Ok,

thank you all, it looks like I had a problem during major upgrades...

For example package nova-common was installed, but file /etc/sudoers.d/nova was not present.

Reinstalled the package with DNF and now it's there... I don't know what happened

Regards

Francesco Di Nucci

On 13/06/24 14:17, smoo...@redhat.com wrote:
On Thu, 2024-06-13 at 13:46 +0200, Francesco Di Nucci wrote:
I'm sorry,

I have only checked using EL with CentOS Stream repos
It's in the RDO repos, which is the supported way to install on CentOS:
https://github.com/rdo-packages/nova-distgit/blob/rpm-master/nova-sudoers
https://github.com/rdo-packages/neutron-distgit/blob/rpm-master/neutron-sudoers

I didn't check all the packages but it should be covered.

Are you using the packages from the rpm packaging tooling?
It looks like it's there too:
https://github.com/openstack/rpm-packaging/blob/master/openstack/nova/openstack-nova.sudoers

Regards

Francesco Di Nucci

On 13/06/24 12:43, Thomas Goirand wrote:
On 6/13/24 09:48, Francesco Di Nucci wrote:
Hello,

I was reviewing the sudoers entries I'm using for rootwrap
(https://wiki.openstack.org/wiki/Rootwrap) and I was wondering -
would it be possible to include sudoers config in the packages?

Maybe as files to be placed in /etc/sudoers.d, especially as apart
from Nova the usage is not well documented, and I had to use kolla's
files as examples

Best regards

Francesco Di Nucci
Hi Francesco,

I'm not sure what distribution you're talking about, but at least
in Debian, each package that needs it has a /etc/sudoers.d file. For
example, in a compute node, you'll get:

- ceph-smartctl
- cinder-common
- neutron_sudoers
- nova-common

For example, the Neutron one contains:

# cat neutron_sudoers
Defaults:neutron !requiretty

neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf

I hope this helps,
Cheers,

Thomas Goirand (zigo)
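
An added example, not part of the original thread and not code from the RDO or Debian packages: a small Python audit of a rootwrap sudoers drop-in such as the Neutron file quoted above, which also reports a missing or empty drop-in like the one found after the upgrade. It assumes the /usr/bin/<service>-rootwrap and /etc/<service>/rootwrap.conf layout of that file; the function name and the last sample rule are constructed for illustration.

```python
import re

# Constructed sample: the Neutron drop-in quoted in the thread, plus one
# constructed over-broad rule (last line) to show what the audit flags.
SAMPLE = """\
Defaults:neutron !requiretty

neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
neutron ALL = (root) NOPASSWD: ALL
"""

# user host = (runas) [TAG: ...] command[, command ...]
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")


def audit_rootwrap_sudoers(text, service):
    """Return [(line_no, problem)] for one service's sudoers drop-in text."""
    # Assumed layout, generalised from the Neutron file in the thread.
    allowed = {f"/usr/bin/{service}-rootwrap", f"/usr/bin/{service}-rootwrap-daemon"}
    conf = f"/etc/{service}/rootwrap.conf"
    findings, rules = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE.match(line)
        if not m:
            findings.append((no, "not a complete rule (wrapped line?)"))
            continue
        user, _runas, _tags, cmds = m.groups()
        rules += 1
        if user != service:
            findings.append((no, f"rule is for user {user!r}, expected {service!r}"))
        for cmd in cmds.split(","):
            argv = cmd.split()
            if not argv:
                continue
            if argv[0] not in allowed:
                findings.append((no, f"command {argv[0]!r} is not a rootwrap binary"))
            elif argv[1:2] != [conf]:
                findings.append((no, "rootwrap config path is not pinned"))
    if rules == 0:
        findings.append((0, "no rootwrap rule found (missing or empty drop-in)"))
    return findings

if __name__ == "__main__":
    for no, problem in audit_rootwrap_sudoers(SAMPLE, "neutron"):
        print(f"line {no}: {problem}")
```

To audit a real host, pass the contents of the file under /etc/sudoers.d to the function; syntax validation itself is still best left to visudo -c.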




_______________________________________________
dev mailing list -- dev@lists.rdoproject.org