From 8d0a04d670851b9706b8187481042649ae4cb315 Mon Sep 17 00:00:00 2001 From: Dmitry Tantsur Date: Thu, 24 Sep 2015 11:22:29 +0200 Subject: [PATCH] Fix rootwrap configuration documentation Mention rootwrap.d and modifying rootwrap.conf in case of different main configuration directory. Change-Id: I02e8faaaf213af34f094e4ac8726ebf2abb2208a --- README.rst | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/README.rst b/README.rst index b05ef8898..3cd99f839 100644 --- a/README.rst +++ b/README.rst @@ -162,15 +162,24 @@ for the other possible configuration options. and should have access rights like ``0600``. **ironic-inspector** requires root rights for managing iptables. It gets them -by running ``ironic-inspector-rootwrap`` utility with ``sudo``. To allow it, -copy ``rootwrap.conf`` to the configuration directory (e.g. as -``/etc/ironic-inspector/rootwrap.conf`` and create file +by running ``ironic-inspector-rootwrap`` utility with ``sudo``. +To allow it, copy file ``rootwrap.conf`` and directory ``rootwrap.d`` to the +configuration directory (e.g. ``/etc/ironic-inspector/``) and create file ``/etc/sudoers.d/ironic-inspector-rootwrap`` with the following content:: stack ALL=(root) NOPASSWD: /usr/bin/ironic-inspector-rootwrap /etc/ironic-inspector/rootwrap.conf * .. note:: - ``rootwrap.conf`` must be writeable only by root. + ``rootwrap.conf`` and all files in ``rootwrap.d`` must be writeable + only by root. + +.. note:: + If you store ``rootwrap.d`` in a different location, make sure to update + the *filters_path* option in ``rootwrap.conf`` to reflect the change. + + If your ``rootwrap.conf`` is in a different location, then you need + to update the *rootwrap_config* option in ``ironic-inspector.conf`` + to point to that location. Replace ``stack`` with whatever user you'll be using to run **ironic-inspector**.
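Review bot: In the first ``.. note::`` the root-only requirement covers ``rootwrap.conf`` and the files in ``rootwrap.d`` but not the ``rootwrap.d`` directory itself. If the directory is writeable by the service user, a filter file can be added or replaced there even though the existing files are protected, so the note should state that the directory must also be writeable only by root. In the second note, the paragraph about a relocated ``rootwrap.conf`` mentions only the *rootwrap_config* option, while the sudoers line above hardcodes ``/etc/ironic-inspector/rootwrap.conf``. It should add that the path in ``/etc/sudoers.d/ironic-inspector-rootwrap`` has to be changed to match, otherwise the documented sudo rule no longer applies to the command being run. The closing "Replace ``stack`` ..." sentence now sits after two notes, away from the sudoers line it refers to, and would read better directly below that line.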