Add privsep-helper to nova sudoers file

Code Issues Proposed changes

With the new oslo-privsep library, there is now a
privsep-helper command that is used to escalate
privledges.
This command needs to be runnable by the nova user
via sudo without a password. The old rootwrap command
is still used as well, so for now we need to have
both.
Change-Id: I3bf334bf9498f67a1e91041d1d50870964e6141c

This commit is contained in:

Mohammed Naser

2019年03月31日 21:24:27 -04:00

parent 83cd24912d

commit 8e48646eb6

1 changed files with 1 additions and 0 deletions

Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL

Download Patch File Download Diff File Expand all files Collapse all files

1
templates/sudoers.j2

View File

@@ -4,3 +4,4 @@ Defaults:{{ nova_system_user_name }} !requiretty

Defaults:{{ nova_system_user_name }} secure_path="{{ nova_bin }}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

{{ nova_system_user_name }} ALL = (root) NOPASSWD: {{ nova_bin }}/{{ nova_service_name }}-rootwrap

{{ nova_system_user_name }} ALL = (root) NOPASSWD: {{ nova_bin }}/privsep-helper

Add privsep-helper to nova sudoers file

1 templates/sudoers.j2 Unescape Escape View File

1
templates/sudoers.j2

View File