sudo permissions for jenkins

I have a task that is currently not allowed due to the current sudo rules. I need to be able to run the edit-node tool to generate ovirt-node isos containing vdsm. This tool requires root or sudo access.

The problem is that I'm extracting the tool from its rpm since it's generated in a different jenkins job. The execution is done with a command like this:

sudo ${WORKSPACE}/edit-node <options>

AFAIK, this can't be handled in the sudoers file in any easy way.

Any suggestions? Or maybe simply enable universal passwordless sudo?

Thanks

Mike

On 07/23/2013 01:27 PM, Mike Burns wrote:
> I have a task that is currently not allowed due to the current sudo rules. I need to be able to run the edit-node tool to generate ovirt-node isos containing vdsm. This tool requires root or sudo access.
>
> The problem is that I'm extracting the tool from its rpm since it's generated in a different jenkins job. The execution is done with a command like this:
>
> sudo ${WORKSPACE}/edit-node <options>
>
> AFAIK, this can't be handled in the sudoers file in any easy way.
>
> Any suggestions? Or maybe simply enable universal passwordless sudo?

With us already using sshkey-only for access, do we need passwords on sudo?

- Karsten

--
Karsten 'quaid' Wade
http://TheOpenSourceWay.org
http://community.redhat.com
@quaid (identi.ca/twitter/IRC)
gpg: AD0E0C41

On Tue, Jul 23, 2013 at 04:27:08PM -0400, Mike Burns wrote:
> I have a task that is currently not allowed due to the current sudo rules. I need to be able to run the edit-node tool to generate ovirt-node isos containing vdsm. This tool requires root or sudo access.
>
> The problem is that I'm extracting the tool from its rpm since it's generated in a different jenkins job. The execution is done with a command like this:
>
> sudo ${WORKSPACE}/edit-node <options>
>
> AFAIK, this can't be handled in the sudoers file in any easy way.
>
> Any suggestions? Or maybe simply enable universal passwordless sudo?

I was wondering the same thing in http://gerrit.ovirt.org/17261. Since we already give permission to yum and cp to /etc/yum.repos.d, it's not hard to get some package to install extra sudo rules for yourself and have full sudo.
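
The point made in the message above, written as a sudoers review check (an added example, not part of the thread or of oVirt's tooling): a rule is equivalent to full root when the permitted binary sits in a directory the user can write, as `${WORKSPACE}/edit-node` does, or when it can install packages or overwrite root-owned files. It generalizes slightly beyond the thread by also flagging `ALL` and other file-writing binaries. The binary list, the writable prefixes (including the `/var/lib/jenkins/` workspace path) and the sample rules are assumptions constructed for illustration; aliases and included files are not expanded.

```python
import os
import re

# Assumptions for this example, not taken from the thread: which binaries
# count as root-equivalent and which directories the jenkins user can write.
ROOT_EQUIVALENT = {"yum", "rpm", "cp", "mv", "tee", "sh", "bash"}
USER_WRITABLE = ("/var/lib/jenkins/", "/home/", "/tmp/")
SKIP = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, SETENV:, ...

# Constructed sample modelled on the rules discussed in the thread.
SAMPLE = """\
# constructed sudoers fragment
jenkins ALL=(ALL) NOPASSWD: /usr/bin/yum, /bin/cp * /etc/yum.repos.d/
jenkins ALL=(ALL) NOPASSWD: /var/lib/jenkins/workspace/*/edit-node
jenkins ALL=(ALL) NOPASSWD: /sbin/service jenkins restart
"""


def audit(sudoers_text):
    """Return (user, command, reason) for rules that amount to full root."""
    findings = []
    # Join backslash continuations; '#' starts a comment or an include line.
    for line in sudoers_text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        match = RULE.match(line)
        if not match or line.startswith(SKIP):
            continue
        user, commands = match.groups()
        for command in commands.split(","):
            command = TAGS.sub("", command.strip())
            binary = command.split()[0] if command else ""
            if binary == "ALL":
                reason = "unrestricted"
            elif binary.startswith(USER_WRITABLE):
                reason = "binary lives where the user can replace it"
            elif os.path.basename(binary) in ROOT_EQUIVALENT:
                reason = "can install or overwrite root-owned files"
            else:
                continue
            findings.append((user, command, reason))
    return findings


if __name__ == "__main__":
    for user, command, reason in audit(SAMPLE):
        print(f"{user}: {command} -> {reason}")
```

On the sample, the yum, cp and workspace rules are reported and the service restart rule is not.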

On Tue 23 Jul 2013 10:48:46 PM CEST, Ewoud Kohl van Wijngaarden wrote:
> On Tue, Jul 23, 2013 at 04:27:08PM -0400, Mike Burns wrote:
> > I have a task that is currently not allowed due to the current sudo rules. I need to be able to run the edit-node tool to generate ovirt-node isos containing vdsm. This tool requires root or sudo access.
> >
> > The problem is that I'm extracting the tool from its rpm since it's generated in a different jenkins job. The execution is done with a command like this:
> >
> > sudo ${WORKSPACE}/edit-node <options>
> >
> > AFAIK, this can't be handled in the sudoers file in any easy way.
> >
> > Any suggestions? Or maybe simply enable universal passwordless sudo?
>
> I was wondering the same thing in http://gerrit.ovirt.org/17261. Since we already give permission to yum and cp to /etc/yum.repos.d, it's not hard to get some package to install extra sudo rules for yourself and have full sudo.

Yep, but we need it in order to be able to run the jobs, if we don't want to set up a complicated permission system. I agree with quaid, we can just add ssh access for us and give full sudo access to the jenkins user and our users, afaik the only sensible information that is there is the hashed password for admin users in the shadowfile, but if we allow passwordless sudo to our users too we do not need to set up any password in the system (that means changes in the users class too btw).

--
David Caro
Red Hat Czech s.r.o.
Continuous Integration Engineer - EMEA ENG Virtualization R&D
Tel.: +420 532 294 605
Email: dcaro@redhat.com
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
RHT Global #: 82-62605