| author | Bruce Ashfield <bruce.ashfield@windriver.com> | 2013-11-28 23:28:04 -0500 |
|---|---|---|
| committer | Bruce Ashfield <bruce.ashfield@windriver.com> | 2013-11-28 23:39:16 -0500 |
| commit | 811633754e5cf5e51b26c569f650d3fd115cb089 (patch) | |
| tree | 432b22d9c1f0092457dcfef2d3a808b82fda13e0 /meta-openstack/recipes-devtools/python | |
| parent | c158209a05d11cdfaf35b13888151777eaf41dba (diff) | |
| download | meta-cloud-services-811633754e5cf5e51b26c569f650d3fd115cb089.tar.gz | |
python-nova: run services as nova user instead of root
With this change we now run both the nova controller services and compute
node agents as the dedicated "nova" user.
Changes to configuration were made to relocate locks and logs to nova
writeable directories. Wherever possible configuration files and directories
have been changed to nova instead of root (with the notable exception of
rootwrap configuration).
nova has also been granted sudo privileges to run rootwrap commands.
And finally, a libvirt system group has been created and nova added to
that group. This allows the compute agent to communicate with libvirtd
via the "libvirt" group while keeping permissions tight.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Diffstat (limited to 'meta-openstack/recipes-devtools/python')
3 files changed, 17 insertions, 8 deletions
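--- a/meta-openstack/recipes-devtools/python/python-nova/nova.conf
+++ b/meta-openstack/recipes-devtools/python/python-nova/nova.conf
@@ -19,6 +19,8 @@ debug = True
 verbose = True
 my_ip = %CONTROLLER_IP%
 glance_host = %CONTROLLER_IP%
+lock_path=/var/lock/nova/
+state_path=/var/run/nova/
 
 #VNC
 vnc_enabled = true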
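Review bot: The new lock_path and state_path on lines 22-23 point at /var/lock/nova/ and /var/run/nova/, but nothing in this commit creates either directory (the diffstat covers all three changed files), and a service now running as nova cannot create them itself under root-owned /var/lock and /var/run. On images where /var/run and /var/lock are volatile they will also be gone after every boot, and if nova derives other defaults such as its instances directory from state_path, as upstream's configuration does, that state would sit on non-persistent storage — please confirm which is intended. The simplest fix is to create them in the init script's start() before the daemon is launched, e.g. `mkdir -p /var/lock/nova /var/run/nova` followed by `chown nova /var/lock/nova /var/run/nova`, or to install them from the recipe with `install -o nova -d` where the image does not mount those paths as tmpfs.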
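--- a/meta-openstack/recipes-devtools/python/python-nova/nova.init
+++ b/meta-openstack/recipes-devtools/python/python-nova/nova.init
@@ -30,7 +30,8 @@ start ()
 
 echo -n "Starting $DESC..."
 
-start-stop-daemon --start --quiet --background \
+sudo -u nova \
+start-stop-daemon --start --quiet --background \
 --pidfile ${PIDFILE} --make-pidfile --exec ${DAEMON}
 
 if [ $? -eq 0 ]; then
</field_update>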
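Review bot: With `sudo -u nova` on line 33 the whole command, including start-stop-daemon's `--make-pidfile`, now runs as nova, so ${PIDFILE} (defined outside this hunk) must live in a nova-writable directory or the pidfile write will likely fail and surface as a start failure through the `$?` test on line 37. start-stop-daemon can drop privileges itself with `--chuid nova`, which avoids the sudo round-trip and its environment reset and does not depend on the image's base sudoers allowing root to run arbitrary commands as nova, something the sudoers.d file added in this commit does not grant: `start-stop-daemon --start --quiet --background --chuid nova \`. Either way the stop path of this script, which is outside the hunk, should be checked against the ownership of the pidfile. The start() function begins before this hunk.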
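--- a/meta-openstack/recipes-devtools/python/python-nova_git.bb
+++ b/meta-openstack/recipes-devtools/python/python-nova_git.bb
@@ -38,7 +38,7 @@ do_install_append() {
 NOVA_CONF_DIR=${D}/${sysconfdir}/nova
 
 install -d ${NOVA_CONF_DIR}
-install -m 600 ${S}/etc/nova/policy.json ${NOVA_CONF_DIR}/
+install -o nova -m 664 ${S}/etc/nova/policy.json ${NOVA_CONF_DIR}/
 
 # Deploy filters to /etc/nova/rootwrap.d
 install -m 755 -d ${NOVA_CONF_DIR}/rootwrap.d
@@ -57,8 +57,12 @@ do_install_append() {
 touch ${D}${sysconfdir}/sudoers.d/nova-rootwrap
 chmod 0440 ${D}${sysconfdir}/sudoers.d/nova-rootwrap
 chown root:root ${D}${sysconfdir}/sudoers.d/nova-rootwrap
+# root user setup
 echo "root ALL=(root) NOPASSWD: ${bindir}/nova-rootwrap" > \
 ${D}${sysconfdir}/sudoers.d/nova-rootwrap
+# nova user setup
+echo "nova ALL=(root) NOPASSWD: ${bindir}/nova-rootwrap ${sysconfdir}/nova/rootwrap.conf *" >> \
+${D}${sysconfdir}/sudoers.d/nova-rootwrap
 
 # Configuration options
 sed -e "s:%SERVICE_TENANT_NAME%:${SERVICE_TENANT_NAME}:g" \
@@ -84,11 +88,11 @@ do_install_append() {
 sed -e "s:%CONTROLLER_HOST%:${CONTROLLER_HOST}:g" -i ${WORKDIR}/openrc
 
 # Copy the configuration file
-install -m 664 ${WORKDIR}/nova.conf ${NOVA_CONF_DIR}/nova.conf
-install -m 664 ${WORKDIR}/api-paste.ini ${NOVA_CONF_DIR}
-install -m 664 ${WORKDIR}/openrc ${NOVA_CONF_DIR}
+install -o nova -m 664 ${WORKDIR}/nova.conf ${NOVA_CONF_DIR}/nova.conf
+install -o nova -m 664 ${WORKDIR}/api-paste.ini ${NOVA_CONF_DIR}
+install -o nova -m 664 ${WORKDIR}/openrc ${NOVA_CONF_DIR}
 
-install -d ${NOVA_CONF_DIR}/instances
+install -o nova -d ${NOVA_CONF_DIR}/instances
 
 if ${@base_contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then
 install -d ${D}${sysconfdir}/init.d
@@ -136,7 +140,7 @@ pkg_postinst_${SRCNAME}-common () {
 
 USERADD_PACKAGES = "${PN}"
 GROUPADD_PARAM_${PN} = "--system nova"
-USERADD_PARAM_${PN} = "--system --home /var/lib/nova -g nova \
+USERADD_PARAM_${PN} = "--system --home /var/lib/nova -g nova -G libvirt \
 --no-create-home --shell /bin/false nova"
 
 PACKAGES += " ${SRCNAME}-setup ${SRCNAME}-common ${SRCNAME}-compute ${SRCNAME}-controller"
@@ -185,7 +189,8 @@ FILES_${SRCNAME}-api = " \
 ${sysconfdir}/init.d/nova-api \
 "
 
-RDEPENDS_${PN} = " python-modules \
+RDEPENDS_${PN} = " libvirt \
+python-modules \
 python-misc \
 python-argparse \
 python-amqplib \
@@ -193,6 +198,7 @@ RDEPENDS_${PN} = " python-modules \
 python-babel \
 python-boto \
 python-cinderclient \
+python-cliff \
 python-cheetah \
 python-eventlet \
 python-feedparser \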
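Review bot: New line 41 loosens policy.json from root-only 600 to nova-owned 664, so the service account gains write access to its own API authorization policy and every local user can read it, although the service only needs to read the file. `install -o root -g nova -m 640 ${S}/etc/nova/policy.json ${NOVA_CONF_DIR}/` keeps it readable by nova without handing nova ownership, and the nova group that makes this work is created by GROUPADD_PARAM in the same recipe. The same root-owned, group-readable pattern fits nova.conf, api-paste.ini and openrc in the +88 hunk, which this commit also hands to nova at 664 and which receive sed-substituted service settings that likely include credentials, so world readability there deserves the same review. Separately, the `-G libvirt` added in the +140 hunk requires the libvirt group to exist when useradd runs; GROUPADD_PARAM only creates nova, so unless the new libvirt RDEPENDS guarantees that group is created first, adding `libvirt` to GROUPADD_PARAM would make the user creation robust. do_install_append begins before the first hunk and continues past the +88 hunk.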
