Comment 3 for bug 1761595

fun fact: `openstack' command wants a non-root user; but the undercloud deploy actually runs with a global sudo call - partly because of things done in python directly (like symlinks in /etc tree).

A way to avoid that would be to use ansible instead of python for the deploy part, even its preparation... Might be the longest path, but at least it will be the safest one.

Having a nice "stack" sudoers listing only some "yum install/update" things and, possibly, some tiny more bits, is probably better than the dreadful "NOPASSWD:ALL" we currently see in the doc.