So I looked at this a bit more and it is not specific to nova. This is how kolla really works.
When a container calls '/usr/local/bin/kolla_start' the following line gets invoked:
sudo -E kolla_set_configs
This will make sure that we invoke kolla_set_configs via sudo (in case we're running as a non-root user). From /etc/sudoers:
%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_set_configs
So now, given that this is how sudo/kolla work to set the configs, we need to find a way to avoid the denials.