Comment 2 for bug 1016567

James E. Blair (corvus) wrote :

Devstack-gate runs as the jenkins user, which itself has sudo permissions on the devstack jenkins slaves. Those are needed before and after the script to do things like reset and collect syslog files. Because devstack-gate runs devstack as jenkins, with sudo, devstack does _not_ create a 'stack' user and install the 50_stack_sh file.

Instead, I think we could do the following:

Have devstack-gate run devstack as root to allow it to set up the stack user and sudoers file. Then run devstack as 'stack' ("sudo -u devstack ./stack.sh"). Then remove the 50_stack_sh. Then run tests as stack.

That still may not close all the holes. For each service, devstack runs a lot of commands that require sudo before launching the service. That means that the initial startup of each service is able to run with full sudo capability, even if we remove the sudo file later on. The configuration and starting of services is interleaved, so it wouldn't even be straightforward to find a place in devstack to remove the sudoers file. Further fun: it looks like the quantum agent is started with sudo.

But I don't know if you're concerned about nova having sudo access during startup vs. just ongoing operation.