From 49df962f7560915a421025e251a36204850df074 Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Tue, 23 Sep 2014 09:40:26 -0700
Subject: [PATCH] Give nodepool user sudo access for dib

Disk image builder requires root permissions to chroot and mount images. Update the puppet manifest for nodepool to optionally enable passwordless sudo access for the nodepool user. This defaults to being allowed but can be toggled if this is deemed an unnecessary security risk.

Change-Id: If0bf5f182d88c848cd2a64c5c75cc64cc0b42c58
---
 modules/nodepool/files/nodepool-sudo.sudo | 1 +
 modules/nodepool/manifests/init.pp | 16 ++++++++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 modules/nodepool/files/nodepool-sudo.sudo

diff --git a/modules/nodepool/files/nodepool-sudo.sudo b/modules/nodepool/files/nodepool-sudo.sudo
new file mode 100644
index 0000000000..5651f1beaa
--- /dev/null
+++ b/modules/nodepool/files/nodepool-sudo.sudo
@@ -0,0 +1 @@
+nodepool ALL=(ALL) NOPASSWD:ALL
diff --git a/modules/nodepool/manifests/init.pp b/modules/nodepool/manifests/init.pp
index 29295349ea..af6c019d24 100644
--- a/modules/nodepool/manifests/init.pp
+++ b/modules/nodepool/manifests/init.pp
@@ -28,6 +28,8 @@ class nodepool (
 $image_log_document_root = '/var/log/nodepool/image',
 $enable_image_log_via_http = false,
 $environment = {},
+ # enable sudo for nodepool user. Useful for using dib with nodepool
+ $sudo = true,
 ) {
 
 # needed by python-keystoneclient, has system bindings
@@ -220,4 +222,18 @@ class nodepool (
 }
 }
 }
+
+ if $sudo == true {
+ $sudo_file_ensure = present
+ }
+ else {
+ $sudo_file_ensure = absent
+ }
+ file { '/etc/sudoers.d/nodepool-sudo':
+ ensure => $sudo_file_ensure,
+ source => 'puppet:///modules/nodepool/nodepool-sudo.sudo',
+ owner => 'root',
+ group => 'root',
+ mode => '0440',
+ }
 }
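Review bot: The single rule `nodepool ALL=(ALL) NOPASSWD:ALL` in nodepool-sudo.sudo makes the nodepool service account equivalent to root, so a code-execution flaw in the daemon or in anything it runs during an image build becomes a full compromise of the host. The commit message names only chroot and mount as the need; if the commands dib invokes through sudo can be enumerated, a `Cmnd_Alias` limited to them, with `(root)` rather than `(ALL)` as the run-as target, would be narrower. If that is not practical, the file should at least carry a comment such as `# passwordless root for diskimage-builder (chroot/mount); disable with nodepool::sudo => false` so the grant is not mistaken for a leftover.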
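Review bot: The default `$sudo = true,` in the first init.pp hunk switches the passwordless-root grant on for every existing consumer of the class at the next Puppet run, even though the parameter is new and no caller has opted in. Defaulting to `$sudo = false,` and enabling it only on hosts that build images with dib keeps the change opt-in, which matches the commit message's own description of it as a possible security risk. The parameter comment could also state what is granted, e.g. `# install a sudoers.d rule giving the nodepool user passwordless root; needed only for dib image builds`. The class body continues outside this hunk.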
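Review bot: The `file { '/etc/sudoers.d/nodepool-sudo': ... }` resource in the second init.pp hunk installs the fragment without a syntax check, and a malformed file under /etc/sudoers.d can leave sudo unusable for every user on the host. Where the Puppet version in use supports it, adding `validate_cmd => '/usr/sbin/visudo -c -f %',` to the resource rejects a bad fragment before it replaces the live one. The `if $sudo == true` test also appears to treat a non-boolean value (for example the string 'true' from a data lookup) as false and remove the file; that fails closed, but silently, so a comment such as `# any value other than boolean true removes the sudoers rule` would help. The class body starts outside this hunk.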