Ok,
thank you all, it looks like I had a problem during major upgrades...
For example package nova-common was installed, but file
/etc/sudoers.d/nova was not present.
Reinstalled the package with DNF and now it's there... I don't know what
happened
Regards
Francesco Di Nucci
On 13/06/24 14:17, smooney(a)redhat.com wrote:
On Thu, 2024-06-13 at 13:46 +0200, Francesco Di Nucci wrote:
> I'm sorry,
>
> I have only checked using EL with CentOS Stream repos
It's in the RDO repos, which is the supported way to install on CentOS
https://github.com/rdo-packages/nova-distgit/blob/rpm-master/nova-sudoers
https://github.com/rdo-packages/neutron-distgit/blob/rpm-master/neutron-s...
I didn't check all the packages, but it should be covered.
Are you using the packages from the rpm packaging tooling?
It looks like it's there too
https://github.com/openstack/rpm-packaging/blob/master/openstack/nova/ope...
> Regards
>
> Francesco Di Nucci
>
> On 13/06/24 12:43, Thomas Goirand wrote:
>> On 6/13/24 09:48, Francesco Di Nucci wrote:
>>> Hello,
>>>
>>> I was reviewing the sudoers entries I'm using for rootwrap
>>> (https://wiki.openstack.org/wiki/Rootwrap) and I was wondering -
>>> would it be possible to sudoers config in the packages?
>>>
>>> Maybe as files to be placed in /etc/sudoers.d, especially as apart
>>> from Nova the usage is not well documented, and I had to use kolla's
>>> files as examples
>>>
>>> Best regards
>>>
>>> Francesco Di Nucci
>> Hi Francesco,
>>
>> I'm not sure what distribution you're talking about, but at least
>> in Debian, each package that needs it has a /etc/sudoers.d file. For
>> example, in a compute node, you'll get:
>>
>> - ceph-smartctl
>> - cinder-common
>> - neutron_sudoers
>> - nova-common
>>
>> For example, the Neutron one contains:
>>
>> # cat neutron_sudoers
>> Defaults:neutron !requiretty
>>
>> neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
>> neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
>>
>> I hope this helps,
>> Cheers,
>>
>> Thomas Goirand (zigo)
>>
>>
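
The state described at the top of the thread (package installed, but no drop-in under /etc/sudoers.d) can be checked for directly. The script below is an added example, not code from the thread or from any OpenStack package: the function names and sample files are constructed, and the rule shape is an assumption modelled on the neutron_sudoers file quoted above.

```sh
#!/bin/sh
# Added example, not from the thread: report whether a service account has an
# effective rootwrap rule in a sudoers drop-in directory.

# rootwrap_sudoers_status SERVICE [DIR]  ->  prints ok | ignored | missing
#   ok       a file sudo reads grants SERVICE its rootwrap command
#   ignored  the rule exists only in a file sudo skips because of its name
#   missing  no drop-in carries the rule (the nova-common state in the thread)
# The body runs in a subshell, so its variables stay local.
rootwrap_sudoers_status() (
    svc=$1
    dir=${2:-/etc/sudoers.d}
    status=missing
    # Assumed rule shape, modelled on the neutron_sudoers file quoted above
    rule="^${svc}[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(root\)[[:space:]]+NOPASSWD:"
    rule="${rule}[[:space:]]*/usr/bin/${svc}-rootwrap[[:space:]]+/etc/${svc}/rootwrap\.conf"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        grep -Eq "$rule" "$f" || continue
        case ${f##*/} in
            # sudo skips drop-ins whose name contains '.' or ends in '~'
            *.*|*~) [ "$status" = ok ] || status=ignored ;;
            *) status=ok ;;
        esac
    done
    echo "$status"
)

# Constructed sample: neutron has a valid drop-in, cinder's rule sits only in
# a file with a dotted name, nova has no drop-in at all.
make_sample_dir() (
    d=$(mktemp -d)
    printf '%s\n' 'Defaults:neutron !requiretty' '' \
        'neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *' \
        > "$d/neutron_sudoers"
    printf '%s\n' \
        'cinder ALL = (root) NOPASSWD: /usr/bin/cinder-rootwrap /etc/cinder/rootwrap.conf *' \
        > "$d/cinder.rpmsave"
    echo "$d"
)

sample=$(make_sample_dir)
for s in neutron cinder nova; do
    printf '%-8s %s\n' "$s" "$(rootwrap_sudoers_status "$s" "$sample")"
done
rm -rf "$sample"
```

On an RPM-based system, `rpm -V nova-common` additionally reports packaged files that have gone missing since installation.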