lib/neutron: configure root_helper for agents Before the patch, we were only configuring root_helper_daemon to point to oslo.rootwrap, but not root_helper. (The former is used for long running commands only, while the latter is used for short lived commands.) This made neutron agents to directly call to sudo when a privileged process was to be executed. This failed because /etc/sudoers was not configured to allow anything except the rootwrap call itself. This patch simplifies rootwrap handling in the code; it also sets root_helper to point to rootwrap; as well as configure daemon in sudoers. While at it, we also set l2 agent to use rootwrap too. Hopefully, it will be enough for agents to actually configure backend as needed. Change-Id: Ib05a6e0e024f534d7f616d41d70fb67ecf6daeaf

commit: e65ab4a1c57a56161ebbf51a10b3c47a665037d7 [log] [tgz]
author: Ihar Hrachyshka <ihrachys@redhat.com> Fri Feb 24 17:47:55 2017 +0000
committer: Ihar Hrachyshka <ihrachys@redhat.com> Sun Mar 05 23:05:33 2017 +0000
tree: 31f9e158bce89c1c5a7712b7d00a9e0649d5aadf
parent: 8fe48af1625cd2deca496de81dd72573e78b3ef2 [diff] [blame]
diff --git a/lib/neutron b/lib/neutron
index 44d41f8..e72c9fe 100644
--- a/lib/neutron
+++ b/lib/neutron

@@ -72,7 +72,8 @@
 NEUTRON_AUTH_STRATEGY=${NEUTRON_AUTH_STRATEGY:-keystone}
 NEUTRON_ROOTWRAP=$(get_rootwrap_location neutron)
 NEUTRON_ROOTWRAP_CONF_FILE=$NEUTRON_CONF_DIR/rootwrap.conf
-NEUTRON_ROOTWRAP_DAEMON_CMD="sudo $NEUTRON_ROOTWRAP-daemon $NEUTRON_ROOTWRAP_CONF_FILE"
+NEUTRON_ROOTWRAP_CMD="$NEUTRON_ROOTWRAP $NEUTRON_ROOTWRAP_CONF_FILE"
+NEUTRON_ROOTWRAP_DAEMON_CMD="$NEUTRON_ROOTWRAP-daemon $NEUTRON_ROOTWRAP_CONF_FILE"
 
 # Additional neutron api config files
 declare -a _NEUTRON_SERVER_EXTRA_CONF_FILES_ABS
@@ -115,6 +116,13 @@
     done
 }
 
+# configure_root_helper_options() - Configure agent rootwrap helper options
+function configure_root_helper_options {
+    local conffile=$1
+    iniset $conffile agent root_helper "sudo $NEUTRON_ROOTWRAP_CMD"
+    iniset $conffile agent root_helper_daemon "sudo $NEUTRON_ROOTWRAP_DAEMON_CMD"
+}
+
 # configure_neutron() - Set config files, create data dirs, etc
 function configure_neutron_new {
     sudo install -d -o $STACK_USER $NEUTRON_CONF_DIR
@@ -171,6 +179,7 @@
     if is_service_enabled neutron-agent; then
         iniset $NEUTRON_CORE_PLUGIN_CONF agent tunnel_types vxlan
         iniset $NEUTRON_CORE_PLUGIN_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL
+        configure_root_helper_options $NEUTRON_CORE_PLUGIN_CONF
 
         # Configure the neutron agent
         if [[ $NEUTRON_AGENT == "linuxbridge" ]]; then
@@ -194,7 +203,7 @@
         # make it so we have working DNS from guests
         iniset $NEUTRON_DHCP_CONF DEFAULT dnsmasq_local_resolv True
 
-        iniset $NEUTRON_DHCP_CONF agent root_helper_daemon "$NEUTRON_ROOTWRAP_DAEMON_CMD"
+        configure_root_helper_options $NEUTRON_DHCP_CONF
         iniset $NEUTRON_DHCP_CONF DEFAULT interface_driver $NEUTRON_AGENT
         neutron_plugin_configure_dhcp_agent $NEUTRON_DHCP_CONF
     fi
@@ -203,7 +212,7 @@
         cp $NEUTRON_DIR/etc/l3_agent.ini.sample $NEUTRON_L3_CONF
         iniset $NEUTRON_L3_CONF DEFAULT interface_driver $NEUTRON_AGENT
         neutron_service_plugin_class_add router
-        iniset $NEUTRON_L3_CONF agent root_helper_daemon "$NEUTRON_ROOTWRAP_DAEMON_CMD"
+        configure_root_helper_options $NEUTRON_L3_CONF
         iniset $NEUTRON_L3_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL
         neutron_plugin_configure_l3_agent $NEUTRON_L3_CONF
     fi
@@ -215,7 +224,8 @@
         iniset $NEUTRON_META_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL
         iniset $NEUTRON_META_CONF DEFAULT nova_metadata_ip $SERVICE_HOST
         iniset $NEUTRON_META_CONF DEFAULT metadata_workers $API_WORKERS
-        iniset $NEUTRON_META_CONF agent root_helper_daemon "$NEUTRON_ROOTWRAP_DAEMON_CMD"
+        # TODO(ihrachys) do we really need to set rootwrap for metadata agent?
+        configure_root_helper_options $NEUTRON_META_CONF
 
         # TODO(dtroyer): remove the v2.0 hard code below
         iniset $NEUTRON_META_CONF DEFAULT auth_url $KEYSTONE_SERVICE_URI/v2.0
@@ -252,12 +262,6 @@
 
 # configure_neutron_rootwrap() - configure Neutron's rootwrap
 function configure_neutron_rootwrap {
-    # Set the paths of certain binaries
-    neutron_rootwrap=$(get_rootwrap_location neutron)
-
-    # Specify ``rootwrap.conf`` as first parameter to neutron-rootwrap
-    local rootwrap_sudoer_cmd="${neutron_rootwrap} $NEUTRON_CONF_DIR/rootwrap.conf"
-
     # Deploy new rootwrap filters files (owned by root).
     # Wipe any existing rootwrap.d files first
     if [[ -d $NEUTRON_CONF_DIR/rootwrap.d ]]; then
@@ -274,7 +278,8 @@
 
     # Set up the rootwrap sudoers for Neutron
     tempfile=`mktemp`
-    echo "$STACK_USER ALL=(root) NOPASSWD: $rootwrap_sudoer_cmd *" >$tempfile
+    echo "$STACK_USER ALL=(root) NOPASSWD: $NEUTRON_ROOTWRAP_CMD *" >$tempfile
+    echo "$STACK_USER ALL=(root) NOPASSWD: $NEUTRON_ROOTWRAP_DAEMON_CMD" >>$tempfile
     chmod 0440 $tempfile
     sudo chown root:root $tempfile
     sudo mv $tempfile /etc/sudoers.d/neutron-rootwrap
commit	e65ab4a1c57a56161ebbf51a10b3c47a665037d7	[log] [tgz]
author	Ihar Hrachyshka <ihrachys@redhat.com>	Fri Feb 24 17:47:55 2017 +0000
committer	Ihar Hrachyshka <ihrachys@redhat.com>	Sun Mar 05 23:05:33 2017 +0000
tree	31f9e158bce89c1c5a7712b7d00a9e0649d5aadf
parent	8fe48af1625cd2deca496de81dd72573e78b3ef2 [diff] [blame]