /bin/aoe-stat, \
- /bin/kill, \
- /sbin/vconfig, \
- /usr/sbin/ietadm, \
- /sbin/vgs, \
- /sbin/iscsiadm, \
- /usr/bin/socat, \
- /sbin/parted, \
- /usr/sbin/dnsmasq, \
- /usr/sbin/tgtadm, \
- /usr/bin/ovs-vsctl, \
- /usr/bin/ovs-ofctl, \
- /usr/sbin/arping
-
-%USER% ALL = (root) NOPASSWD: SETENV: NOVADEVCMDS
-
diff --git a/stack.sh b/stack.sh
index 2c535b9..d56be8a 100755
--- a/stack.sh
+++ b/stack.sh
@@ -136,17 +136,30 @@
fi
exit 1
else
- # Our user needs passwordless priviledges for certain commands which nova
- # uses internally.
- # Natty uec images sudoers does not have a '#includedir'. add one.
+ # We're not root, make sure sudo is available
+ dpkg -l sudo
+ die_if_error "Sudo is required. Re-run stack.sh as root ONE TIME ONLY to set up sudo."
+
+ # UEC images /etc/sudoers does not have a '#includedir'. add one.
sudo grep -q "^#includedir.*/etc/sudoers.d" /etc/sudoers ||
echo "#includedir /etc/sudoers.d" | sudo tee -a /etc/sudoers
+
+ # Set up devstack sudoers
TEMPFILE=`mktemp`
- cat $FILES/sudo/nova > $TEMPFILE
- sed -e "s,%USER%,$USER,g" -i $TEMPFILE
+ echo "`whoami` ALL=(root) NOPASSWD:ALL" >$TEMPFILE
chmod 0440 $TEMPFILE
sudo chown root:root $TEMPFILE
- sudo mv $TEMPFILE /etc/sudoers.d/stack_sh_nova
+ sudo mv $TEMPFILE /etc/sudoers.d/50_stack_sh
+
+ # Set up the rootwrap sudoers
+ TEMPFILE=`mktemp`
+ echo "$USER ALL=(root) NOPASSWD: /usr/local/bin/nova-rootwrap" >$TEMPFILE
+ chmod 0440 $TEMPFILE
+ sudo chown root:root $TEMPFILE
+ sudo mv $TEMPFILE /etc/sudoers.d/nova-rootwrap
+
+ # Remove old file
+ sudo rm -f /etc/sudoers.d/stack_sh_nova
fi
# Set True to configure stack.sh to run cleanly without Internet access.
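Review bot: The fragment written by `echo "`whoami` ALL=(root) NOPASSWD:ALL"` grants the devstack user unrestricted passwordless root, so the narrower rule in the `nova-rootwrap` fragment written a few lines later adds no privilege boundary while both files are installed — the blanket rule already matches every command — and the root_helper change only pays off once the `50_stack_sh` rule is removed or confined to setup time. Neither generated file is syntax-checked before `sudo mv` places it under `/etc/sudoers.d/`; a malformed fragment there can break sudo for every account, so run `sudo visudo -cf $TEMPFILE` followed by `die_if_error "sudoers fragment failed validation"` before each move, in the same pattern as the `dpkg -l sudo` check at the top of the hunk. The account is also spelled two ways, `whoami` in the first fragment and `$USER` in the second; use one form, quoted, so both fragments name the same user. The `if` whose `else` branch this hunk edits opens before the hunk.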
@@ -1222,6 +1235,7 @@
add_nova_opt "verbose=True"
add_nova_opt "auth_strategy=keystone"
add_nova_opt "allow_resize_to_same_host=True"
+add_nova_opt "root_helper=sudo /usr/local/bin/nova-rootwrap"
add_nova_opt "compute_scheduler_driver=$SCHEDULER"
add_nova_opt "dhcpbridge_flagfile=$NOVA_CONF_DIR/$NOVA_CONF"
add_nova_opt "fixed_range=$FIXED_RANGE"
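Review bot: The path `/usr/local/bin/nova-rootwrap` in the new `root_helper` option is duplicated verbatim in the `nova-rootwrap` sudoers fragment written earlier in stack.sh; if the two ever diverge (for example a different install prefix), sudo falls back to prompting and nova's privileged calls hang or fail with no obvious cause. Factor it into one variable set once near the sudoers setup, `NOVA_ROOTWRAP=/usr/local/bin/nova-rootwrap`, and use it in both places, `add_nova_opt "root_helper=sudo $NOVA_ROOTWRAP"`. This run of add_nova_opt calls continues outside the hunk.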