Give nodepool user sudo access for dib

Disk image builder requires root permissions to chroot and mount images. Update the puppet manifest for nodepool to optionally enable passwordless sudo access for the nodepool user. This defaults to being allowed but can be toggled if this is deemed an unnecessary security risk. Change-Id: If0bf5f182d88c848cd2a64c5c75cc64cc0b42c58
2014-09-23 09:40:26 -07:00 · 2014-09-23 09:40:26 -07:00 · 397faa1559
commit 397faa1559
parent e6718fc6d5
2 changed files with 17 additions and 0 deletions
--- a/files/nodepool-sudo.sudo
+++ b/files/nodepool-sudo.sudo
@ -0,0 +1 @@
+nodepool ALL=(ALL) NOPASSWD:ALL
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -28,6 +28,8 @@ class nodepool (
  $image_log_document_root = '/var/log/nodepool/image',
  $enable_image_log_via_http = false,
  $environment = {},
+  # enable sudo for nodepool user. Useful for using dib with nodepool
+  $sudo = true,
 ) {

  # needed by python-keystoneclient, has system bindings
@ -220,4 +222,18 @@ class nodepool (
      }
    }
  }
+
+  if $sudo == true {
+    $sudo_file_ensure = present
+  }
+  else {
+    $sudo_file_ensure = absent
+  }
+  file { '/etc/sudoers.d/nodepool-sudo':
+    ensure => $sudo_file_ensure,
+    source => 'puppet:///modules/nodepool/nodepool-sudo.sudo',
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0440',
+  }
 }