Re: [openstack-dev] [kolla] Kolla configuration files owner and permission

2016-08-24 Thread lương hữu tuấn
Oh, my bad for the write permission of nova user. That should not be like this. Thanks Jeffrey. Cheers, T On Wed, Aug 24, 2016 at 2:39 PM, Jeffrey Zhang wrote: > On Wed, Aug 24, 2016 at 5:24 PM, lương hữu tuấn > wrote: > > However, with config

Re: [openstack-dev] [kolla] Kolla configuration files owner and permission

2016-08-24 Thread Jeffrey Zhang
On Wed, Aug 24, 2016 at 5:24 PM, lương hữu tuấn wrote: > However, with config file as nova.conf or in this case e.g. kolla.conf, it > should be kolla:kolla and only owner can write as well, it means 644 since > the kolla service is run under the name of kolla user, it is

Re: [openstack-dev] [kolla] Kolla configuration files owner and permission

2016-08-24 Thread lương hữu tuấn
Hi Jeffrey, You are right with the rootwrap file since it is the root wrapper of the specific service, e.g. nova. Then we should permit it as root:root and only the owner can write. However, with config file as nova.conf or in this case e.g. kolla.conf, it should be kolla:kolla and only owner

Re: [openstack-dev] [kolla] Kolla configuration files owner and permission

2016-08-23 Thread Jeffrey Zhang
Using the same user for running the service and the configuration files is dangerous, i.e. the service running user shouldn't be able to change the configuration files. A simple attack like:
* a hacker hacked into nova-api container with nova user
* he can change the /etc/nova/rootwrap.conf file and

Re: [openstack-dev] [kolla] Kolla configuration files owner and permission

2016-08-23 Thread Steven Dake (stdake)
On 8/23/16, 7:05 AM, "Gerard Braad" wrote: >On Tue, Aug 23, 2016 at 9:56 PM, lương hữu tuấn wrote: >> I also prefer a dedicated user ("kolla" seems the best choice) as same > On >> Tue, Aug 23, 2016 at 3:51 PM, Paul Bourke

Re: [openstack-dev] [kolla] Kolla configuration files owner and permission

2016-08-23 Thread Gerard Braad
On Tue, Aug 23, 2016 at 9:56 PM, lương hữu tuấn wrote: > I also prefer a dedicated user ("kolla" seems the best choice) as same > On > Tue, Aug 23, 2016 at 3:51 PM, Paul Bourke wrote: >> In my experience operators prefer a dedicated user

Re: [openstack-dev] [kolla] Kolla configuration files owner and permission

2016-08-23 Thread lương hữu tuấn
I also prefer a dedicated user ("kolla" seems the best choice) as same as other projects in OpenStack. Cheers, Tuan On Tue, Aug 23, 2016 at 3:51 PM, Paul Bourke wrote: > In my experience operators prefer a dedicated user (kolla:kolla), though I > can't see any major

Re: [openstack-dev] [kolla] Kolla configuration files owner and permission

2016-08-23 Thread Paul Bourke
In my experience operators prefer a dedicated user (kolla:kolla), though I can't see any major problem with your root:kolla approach. On 23/08/16 14:40, Steven Dake (stdake) wrote: On 8/23/16, 1:04 AM, "duon...@vn.fujitsu.com" wrote: Hi S.Dake, Hello Kollish,

Re: [openstack-dev] [kolla] Kolla configuration files owner and permission

2016-08-23 Thread Steven Dake (stdake)
On 8/23/16, 1:04 AM, "duon...@vn.fujitsu.com" wrote: >Hi S.Dake, > >>> Hello Kollish, >>> >>> I am working on bp ansible-specific-task-become so I need community opinion >>> about Kolla configuration files owner and permissions. >>> >>> For files in

Re: [openstack-dev] [kolla] Kolla configuration files owner and permission

2016-08-23 Thread duon...@vn.fujitsu.com
Hi S.Dake, >> Hello Kollish, >> >> I am working on bp ansible-specific-task-become so I need community opinion >> about Kolla configuration files owner and permissions. >> >> For files in "/var/lib/kolla", it's quite clear that the owner should be >> 'root' as currently. >> >> For files in

Re: [openstack-dev] [kolla] Kolla configuration files owner and permission

2016-08-23 Thread Tuan Luong
It indeed makes me frightened when I just stopped at the part of "writable by a group" of configuration files and tried myself to figure out what you guys were discussing on IRC. Thanks Steve for making clear about "group of operators". Cheers, Tuan On 08/23/2016 07:29 AM, Steven Dake (stdake)

Re: [openstack-dev] [kolla] Kolla configuration files owner and permission

2016-08-22 Thread Steven Dake (stdake)
On 8/22/16, 7:24 PM, "duon...@vn.fujitsu.com" wrote: >Hello Kollish, > >I am working on bp ansible-specific-task-become so I need community opinion >about Kolla configuration files owner and permissions. > >For files in "/var/lib/kolla", it's quite clear that the

[openstack-dev] [kolla] Kolla configuration files owner and permission

2016-08-22 Thread duon...@vn.fujitsu.com
Hello Kollish, I am working on bp ansible-specific-task-become so I need community opinion about Kolla configuration files owner and permissions. For files in "/var/lib/kolla", it's quite clear that the owner should be 'root' as currently. For files in "/etc/kolla": After discussion with