From 811633754e5cf5e51b26c569f650d3fd115cb089 Mon Sep 17 00:00:00 2001
From: Bruce Ashfield
Date: Thu, 28 Nov 2013 23:28:04 -0500
Subject: python-nova: run services as nova user instead of root
With this change we now run both the nova controller services and compute node agents as the dedicated "nova" user. Changes to configuration were made to relocated locks and logs to nova writeable directories. Wherever possible configuration files and directories have been changed to nova instead of root (with the notable exception of rootwrap configuration). nova has also been granted sudo privileges to run rootwrap commands. And finally, a libvirt system group has been created and nova added to that group. This allows the compute agent to communicate with libvirtd via the "libvirt" group while keeping permissions tight.
Signed-off-by: Bruce Ashfield
---
 .../recipes-devtools/python/python-nova_git.bb | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
(limited to 'meta-openstack/recipes-devtools/python/python-nova_git.bb')
diff --git a/meta-openstack/recipes-devtools/python/python-nova_git.bb b/meta-openstack/recipes-devtools/python/python-nova_git.bb
index 6a065cb..dd199a7 100644
--- a/meta-openstack/recipes-devtools/python/python-nova_git.bb
+++ b/meta-openstack/recipes-devtools/python/python-nova_git.bb
@@ -38,7 +38,7 @@ do_install_append() {
 NOVA_CONF_DIR=${D}/${sysconfdir}/nova
 install -d ${NOVA_CONF_DIR}
- install -m 600 ${S}/etc/nova/policy.json ${NOVA_CONF_DIR}/
+ install -o nova -m 664 ${S}/etc/nova/policy.json ${NOVA_CONF_DIR}/
 # Deploy filters to /etc/nova/rootwrap.d
 install -m 755 -d ${NOVA_CONF_DIR}/rootwrap.d
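Review bot: policy.json is installed with `-o nova` but no `-g`, so the new 664 mode leaves the file group-writable by whatever group install defaults to in the build environment (presumably root) rather than by the nova group, and world-readable where 600 previously restricted it to its owner; nova only needs to read its policy, so `install -o nova -g nova -m 644 ${S}/etc/nova/policy.json ${NOVA_CONF_DIR}/` states that more precisely, and if the service account should not be able to rewrite its own authorization policy, keeping root as owner with 644 is the safer choice. The same `-o` without `-g` pattern recurs in the @@ -84 hunk for nova.conf, api-paste.ini and openrc; those files receive the templated service settings from the sed substitutions above them and are likely to hold credentials, and now that nova owns them they can be narrowed to `-o nova -g nova -m 640` instead of the world-readable 664 the commit keeps. do_install_append begins before this hunk and continues after it.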
@@ -57,8 +57,12 @@ do_install_append() {
 touch ${D}${sysconfdir}/sudoers.d/nova-rootwrap
 chmod 0440 ${D}${sysconfdir}/sudoers.d/nova-rootwrap
 chown root:root ${D}${sysconfdir}/sudoers.d/nova-rootwrap
+ # root user setup
 echo "root ALL=(root) NOPASSWD: ${bindir}/nova-rootwrap" > \
 ${D}${sysconfdir}/sudoers.d/nova-rootwrap
+ # nova user setup
+ echo "nova ALL=(root) NOPASSWD: ${bindir}/nova-rootwrap ${sysconfdir}/nova/rootwrap.conf *" >> \
+ ${D}${sysconfdir}/sudoers.d/nova-rootwrap
 # Configuration options
 sed -e "s:%SERVICE_TENANT_NAME%:${SERVICE_TENANT_NAME}:g" \
@@ -84,11 +88,11 @@ do_install_append() {
 sed -e "s:%CONTROLLER_HOST%:${CONTROLLER_HOST}:g" -i ${WORKDIR}/openrc
 # Copy the configuration file
- install -m 664 ${WORKDIR}/nova.conf ${NOVA_CONF_DIR}/nova.conf
- install -m 664 ${WORKDIR}/api-paste.ini ${NOVA_CONF_DIR}
- install -m 664 ${WORKDIR}/openrc ${NOVA_CONF_DIR}
+ install -o nova -m 664 ${WORKDIR}/nova.conf ${NOVA_CONF_DIR}/nova.conf
+ install -o nova -m 664 ${WORKDIR}/api-paste.ini ${NOVA_CONF_DIR}
+ install -o nova -m 664 ${WORKDIR}/openrc ${NOVA_CONF_DIR}
- install -d ${NOVA_CONF_DIR}/instances
+ install -o nova -d ${NOVA_CONF_DIR}/instances
 if ${@base_contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then
 install -d ${D}${sysconfdir}/init.d
@@ -136,7 +140,7 @@ pkg_postinst_${SRCNAME}-common () {
 USERADD_PACKAGES = "${PN}"
 GROUPADD_PARAM_${PN} = "--system nova"
-USERADD_PARAM_${PN} = "--system --home /var/lib/nova -g nova \
+USERADD_PARAM_${PN} = "--system --home /var/lib/nova -g nova -G libvirt \
 --no-create-home --shell /bin/false nova"
 PACKAGES += " ${SRCNAME}-setup ${SRCNAME}-common ${SRCNAME}-compute ${SRCNAME}-controller"
@@ -185,7 +189,8 @@ FILES_${SRCNAME}-api = " \
 ${sysconfdir}/init.d/nova-api \
 "
-RDEPENDS_${PN} = " python-modules \
+RDEPENDS_${PN} = " libvirt \
+ python-modules \
 python-misc \
 python-argparse \
 python-amqplib \
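Review bot: the new nova sudoers entry ends in a bare `*`, and a wildcard in the command-argument position of a sudoers rule matches across argument boundaries, so this line lets nova pass any argument string after rootwrap.conf; that is the usual rootwrap model, but it means the effective privilege boundary is rootwrap.conf and the filters under rootwrap.d/, not this sudoers line. Those files must therefore stay root-owned and never become writable by nova — the @@ -38 hunk installs rootwrap.d without `-o nova`, consistent with the commit message — and that invariant deserves a comment beside the new echo, e.g. `# rootwrap.conf and rootwrap.d/ are the real boundary for this rule: keep them root-owned and never nova-writable`. The added `# root user setup` label documents an entry that root does not need, since root is not subject to sudoers restrictions; dropping that entry would be clearer than labelling it. do_install_append begins before this hunk and continues after it.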
@@ -193,6 +198,7 @@ RDEPENDS_${PN} = " python-modules \
 python-babel \
 python-boto \
 python-cinderclient \
+ python-cliff \
 python-cheetah \
 python-eventlet \
 python-feedparser \
-- cgit v1.2.3-54-g00ecf
From e0927d68cb468b43238c799d27237f4649f45e34 Mon Sep 17 00:00:00 2001
From: Bruce Ashfield
Date: Mon, 2 Dec 2013 19:08:50 -0500
Subject: python-nova: add libvirt to DEPENDS
Since python-nova uses the group "libvirt", which is created by the libvirt recipe, we must specify libvirt explicitly in DEPENDS.
Signed-off-by: Bruce Ashfield
---
 meta-openstack/recipes-devtools/python/python-nova_git.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'meta-openstack/recipes-devtools/python/python-nova_git.bb')
diff --git a/meta-openstack/recipes-devtools/python/python-nova_git.bb b/meta-openstack/recipes-devtools/python/python-nova_git.bb
index dd199a7..9fb1daa 100644
--- a/meta-openstack/recipes-devtools/python/python-nova_git.bb
+++ b/meta-openstack/recipes-devtools/python/python-nova_git.bb
@@ -4,7 +4,7 @@ SECTION = "devel/python"
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=1dece7821bf3fd70fe1309eaa37d52a2"
-DEPENDS = "sudo"
+DEPENDS = "sudo libvirt"
 PR = "r0"
 SRCNAME = "nova"
-- cgit v1.2.3-54-g00ecf