I also prefer a dedicated user ("kolla" seems the best choice), the same as
other projects in OpenStack.

Cheers,
Tuan

On Tue, Aug 23, 2016 at 3:51 PM, Paul Bourke <[email protected]> wrote:

> In my experience operators prefer a dedicated user (kolla:kolla), though I
> can't see any major problem with your root:kolla approach.
>
> On 23/08/16 14:40, Steven Dake (stdake) wrote:
>
>> On 8/23/16, 1:04 AM, "[email protected]" <[email protected]>
>> wrote:
>>
>>> Hi S.Dake,
>>>
>>>>> Hello Kollish,
>>>>>
>>>>> I am working on bp ansible-specific-task-become so I need community
>>>>> opinion about Kolla configuration files owner and permissions.
>>>>>
>>>>> For files in "/var/lib/kolla", it's quite clear that the owner should
>>>>> be 'root' as currently.
>>>>>
>>>>> For files in "/etc/kolla": After discussion with S.Dake on IRC, he
>>>>> recommends /etc/kolla is owned by root and all files in it are 660
>>>>> (writable by a group).
>>>>
>>>> Just to add a bit of clarity, the rationale for this idea is that a
>>>> group of operators could add themselves to the kolla group on all of the
>>>> nodes and use their specific ssh keys to operate OpenStack. This is why
>>>> the group concept in unix was invented 50 odd years ago ;)
>>>
>>> I just noticed that if the directory has 660, a non-root user cannot
>>> access files in this folder. It seems to conflict with the group purpose.
>>> Should it be 770 for folders?
>>
>> Yes, 770 for folders, 660 for files seeded by the user ids and their ssh
>> keys in the host playbook that is in the review queue. Changes to the host
>> playbook in the review queue should come later for this group based model.
>>
>> The real question is what do operators prefer? Single user (non-root),
>> Multi-user (non-root), or Single user (root).
>>
>> Regards
>> -steve
>>
>>>> Regards
>>>> -steve
>>>
>>> Best regards,
>>>
>>> duonghq
>>> PODC - Fujitsu Vietnam Ltd.
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
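
The permission model discussed in this thread (one owner, a shared operator group, 770 on directories and 660 on files) can be checked with a short audit script. This is an added example, not code from the thread or from Kolla; `audit_tree` and its arguments are hypothetical names, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: audit a config tree against the model from the thread
# (one owner, one group, directories 770, regular files 660).
# audit_tree and its arguments are hypothetical names; GNU stat is assumed.

# Usage: audit_tree DIR OWNER GROUP
# Prints one line per deviation; returns 0 only when the tree is clean.
audit_tree() {
    dir=$1 owner=$2 group=$3
    report=$(
        find "$dir" \( -type d -o -type f \) | while IFS= read -r path; do
            if [ -d "$path" ]; then want=770; else want=660; fi
            # %a = octal mode, %U = owner name, %G = group name
            set -- $(stat -c '%a %U %G' "$path")
            [ "$1" = "$want" ] || echo "MODE  $path is $1, want $want"
            if [ -d "$path" ]; then
                # An even group digit means the x (search) bit is missing,
                # which is the 660-on-a-directory problem raised in the thread.
                case $1 in
                    *[0246]?) echo "SEARCH $path has no group x bit, members cannot enter" ;;
                esac
            fi
            [ "$2" = "$owner" ] || echo "OWNER $path is $2, want $owner"
            [ "$3" = "$group" ] || echo "GROUP $path is $3, want $group"
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

For the layout recommended in the thread this would be called as `audit_tree /etc/kolla root kolla`.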
