python-nova: run services as nova user instead of root

With this change we now run both the nova controller services and compute
node agents as the dedicated "nova" user.

Changes to configuration were made to relocated locks and logs to nova
writeable directories. Wherever possible configuration files and directories
have been changed to nova instead of root (with the notable exception of
rootwrap configuration).

nova has also been granted sudo privileges to run rootwrap commands.

And finally, a libvirt system group has been created and nova added to
that group. This allows the compute agent to communicate with libvirtd
via the "libvirt" group while keeping permissions tight.

Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>

4 files changed, 26 insertions, 8 deletions

diff --git a/meta-openstack/recipes-devtools/python/python-nova/nova.conf b/meta-openstack/recipes-devtools/python/python-nova/nova.conf
index a495a7d..84ef48b 100644
--- a/meta-openstack/recipes-devtools/python/python-nova/nova.conf
+++ b/meta-openstack/recipes-devtools/python/python-nova/nova.conf
@@ -19,6 +19,8 @@ debug = True
 verbose = True
 my_ip = %CONTROLLER_IP%
 glance_host = %CONTROLLER_IP%
+lock_path=/var/lock/nova/
+state_path=/var/run/nova/
 
 #VNC
 vnc_enabled = true
diff --git a/meta-openstack/recipes-devtools/python/python-nova/nova.init b/meta-openstack/recipes-devtools/python/python-nova/nova.init
index 3a2bbac..c2882b6 100644
--- a/meta-openstack/recipes-devtools/python/python-nova/nova.init
+++ b/meta-openstack/recipes-devtools/python/python-nova/nova.init
@@ -30,7 +30,8 @@ start ()
 
     echo -n "Starting $DESC..."
 
-    start-stop-daemon --start --quiet --background \
+    sudo -u nova \
+        start-stop-daemon --start --quiet --background \
         --pidfile ${PIDFILE} --make-pidfile --exec ${DAEMON}
 
     if [ $? -eq 0 ]; then
diff --git a/meta-openstack/recipes-devtools/python/python-nova_git.bb b/meta-openstack/recipes-devtools/python/python-nova_git.bb
index 6a065cb..dd199a7 100644
--- a/meta-openstack/recipes-devtools/python/python-nova_git.bb
+++ b/meta-openstack/recipes-devtools/python/python-nova_git.bb
@@ -38,7 +38,7 @@ do_install_append() {
     NOVA_CONF_DIR=${D}/${sysconfdir}/nova
 
     install -d ${NOVA_CONF_DIR}
-    install -m 600 ${S}/etc/nova/policy.json ${NOVA_CONF_DIR}/
+    install -o nova -m 664 ${S}/etc/nova/policy.json ${NOVA_CONF_DIR}/
 
     # Deploy filters to /etc/nova/rootwrap.d
     install -m 755 -d ${NOVA_CONF_DIR}/rootwrap.d
@@ -57,8 +57,12 @@ do_install_append() {
     touch ${D}${sysconfdir}/sudoers.d/nova-rootwrap
     chmod 0440 ${D}${sysconfdir}/sudoers.d/nova-rootwrap
     chown root:root ${D}${sysconfdir}/sudoers.d/nova-rootwrap
+    # root user setup
     echo "root ALL=(root) NOPASSWD: ${bindir}/nova-rootwrap" > \
         ${D}${sysconfdir}/sudoers.d/nova-rootwrap
+    # nova user setup
+    echo "nova ALL=(root) NOPASSWD: ${bindir}/nova-rootwrap ${sysconfdir}/nova/rootwrap.conf *" >> \
+         ${D}${sysconfdir}/sudoers.d/nova-rootwrap
 
     # Configuration options
     sed -e "s:%SERVICE_TENANT_NAME%:${SERVICE_TENANT_NAME}:g" \
@@ -84,11 +88,11 @@ do_install_append() {
     sed -e "s:%CONTROLLER_HOST%:${CONTROLLER_HOST}:g" -i ${WORKDIR}/openrc
 
     # Copy the configuration file
-    install -m 664 ${WORKDIR}/nova.conf     ${NOVA_CONF_DIR}/nova.conf
-    install -m 664 ${WORKDIR}/api-paste.ini ${NOVA_CONF_DIR}
-    install -m 664 ${WORKDIR}/openrc        ${NOVA_CONF_DIR}
+    install -o nova -m 664 ${WORKDIR}/nova.conf     ${NOVA_CONF_DIR}/nova.conf
+    install -o nova -m 664 ${WORKDIR}/api-paste.ini ${NOVA_CONF_DIR}
+    install -o nova -m 664 ${WORKDIR}/openrc        ${NOVA_CONF_DIR}
 
-    install -d ${NOVA_CONF_DIR}/instances
+    install -o nova -d ${NOVA_CONF_DIR}/instances
 
     if ${@base_contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then
         install -d ${D}${sysconfdir}/init.d
@@ -136,7 +140,7 @@ pkg_postinst_${SRCNAME}-common () {
 
 USERADD_PACKAGES = "${PN}"
 GROUPADD_PARAM_${PN} = "--system nova"
-USERADD_PARAM_${PN}  = "--system --home /var/lib/nova -g nova \
+USERADD_PARAM_${PN}  = "--system --home /var/lib/nova -g nova -G libvirt \
                         --no-create-home --shell /bin/false nova"
 
 PACKAGES += " ${SRCNAME}-setup ${SRCNAME}-common ${SRCNAME}-compute ${SRCNAME}-controller"
@@ -185,7 +189,8 @@ FILES_${SRCNAME}-api = " \
         ${sysconfdir}/init.d/nova-api \
 "
 
-RDEPENDS_${PN} = " python-modules \
+RDEPENDS_${PN} = " libvirt \
+                   python-modules \
                    python-misc \
                    python-argparse \
                    python-amqplib \
@@ -193,6 +198,7 @@ RDEPENDS_${PN} = " python-modules \
                    python-babel \
                    python-boto \
                    python-cinderclient \
+                   python-cliff \
                    python-cheetah \
                    python-eventlet \
                    python-feedparser \
diff --git a/meta-openstack/recipes-extended/libvirt/libvirt_1.1.2.bbappend b/meta-openstack/recipes-extended/libvirt/libvirt_1.1.2.bbappend
index 3a6634e..eb7a921 100644
--- a/meta-openstack/recipes-extended/libvirt/libvirt_1.1.2.bbappend
+++ b/meta-openstack/recipes-extended/libvirt/libvirt_1.1.2.bbappend
@@ -2,3 +2,12 @@ PACKAGECONFIG ?= "qemu lxc test remote macvtap libvirtd udev yajl \
                  python numactl sanlock ebtables \
                  ${@base_contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)} \
                 "
+
+inherit useradd
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM_${PN} = "--system libvirt"
+
+do_install_append() {
+        sed -e "s:^#unix_sock_group =:unix_sock_group =:g" -i ${D}/etc/libvirt/libvirtd.conf
+        sed -e "s:^#unix_sock_rw_perms =:unix_sock_rw_perms =:g" -i ${D}/etc/libvirt/libvirtd.conf
+}