Document info about packages dropping their own sudo rules in /etc/sudoers.d
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openstack-manuals | Fix Released | Medium | Matt Kassawara |
Bug Description
Reported on the openstack mailing list:
I just spent a couple hours trying to figure this out so I thought I'd share.
I'm using the stackforge puppet modules and writing my own integration module to pull the individual modules together. That allows me to integrate better with our current puppet methodology and with local security policy.
One of the things we disallow, by accident actually, is packages dropping their own sudo rules in /etc/sudoers.d. All sudo rules must be explicitly specified and managed via puppet resources. As a side effect of this when I went to start the nova metadata api on the controller node my logs blew up (as did the inboxes of my coworkers) with security violations from the nova metadata api attempting to use the nova root wrapper via sudo.
I thought it a little odd that the nova metadata api would need to do anything as root since I'm running the neutron metadata agents which already run actions as root. I figured out that this was coming from the nova.api.
I couldn't find this documented anywhere, so hopefully this helps someone in the future.
-----
Not sure where to document this - Install Guide if it's distro-specific? Cloud Admin Guide? Maybe it's not a doc bug since it's a packaging problem?
tags: added: install-guide

Changed in openstack-manuals:
assignee: nobody → Matt Kassawara (ionosphere80)
status: Confirmed → In Progress
milestone: none → juno
Rootwrap is currently listed at
Neutron: http://docs.openstack.org/trunk/config-reference/content/networking-options-rootwrap.html
Cinder: http://docs.openstack.org/trunk/config-reference/content/section_cinder-rootwrap.conf.html
Nova: http://docs.openstack.org/trunk/config-reference/content/list-of-compute-config-options.html
Admin guide: http://docs.openstack.org/admin-guide-cloud/content/root-wrap-reference.html
I don't think it's distro specific - I'd expect all packages to handle sudo access for OpenStack somehow.
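As an added example (not code from the bug report, the mailing-list poster, or any OpenStack project): a POSIX shell audit that scans a sudoers.d directory for rules granting a service account a rootwrap binary, and for files that were not deliberately deployed by the administrator. That is the check the reporter's "all sudo rules must be explicitly managed" policy relies on, and it surfaces the package-installed rules the comment above expects every distribution to ship somehow. The sample files it creates under mktemp are constructed for illustration; the rule shape `<user> ALL = (root) NOPASSWD: /usr/bin/<project>-rootwrap ...` and the file names are assumptions about what packages drop, so compare against the real /etc/sudoers.d on your host.

```shell
#!/bin/sh
# Added example: audit a sudoers.d directory for rootwrap grants and for
# files outside an explicit allowlist. Not from the bug report or any
# OpenStack package; sample rules below are constructed.
set -e
export LC_ALL=C   # stable, byte-order glob sorting regardless of host locale

# Print one line per rule that hands out a *-rootwrap binary, as
# "<file>:<user>:<command>". Comment and blank lines are skipped; other
# rules (Defaults, unrelated commands) are ignored.
list_rootwrap_rules() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "$f" |
        while IFS= read -r line; do
            case "$line" in
                *-rootwrap*)
                    user=$(printf '%s\n' "$line" | awk '{print $1}')
                    # Drop "user host =", the "(runas)" spec and any
                    # TAG: prefixes (NOPASSWD:, SETENV:) to keep the command.
                    cmd=$(printf '%s\n' "$line" |
                          sed -e 's/^[^=]*=[[:space:]]*//' \
                              -e 's/^([^)]*)[[:space:]]*//' \
                              -e 's/^\([A-Z]*:[[:space:]]*\)*//')
                    printf '%s:%s:%s\n' "${f##*/}" "$user" "$cmd"
                    ;;
            esac
        done
    done
}

# Print every file in DIR whose name is not among the expected names given
# as further arguments; return 1 if any such file exists. This is the
# "only puppet-managed rules allowed" check from the report, as a script.
unexpected_sudoers_files() {
    dir="$1"; shift
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        known=0
        for e in "$@"; do
            if [ "$name" = "$e" ]; then known=1; fi
        done
        if [ "$known" -eq 0 ]; then
            printf '%s\n' "$name"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Build a constructed sudoers.d under mktemp and print its path. The
# package-style rules are an assumption about what nova/neutron packages
# install, not copied from a distribution.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/nova_sudoers" <<'EOF'
# constructed sample of a package-dropped rootwrap rule
Defaults:nova !requiretty
nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *
EOF
    cat > "$d/neutron_sudoers" <<'EOF'
neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
EOF
    cat > "$d/90-puppet-admins" <<'EOF'
%admins ALL=(ALL) ALL
EOF
    printf '%s\n' "$d"
}

# Usage on the constructed directory; on a real host pass /etc/sudoers.d
# and the list of files your configuration management deploys.
sample=$(make_sample_dir)
list_rootwrap_rules "$sample"
unexpected_sudoers_files "$sample" 90-puppet-admins ||
    echo "unmanaged sudoers.d files present (listed above)"
rm -rf "$sample"
```

Run against the live directory, the second check is what would have flagged nova_sudoers before nova-api started sudoing to nova-rootwrap; the first check tells you which service accounts the rules actually grant rootwrap to, so the rule can be reproduced as a managed puppet resource instead of being silently dropped.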