[openstack-dev] [Fuel] Running Fuel node as non-superuser

Stanislaw Bogatkin sbogatkin at mirantis.com
Tue Nov 10 09:11:03 UTC 2015


Bartlomiej, these are customer-related patches; I think they have to be done
for 6.1 prior to the 8+ release.

Dmitry, it's nice to hear about it. Did you consider using Linux
capabilities on fuel-related processes instead of just using non-extended
POSIX privileged/non-privileged permission checks?

On Tue, Nov 10, 2015 at 10:11 AM, Bartlomiej Piotrowski <bpiotrowski at mirantis.com> wrote:

> We don't develop features for already released versions… It should be done
> for master instead.
>
> BP
>
> On Tue, Nov 10, 2015 at 7:02 AM, Adam Heczko <aheczko at mirantis.com> wrote:
>
>> Dmitry,
>> +1
>>
>> Do you plan to port your patchset to future Fuel releases?
>>
>> A.
>>
>> On Tue, Nov 10, 2015 at 12:14 AM, Dmitry Nikishov <dnikishov at mirantis.com> wrote:
>>
>>> Hey guys.
>>>
>>> I've been working on making Fuel not rely on superuser privileges
>>> at least for day-to-day operations. These include:
>>> a) running Fuel services (nailgun, astute etc)
>>> b) user operations (create env, deploy, update, log in)
>>>
>>> The reason for this is that many security policies simply do not
>>> allow root access (especially remote) to servers/environments.
>>>
>>> This feature/enhancement means that anything that is currently being
>>> run under root will be evaluated and, if possible, put under a
>>> non-privileged user. This also means that remote root access will be
>>> disabled. Instead, users will have to log in with the "fueladmin" user.
>>>
>>> Together with Omar <gomarivera> we've put together a blueprint[0] and a
>>> spec[1] for this feature. I've been developing this for Fuel 6.1, so
>>> there are two patches into fuel-main[2] and fuel-library[3] that can
>>> give you an impression of the current approach.
>>>
>>> These patches do the following:
>>> - Add fuel-admin-user package, which creates 'fueladmin'
>>> - Make all other fuel-* packages depend on fuel-admin-user
>>> - Put supervisord under 'fueladmin' user.
>>>
>>> Please review the spec/patches and let's have a discussion on the
>>> approach to this feature.
>>>
>>> Thank you.
>>>
>>> [0] https://blueprints.launchpad.net/fuel/+spec/fuel-nonsuperuser
>>> [1] https://review.openstack.org/243340
>>> [2] https://review.openstack.org/243337
>>> [3] https://review.openstack.org/243313
>>>
>>> --
>>> Dmitry Nikishov,
>>> Deployment Engineer,
>>> Mirantis, Inc.
>>>
>>>
>>> __________________________________________________________________________
>>> OpenStack Development Mailing List (not for usage questions)
>>> Unsubscribe:
>>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>>>
>>
>>
>> --
>> Adam Heczko
>> Security Engineer @ Mirantis Inc.
>>
>>
>
>
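
Added example, not part of the thread or of the Fuel patches: the top reply contrasts the plain root/non-root check with Linux capabilities, and both show up in `/proc/<pid>/status` as the `Uid` and `CapEff` lines. This audit sketch flags processes that still run as root or that hold effective capabilities while non-root; the status excerpts, UID 1000 standing in for 'fueladmin', and the `httpd-example` process are constructed assumptions.

```python
# Added example; the status excerpts are constructed, not captured from a Fuel node.
# UID 1000 standing in for 'fueladmin' and the 'httpd-example' process are assumptions.

# Bit numbers from linux/capability.h (subset; others print as cap_<n>).
CAP_NAMES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 7: "CAP_SETUID",
             10: "CAP_NET_BIND_SERVICE", 12: "CAP_NET_ADMIN", 21: "CAP_SYS_ADMIN"}

SAMPLES = [
    "Name:\tnailgun\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n",
    "Name:\tastute\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n",
    "Name:\thttpd-example\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000400\n",
]

def parse_status(text):
    """Return (name, effective UID, effective capability mask) from status text."""
    fields = dict(line.split(":", 1) for line in text.splitlines() if ":" in line)
    euid = int(fields["Uid"].split()[1])        # Uid: real, effective, saved, fs
    return fields["Name"].strip(), euid, int(fields["CapEff"].strip(), 16)

def decode_caps(mask):
    """Expand a capability bitmask into capability names."""
    return [CAP_NAMES.get(bit, f"cap_{bit}")
            for bit in range(mask.bit_length()) if mask >> bit & 1]

def audit(status_texts):
    """Flag processes that are root or that hold any effective capability."""
    findings = []
    for text in status_texts:
        name, euid, caps = parse_status(text)
        if euid == 0:
            findings.append((name, "runs as root", decode_caps(caps)))
        elif caps:
            findings.append((name, "non-root with capabilities", decode_caps(caps)))
    return findings

if __name__ == "__main__":
    for name, reason, caps in audit(SAMPLES):
        print(f"{name}: {reason} ({len(caps)} effective capabilities)")
```

On a live node the same functions can be fed the contents of each `/proc/<pid>/status` file instead of `SAMPLES`.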