Oh, my bad for the write permission of nova user. That should not be like
this. Thanks Jeffrey.
Cheers,
T
On Wed, Aug 24, 2016 at 2:39 PM, Jeffrey Zhang
wrote:
> On Wed, Aug 24, 2016 at 5:24 PM, lương hữu tuấn
> wrote:
> > However, with config
On Wed, Aug 24, 2016 at 5:24 PM, lương hữu tuấn wrote:
> However, with config file as nova.conf or in this case e.g. kolla.conf, it
> should be kolla:kolla and only owner can write as well, it means 644 since
> the kolla service is run under the name of kolla user, it is
Hi Jeffrey,
You are right with the rootwrap file since it is the root wrapper of the
specific service, e.g. nova. Then we should permit it as root:root and only
the owner can write.
However, with config file as nova.conf or in this case e.g. kolla.conf, it
should be kolla:kolla and only owner
Using the same user for running service and the configuration files is
dangerous, i.e. the service running user shouldn't change the
configuration files.
A simple attack like:
* a hacker hacked into nova-api container with nova user
* he can change the /etc/nova/rootwrap.conf file and
On 8/23/16, 7:05 AM, "Gerard Braad" wrote:
>On Tue, Aug 23, 2016 at 9:56 PM, lương hữu tuấn wrote:
>> I also prefer a dedicated user ("kolla" seems the best choice) as same > On
>> Tue, Aug 23, 2016 at 3:51 PM, Paul Bourke
On Tue, Aug 23, 2016 at 9:56 PM, lương hữu tuấn wrote:
> I also prefer a dedicated user ("kolla" seems the best choice) as same > On
> Tue, Aug 23, 2016 at 3:51 PM, Paul Bourke wrote:
>> In my experience operators prefer a dedicated user
I also prefer a dedicated user ("kolla" seems the best choice) as same as
other projects in OpenStack.
Cheers,
Tuan
On Tue, Aug 23, 2016 at 3:51 PM, Paul Bourke wrote:
> In my experience operators prefer a dedicated user (kolla:kolla), though I
> can't see any major
In my experience operators prefer a dedicated user (kolla:kolla), though
I can't see any major problem with your root:kolla approach.
On 23/08/16 14:40, Steven Dake (stdake) wrote:
On 8/23/16, 1:04 AM, "duon...@vn.fujitsu.com" wrote:
Hi S.Dake,
Hello Kollish,
On 8/23/16, 1:04 AM, "duon...@vn.fujitsu.com" wrote:
>Hi S.Dake,
>
>>> Hello Kollish,
>>>
>>> I am working on bp ansible-specific-task-become so I need community opinion
>>> about Kolla configuration files owner and permissions.
>>>
>>> For files in
Hi S.Dake,
>> Hello Kollish,
>>
>> I am working on bp ansible-specific-task-become so I need community opinion
>> about Kolla configuration files owner and permissions.
>>
>> For files in "/var/lib/kolla", it's quite clear that the owner should be
>> 'root' as currently.
>>
>> For files in
It indeed made me frightened when I just stopped at the part of
"writable by a group" of configuration files and tried myself to figure
out what you guys were discussing on IRC.
Thanks Steve for making clear about "group of operators".
Cheers,
Tuan
On 08/23/2016 07:29 AM, Steven Dake (stdake)
On 8/22/16, 7:24 PM, "duon...@vn.fujitsu.com" wrote:
>Hello Kollish,
>
>I am working on bp ansible-specific-task-become so I need community opinion
>about Kolla configuration files owner and permissions.
>
>For files in "/var/lib/kolla", it's quite clear that the
Hello Kollish,
I am working on bp ansible-specific-task-become so I need community opinion
about Kolla configuration files owner and permissions.
For files in "/var/lib/kolla", it's quite clear that the owner should be 'root'
as currently.
For files in "/etc/kolla": After discussion with