[openstack-dev] [Fuel] Running Fuel node as non-superuser

Dmitry Nikishov dnikishov at mirantis.com
Mon Nov 9 23:14:10 UTC 2015


Hey guys.

I've been working on making Fuel not rely on superuser privileges,
at least for day-to-day operations. These include:
a) running Fuel services (nailgun, astute etc)
b) user operations (create env, deploy, update, log in)

The reason for this is that many security policies simply do not
allow root access (especially remote) to servers/environments.

This feature/enhancement means that anything that is currently being
run under root will be evaluated and, if possible, put under a
non-privileged user. This also means that remote root access will be
disabled. Instead, users will have to log in with the "fueladmin" user.

Together with Omar <gomarivera> we've put together a blueprint[0] and a
spec[1] for this feature. I've been developing this for Fuel 6.1, so there
are two patches into fuel-main[2] and fuel-library[3] that can give you an
impression of the current approach.

These patches do the following:
- Add fuel-admin-user package, which creates 'fueladmin'
- Make all other fuel-* packages depend on fuel-admin-user
- Put supervisord under 'fueladmin' user.

Please review the spec/patches and let's have a discussion on the approach
to this feature.

Thank you.

[0] https://blueprints.launchpad.net/fuel/+spec/fuel-nonsuperuser
[1] https://review.openstack.org/243340
[2] https://review.openstack.org/243337
[3] https://review.openstack.org/243313

-- 
Dmitry Nikishov,
Deployment Engineer,
Mirantis, Inc.
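
An added example, not part of the original post or of the Fuel patches: a check for which supervisord-managed programs would still run as root before and after supervisord is put under 'fueladmin'. It assumes supervisord's documented `user=` semantics (accounts can only be switched when supervisord starts as root); the two configs are constructed samples, and the command paths are placeholders.

```python
import configparser

# Constructed sample configs (not taken from Fuel). Program names follow the
# services named in the post; the command paths are placeholders.
BEFORE = """
[supervisord]
logfile=/var/log/supervisord.log

[program:nailgun]
command=/usr/bin/placeholder-nailgun

[program:astute]
command=/usr/bin/placeholder-astute
user=fueladmin
"""

AFTER = """
[supervisord]
user=fueladmin   ; supervisord itself drops to the unprivileged account

[program:nailgun]
command=/usr/bin/placeholder-nailgun

[program:astute]
command=/usr/bin/placeholder-astute
user=nobody
"""

def effective_users(conf_text, started_as="root"):
    """Map each program to the account it would run as (None = cannot start)."""
    cp = configparser.ConfigParser(interpolation=None,
                                   inline_comment_prefixes=(";",))
    cp.read_string(conf_text)
    daemon = started_as
    if started_as == "root":  # only a root-started supervisord can drop to user=
        daemon = cp.get("supervisord", "user", fallback="root")
    result = {}
    for section in cp.sections():
        if not section.startswith("program:"):
            continue
        name = section[len("program:"):]
        wanted = cp.get(section, "user", fallback=None)
        if daemon == "root":
            result[name] = wanted or "root"      # no user= means it inherits root
        else:                                    # non-root daemon cannot switch users
            result[name] = daemon if wanted in (None, daemon) else None
    return result

def running_as_root(conf_text, started_as="root"):
    users = effective_users(conf_text, started_as)
    return sorted(name for name, user in users.items() if user == "root")
```

In the AFTER sample, the per-program `user=nobody` maps to `None`: once supervisord itself runs unprivileged it cannot switch to a different account, so a leftover per-program `user=` line becomes a startup failure rather than a privilege problem.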