[openstack-dev] [tripleo] removing sudoers.d rules from disk-image-builder

Chris Jones cmsj at tenshu.net
Tue Jul 23 16:39:13 UTC 2013


Hi

On 23 July 2013 10:52, Robert Collins <robertc at robertcollins.net> wrote:

> So I'd like to change things to say:
>  - either run sudo disk-image-create or
>

This is probably the simplest option, but it does increase the amount of
code we're running with elevated privileges, which might be a concern, but
probably isn't, given the ratio of stuff that currently runs without sudo,
to the stuff that does.
I think we also need to do a little work to make this option functional; a
quick test just now suggests we are doing something wrong with
ELEMENTS_PATH at least.


>  - setup passwordless sudo or
>

Doesn't sound like a super awesome option to me; it places an ugly security
problem on anyone wanting to set this up anywhere, imo.


>  - don't run unattended.
>

I like being able to run a build while I read email or do some reviews, so
I do not like this option ;)

I think if we make option 1 work, then option 2 is a viable option for
people who want it; they have a single command to allow in sudoers. Option
3 essentially works in all scenarios :)

FWIW I do quite like the implicit auditing of sudo commands that is
currently required to manually create the sudoers file, but I take your
point that it's probably unnecessary work at this point.

Cheers,

Chris