Add Cinder to ROOTWRAP_SUDOERS
* Perform operations in lib/cinder
* Use specific cinder-rootwrap file
* Add root_helper to cinder.conf
Change-Id: Ibcae8bae2d06c9cbb4c41c39791e8dbdc8bbb0ac
diff --git a/lib/cinder b/lib/cinder
index 119cc91..0e42600 100644
--- a/lib/cinder
+++ b/lib/cinder
@@ -52,6 +52,42 @@
cp -p $CINDER_DIR/etc/cinder/policy.json $CINDER_CONF_DIR
+ # Set the paths of certain binaries
+ if [[ "$os_PACKAGE" = "deb" ]]; then
+ CINDER_ROOTWRAP=/usr/local/bin/cinder-rootwrap
+ else
+ CINDER_ROOTWRAP=/usr/bin/cinder-rootwrap
+ fi
+
+ # If Cinder ships the new rootwrap filters files, deploy them
+ # (owned by root) and add a parameter to $CINDER_ROOTWRAP
+ ROOTWRAP_CINDER_SUDOER_CMD="$CINDER_ROOTWRAP"
+ if [[ -d $CINDER_DIR/etc/cinder/rootwrap.d ]]; then
+ # Wipe any existing rootwrap.d files first
+ if [[ -d $CINDER_CONF_DIR/rootwrap.d ]]; then
+ sudo rm -rf $CINDER_CONF_DIR/rootwrap.d
+ fi
+ # Deploy filters to /etc/cinder/rootwrap.d
+ sudo mkdir -m 755 $CINDER_CONF_DIR/rootwrap.d
+ sudo cp $CINDER_DIR/etc/cinder/rootwrap.d/*.filters $CINDER_CONF_DIR/rootwrap.d
+ sudo chown -R root:root $CINDER_CONF_DIR/rootwrap.d
+ sudo chmod 644 $CINDER_CONF_DIR/rootwrap.d/*
+ # Set up rootwrap.conf, pointing to /etc/cinder/rootwrap.d
+ sudo cp $CINDER_DIR/etc/cinder/rootwrap.conf $CINDER_CONF_DIR/
+ sudo sed -e "s:^filters_path=.*$:filters_path=$CINDER_CONF_DIR/rootwrap.d:" -i $CINDER_CONF_DIR/rootwrap.conf
+ sudo chown root:root $CINDER_CONF_DIR/rootwrap.conf
+ sudo chmod 0644 $CINDER_CONF_DIR/rootwrap.conf
+ # Specify rootwrap.conf as first parameter to cinder-rootwrap
+ CINDER_ROOTWRAP="$CINDER_ROOTWRAP $CINDER_CONF_DIR/rootwrap.conf"
+ ROOTWRAP_CINDER_SUDOER_CMD="$CINDER_ROOTWRAP *"
+ fi
+
+ TEMPFILE=`mktemp`
+ echo "$USER ALL=(root) NOPASSWD: $ROOTWRAP_CINDER_SUDOER_CMD" >$TEMPFILE
+ chmod 0440 $TEMPFILE
+ sudo chown root:root $TEMPFILE
+ sudo mv $TEMPFILE /etc/sudoers.d/cinder-rootwrap
+
CINDER_API_PASTE_INI=$CINDER_CONF_DIR/api-paste.ini
cp $CINDER_DIR/etc/cinder/api-paste.ini $CINDER_API_PASTE_INI
iniset $CINDER_API_PASTE_INI filter:authtoken auth_host $KEYSTONE_AUTH_HOST
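Review bot: The `chown root:root` on `rootwrap.d` and `rootwrap.conf` does not by itself protect the filters, because the unprivileged `cp` calls into `$CINDER_CONF_DIR` just before and after this block suggest the parent directory is writable by `$USER`, who could then rename the root-owned entries and put others in their place. The sudoers line grants NOPASSWD root for `$CINDER_ROOTWRAP $CINDER_CONF_DIR/rootwrap.conf *`, so the filter restriction is only as strong as the ownership of every directory on that path; at minimum state this with a comment such as `# rootwrap.conf and rootwrap.d must sit in a directory $USER cannot write, otherwise the filters are advisory`. In the fallback branch (no `rootwrap.d`) the rule is the bare binary path, which sudoers treats as permitting any arguments. Separately, the generated file is moved into `/etc/sudoers.d` unchecked; running `sudo visudo -c -f $TEMPFILE` before the `mv` would catch a malformed entry before it can break sudo. The enclosing function starts and ends outside the hunk.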
@@ -71,6 +107,8 @@
iniset $CINDER_CONF DEFAULT rabbit_host $RABBIT_HOST
iniset $CINDER_CONF DEFAULT rabbit_password $RABBIT_PASSWORD
iniset $CINDER_CONF DEFAULT api_paste_config $CINDER_API_PASTE_INI
+ iniset $CINDER_CONF DEFAULT root_helper "sudo ${CINDER_ROOTWRAP}"
+
}
# init_cinder() - Initialize database and volume group