[openstack-dev] [tripleo] removing sudoers.d rules from disk-image-builder
Chris Jones
cmsj at tenshu.net
Tue Jul 23 16:39:13 UTC 2013
Hi
On 23 July 2013 10:52, Robert Collins <robertc at robertcollins.net> wrote:
> So I'd like to change things to say:
> - either run sudo disk-image-create or
>
This is probably the simplest option, but it does increase the amount of
code we're running with elevated privileges, which might be a concern, but
probably isn't, given the ratio of stuff that currently runs without sudo
to the stuff that does.
I think we also need to do a little work to make this option functional; a
quick test just now suggests we are doing something wrong with
ELEMENTS_PATH at least.
> - setup passwordless sudo or
>
Doesn't sound like a super awesome option to me; it places an ugly security
problem on anyone wanting to set this up anywhere, imo.
> - don't run unattended.
>
I like being able to run a build while I read email or do some reviews, so
I do not like this option ;)
I think if we make option 1 work, then option 2 is a viable option for
people who want it; they have a single command to allow in sudoers. Option
3 essentially works in all scenarios :)
FWIW I do quite like the implicit auditing of sudo commands that is
currently required to manually create the sudoers file, but I take your
point that it's probably unnecessary work at this point.
Cheers,
Chris