7:30 a.m.
Ok,
thank you all, it looks like I had a problem during major upgrades...
For example package nova-common was installed, but file
/etc/sudoers.d/nova was not present.
Reinstalled the package with DNF and now it's there... I don't know what
happened
Regards
Francesco Di Nucci
On 13/06/24 14:17, smooney(a)redhat.com wrote:
On Thu, 2024-06-13 at 13:46 +0200, Francesco Di Nucci wrote:
> I'm sorry,
>
> I have only checked using EL with CentOS Stream repos
its in the rdo repos which is the supproted way to install on centos
https://github.com/rdo-packages/nova-distgit/blob/rpm-master/nova-sudoers
https://github.com/rdo-packages/neutron-distgit/blob/rpm-master/neutron-s...
i didnt check all the packages but it should be covered.
are you using the packages form the rpm packaging tooling
it looks like its there too
https://github.com/openstack/rpm-packaging/blob/master/openstack/nova/ope...
> Regards
>
> Francesco Di Nucci
>
> On 13/06/24 12:43, Thomas Goirand wrote:
>> On 6/13/24 09:48, Francesco Di Nucci wrote:
>>> Hello,
>>>
>>> I was reviewing the sudoers entries I'm using for rootwrap
>>> (https://wiki.openstack.org/wiki/Rootwrap) and I was wondering -
>>> would it be possible to sudoers config in the packages?
>>>
>>> Maybe as files to be placed in /etc/sudoers.d, especially as apart
>>> from Nova the usage is not well documented, and I had to use kolla's
>>> files as examples
>>>
>>> Best regards
>>>
>>> Francesco Di Nucci
>> Hi Francesco,
>>
>> I'm not sure for what distribution you're talking about, but at least
>> in Debian, each package that needs it has a /etc/sudoers.d file. For
>> example, in a compute node, you'll get:
>>
>> - ceph-smartctl
>> - cinder-common
>> - neutron_sudoers
>> - nova-common
>>
>> For example, the Neutron one contains:
>>
>> # cat neutron_sudoers
>> Defaults:neutron !requiretty
>>
>> neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap
>> /etc/neutron/rootwrap.conf *
>> neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap-daemon
>> /etc/neutron/rootwrap.conf
>>
>> I hope this helps,
>> Cheers,
>>
>> Thomas Goirand (zigo)
>>
>>
3:15 a.m.
New subject: [Rootwrap] Package sudoers file for rootwrap?
Just for the record
if someone stumbles on the same issue, we had a problem with Puppet and
sudo module. Existing sudoers config should have not been purged, but
due to a configuration mistake, all pre-existing configs were purged,
including the ones provided by packages
Thank you again for the support
Francesco Di Nucci
On 6/13/24 14:30, Francesco Di Nucci wrote:
Ok,
thank you all, it looks like I had a problem during major upgrades...
For example package nova-common was installed, but file
/etc/sudoers.d/nova was not present.
Reinstalled the package with DNF and now it's there... I don't know
what happened
Regards
Francesco Di Nucci
On 13/06/24 14:17, smooney(a)redhat.com wrote:
> On Thu, 2024-06-13 at 13:46 +0200, Francesco Di Nucci wrote:
>> I'm sorry,
>>
>> I have only checked using EL with CentOS Stream repos
> its in the rdo repos which is the supproted way to install on centos
> https://github.com/rdo-packages/nova-distgit/blob/rpm-master/nova-sudoers
>
> https://github.com/rdo-packages/neutron-distgit/blob/rpm-master/neutron-s...
>
>
> i didnt check all the packages but it should be covered.
>
> are you using the packages form the rpm packaging tooling
> it looks like its there too
>
https://github.com/openstack/rpm-packaging/blob/master/openstack/nova/ope...
>
>
>> Regards
>>
>> Francesco Di Nucci
>>
>> On 13/06/24 12:43, Thomas Goirand wrote:
>>> On 6/13/24 09:48, Francesco Di Nucci wrote:
>>>> Hello,
>>>>
>>>> I was reviewing the sudoers entries I'm using for rootwrap
>>>> (https://wiki.openstack.org/wiki/Rootwrap) and I was wondering -
>>>> would it be possible to sudoers config in the packages?
>>>>
>>>> Maybe as files to be placed in /etc/sudoers.d, especially as apart
>>>> from Nova the usage is not well documented, and I had to use kolla's
>>>> files as examples
>>>>
>>>> Best regards
>>>>
>>>> Francesco Di Nucci
>>> Hi Francesco,
>>>
>>> I'm not sure for what distribution you're talking about, but at
least
>>> in Debian, each package that needs it has a /etc/sudoers.d file. For
>>> example, in a compute node, you'll get:
>>>
>>> - ceph-smartctl
>>> - cinder-common
>>> - neutron_sudoers
>>> - nova-common
>>>
>>> For example, the Neutron one contains:
>>>
>>> # cat neutron_sudoers
>>> Defaults:neutron !requiretty
>>>
>>> neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap
>>> /etc/neutron/rootwrap.conf *
>>> neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap-daemon
>>> /etc/neutron/rootwrap.conf
>>>
>>> I hope this helps,
>>> Cheers,
>>>
>>> Thomas Goirand (zigo)
>>>
>>>
>
>
147
days inactive
153
days old
1 comments
1 participants
participants (1)
-
Francesco Di Nucci