From 49df962f7560915a421025e251a36204850df074 Mon Sep 17 00:00:00 2001
From: Clark Boylan <clark.boylan@gmail.com>
Date: Tue, 23 Sep 2014 09:40:26 -0700
Subject: [PATCH] Give nodepool user sudo access for dib

Disk image builder requires root permissions to chroot and mount images.
Update the puppet manifest for nodepool to optionally enable
passwordless sudo access for the nodepool user. This defaults to being
allowed but can be toggled if this is deemed an unnecessary security
risk.

Change-Id: If0bf5f182d88c848cd2a64c5c75cc64cc0b42c58
---
 modules/nodepool/files/nodepool-sudo.sudo |  1 +
 modules/nodepool/manifests/init.pp        | 16 ++++++++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 modules/nodepool/files/nodepool-sudo.sudo

diff --git a/modules/nodepool/files/nodepool-sudo.sudo b/modules/nodepool/files/nodepool-sudo.sudo
new file mode 100644
index 0000000000..5651f1beaa
--- /dev/null
+++ b/modules/nodepool/files/nodepool-sudo.sudo
@@ -0,0 +1 @@
+nodepool ALL=(ALL) NOPASSWD:ALL
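Review bot: The single rule `nodepool ALL=(ALL) NOPASSWD:ALL` grants unrestricted passwordless root, which is much wider than the chroot and mount operations the commit message cites. Any code-execution bug in a process running as nodepool would therefore become root on the host. If dib can be invoked through one entry point, narrow the rule to it, e.g. `nodepool ALL=(root) NOPASSWD: <absolute-path-to-dib-entry-point>`, where the path is a placeholder to fill in for this deployment. Whatever scope is kept, a leading comment such as `# Managed by puppet: root for disk image builder (chroot/mount)` would tell an auditor reading /etc/sudoers.d why the grant exists.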
diff --git a/modules/nodepool/manifests/init.pp b/modules/nodepool/manifests/init.pp
index 29295349ea..af6c019d24 100644
--- a/modules/nodepool/manifests/init.pp
+++ b/modules/nodepool/manifests/init.pp
@@ -28,6 +28,8 @@ class nodepool (
   $image_log_document_root = '/var/log/nodepool/image',
   $enable_image_log_via_http = false,
   $environment = {},
+  # enable sudo for nodepool user. Useful for using dib with nodepool
+  $sudo = true,
 ) {
 
   # needed by python-keystoneclient, has system bindings
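Review bot: The new `$sudo` parameter defaults to `true`, so every host that already includes this class gains the passwordless-root sudoers entry on its next puppet run without anyone opting in. Defaulting to off with `$sudo = false,` and enabling it only on hosts that build images with dib would keep the privilege grant an explicit decision. The comment could also state the consequence, e.g. `# grant the nodepool user passwordless root via sudo (needed for dib); off unless set`. The class parameter list starts above this hunk.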
@@ -220,4 +222,18 @@ class nodepool (
       }
     }
   }
+
+  if $sudo == true {
+    $sudo_file_ensure = present
+  }
+  else {
+    $sudo_file_ensure = absent
+  }
+  file { '/etc/sudoers.d/nodepool-sudo':
+    ensure => $sudo_file_ensure,
+    source => 'puppet:///modules/nodepool/nodepool-sudo.sudo',
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0440',
+  }
 }
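Review bot: The file resource for `/etc/sudoers.d/nodepool-sudo` installs the fragment without a syntax check, and a fragment in sudoers.d that fails to parse can break sudo for every user on the host. If the Puppet version in use supports it, add `validate_cmd => '/usr/sbin/visudo -c -f %',` to the resource so a bad fragment is never put in place. Separately, `if $sudo == true` treats any non-boolean value (for example the string 'true' from a data source) as off and removes the file silently. That fails safe, but a one-line comment saying so would spare an operator the surprise. The class body starts outside this hunk.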