> Any solution where you need to modify sudoers every time the code
> changes is painful, because there is only one sudo configuration on a
> machine and it's owned by root.

Hmm? At least on Ubuntu there is a default /etc/sudoers.d directory, where we could land per-service files like nova-compute.conf, nova-network.conf, etc. I don't think that's there by default on Fedora or RHEL, but adding the includedir to the base config works as expected.

> The end result was that the sudoers files were not maintained and
> everyone ran and tested with a convenient blanket-permission sudoers
> file.

Last I checked, the nova rootwrap policy includes blanket approvals for things like chmod, which pretty much eliminates any sort of expectation of reasonable security without improvement by the operator (which I think is unrealistic).

I'm not sure what the right answer is here. I'm a little afraid of a rootwrap daemon. However, nova-network choking on 50 instances seems to be obviously not an option...

--Dan

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
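Dan's point about blanket approvals for commands like chmod, as an added example that is not part of the thread or of nova: a small Python audit that parses a rootwrap-style filter file and flags CommandFilter entries that approve an executable with no argument constraints. The INI layout (oslo.rootwrap's `[Filters]` section) is assumed since the thread does not show it, and the sample filter file and the risk list are constructed for this example.

```python
"""Audit a rootwrap-style filter file for blanket command approvals.

Assumed format (oslo.rootwrap, not shown in the thread): an INI file with a
[Filters] section where each line reads
    name: FilterClass, /path/to/exe, run-as-user[, extra args...]
CommandFilter approves every invocation of the executable regardless of its
arguments; RegExpFilter constrains each argument with a regular expression.
"""
import configparser
import io

# Constructed sample modelled on the shape of a nova filter file (not a real one).
SAMPLE_FILTERS = """
[Filters]
chmod: CommandFilter, /bin/chmod, root
ip: CommandFilter, /sbin/ip, root
kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
chmod_nova: RegExpFilter, /bin/chmod, root, chmod, 0644, /var/lib/nova/.*
"""

# Executables that, with unconstrained arguments, let a compromised service
# reach far beyond its own files (constructed list for this example).
BLANKET_RISK = {"chmod", "chown", "cp", "mv", "dd", "tee", "sh", "bash"}


def parse_filters(text):
    """Return a list of (name, filter_class, [args]) from the [Filters] section."""
    cp = configparser.RawConfigParser()
    cp.optionxform = str  # keep filter names exactly as written
    cp.read_file(io.StringIO(text))
    entries = []
    for name, value in cp.items("Filters"):
        parts = [p.strip() for p in value.split(",")]
        entries.append((name, parts[0], parts[1:]))
    return entries


def blanket_approvals(text):
    """Names of CommandFilter entries whose executable is in BLANKET_RISK.

    RegExpFilter entries for the same binary are not flagged: their arguments
    are pinned, so they do not grant the blanket permission Dan describes.
    """
    flagged = []
    for name, cls, args in parse_filters(text):
        if cls == "CommandFilter" and args:
            exe = args[0].rsplit("/", 1)[-1]  # basename of the executable
            if exe in BLANKET_RISK:
                flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name in blanket_approvals(SAMPLE_FILTERS):
        print(f"blanket approval: {name}")
```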