[Rootwrap] Package sudoers file for rootwrap?
Hello,

I was reviewing the sudoers entries I'm using for rootwrap (https://wiki.openstack.org/wiki/Rootwrap) and I was wondering - would it be possible to include sudoers config in the packages?

Maybe as files to be placed in /etc/sudoers.d, especially as apart from Nova the usage is not well documented, and I had to use kolla's files as examples

Best regards
Francesco Di Nucci

On 6/13/24 09:48, Francesco Di Nucci wrote:
> Hello,
>
> I was reviewing the sudoers entries I'm using for rootwrap (https://wiki.openstack.org/wiki/Rootwrap) and I was wondering - would it be possible to include sudoers config in the packages?
>
> Maybe as files to be placed in /etc/sudoers.d, especially as apart from Nova the usage is not well documented, and I had to use kolla's files as examples
>
> Best regards
> Francesco Di Nucci

Hi Francesco,

I'm not sure which distribution you're talking about, but at least in Debian, each package that needs it has a /etc/sudoers.d file. For example, in a compute node, you'll get:

- ceph-smartctl
- cinder-common
- neutron_sudoers
- nova-common

For example, the Neutron one contains:

# cat neutron_sudoers
Defaults:neutron !requiretty

neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf

I hope this helps,
Cheers,

Thomas Goirand (zigo)

I'm sorry,

I have only checked using EL with CentOS Stream repos

Regards
Francesco Di Nucci

On 13/06/24 12:43, Thomas Goirand wrote:

On Thu, 2024-06-13 at 13:46 +0200, Francesco Di Nucci wrote:
> I'm sorry,
>
> I have only checked using EL with CentOS Stream repos

it's in the rdo repos, which is the supported way to install on centos
https://github.com/rdo-packages/nova-distgit/blob/rpm-master/nova-sudoers
https://github.com/rdo-packages/neutron-distgit/blob/rpm-master/neutron-sudo...

i didn't check all the packages but it should be covered.

are you using the packages from the rpm packaging tooling? it looks like it's there too
https://github.com/openstack/rpm-packaging/blob/master/openstack/nova/openst...

> Regards
> Francesco Di Nucci

Ok,

thank you all, it looks like I had a problem during major upgrades...

For example package nova-common was installed, but file /etc/sudoers.d/nova was not present.

Reinstalled the package with DNF and now it's there... I don't know what happened

Regards
Francesco Di Nucci

On 13/06/24 14:17, smooney@redhat.com wrote:

Just for the record if someone stumbles on the same issue, we had a problem with Puppet and the sudo module. Existing sudoers config should not have been purged, but due to a configuration mistake, all pre-existing configs were purged, including the ones provided by packages

Thank you again for the support
Francesco Di Nucci

On 6/13/24 14:30, Francesco Di Nucci wrote:
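
The failure this thread ended on (package installed, but its /etc/sudoers.d file removed by configuration management) can be checked for directly. The script below is an added example, not part of any message above: it compares a package's file manifest with what is on disk and reports missing sudoers drop-ins. The function names are hypothetical, and audit_packages assumes an RPM-based host.

```shell
#!/bin/sh
# Added example: find package-owned sudoers drop-ins that are missing on disk.

# missing_dropins ROOT
# Reads a package file manifest on stdin (one absolute path per line, as
# printed by `rpm -ql PKG` or `dpkg -L PKG`) and prints every entry below
# /etc/sudoers.d that does not exist under ROOT (empty ROOT = live system).
missing_dropins() {
    root=${1:-}
    while IFS= read -r path; do
        case $path in
            # "?*" skips the /etc/sudoers.d directory entry itself
            /etc/sudoers.d/?*)
                [ -e "$root$path" ] || printf '%s\n' "$path"
                ;;
        esac
    done
}

# audit_packages PKG...
# Runs the check against installed RPM packages. Returns 1 if any package
# is not installed or has lost a drop-in, 0 otherwise.
audit_packages() {
    rc=0
    for pkg in "$@"; do
        if ! rpm -q "$pkg" >/dev/null 2>&1; then
            printf '%s: not installed\n' "$pkg"
            rc=1
            continue
        fi
        missing=$(rpm -ql "$pkg" | missing_dropins "")
        if [ -n "$missing" ]; then
            printf '%s: missing sudoers drop-in(s):\n%s\n' "$pkg" "$missing"
            rc=1
        fi
    done
    return $rc
}

# Example: sh check-sudoers-dropins.sh nova-common
if [ "$#" -gt 0 ]; then
    audit_packages "$@"
fi
```

Run from cron or as a post-run check of the configuration management tool, a non-zero exit shows a purge like the one described above before a service hits a sudo failure.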