Oh, my bad for the write permission of nova user. That should not be like
this. Thanks Jeffrey.
Cheers,
T
On Wed, Aug 24, 2016 at 2:39 PM, Jeffrey Zhang
wrote:
> On Wed, Aug 24, 2016 at 5:24 PM, lương hữu tuấn
> wrote:
> > However, with config file as nova.conf or in this case e.g. kolla.conf
On Wed, Aug 24, 2016 at 5:24 PM, lương hữu tuấn wrote:
> However, with config file as nova.conf or in this case e.g. kolla.conf, it
> should be kolla:kolla and only owner can write as well, it means 644 since
> the kolla service is run under the name of kolla user, it is the same with
> other serv
Hi Jeffrey,
You are right with the rootwrap file since it is the root wrapper of the
specific service, e.g. nova. Then we should permit it as root:root and only
the owner can write.
However, with config file as nova.conf or in this case e.g. kolla.conf, it
should be kolla:kolla and only owner can
Using the same user for running the service and the configuration files is
dangerous, i.e. the service running user shouldn't be able to change the
configuration files.
A simple attack like:
* a hacker hacked into nova-api container with nova user
* he can change the /etc/nova/rootwrap.conf file and
/etc/nova/ro
On 8/23/16, 7:05 AM, "Gerard Braad" wrote:
>On Tue, Aug 23, 2016 at 9:56 PM, lương hữu tuấn wrote:
>> I also prefer a dedicated user ("kolla" seems the best choice) as same > On
>> Tue, Aug 23, 2016 at 3:51 PM, Paul Bourke wrote:
>>> In my experience operators prefer a dedicated user (kol
On Tue, Aug 23, 2016 at 9:56 PM, lương hữu tuấn wrote:
> I also prefer a dedicated user ("kolla" seems the best choice) as same > On
> Tue, Aug 23, 2016 at 3:51 PM, Paul Bourke wrote:
>> In my experience operators prefer a dedicated user (kolla:kolla), though I
kolla:kolla seems more logical an
I also prefer a dedicated user ("kolla" seems the best choice) as same as
other projects in OpenStack.
Cheers,
Tuan
On Tue, Aug 23, 2016 at 3:51 PM, Paul Bourke wrote:
> In my experience operators prefer a dedicated user (kolla:kolla), though I
> can't see any major problem with your root:koll
In my experience operators prefer a dedicated user (kolla:kolla), though
I can't see any major problem with your root:kolla approach.
On 23/08/16 14:40, Steven Dake (stdake) wrote:
On 8/23/16, 1:04 AM, "duon...@vn.fujitsu.com" wrote:
Hi S.Dake,
Hello Kollish,
I am working on bp ansib
On 8/23/16, 1:04 AM, "duon...@vn.fujitsu.com" wrote:
>Hi S.Dake,
>
>>> Hello Kollish,
>>>
>>> I am working on bp ansible-specific-task-become so I need community opinion
>>> about Kolla configuration files owner and permissions.
>>>
>>> For files in "/var/lib/kolla", it's quite clear that t
Hi S.Dake,
>> Hello Kollish,
>>
>> I am working on bp ansible-specific-task-become so I need community opinion
>> about Kolla configuration files owner and permissions.
>>
>> For files in "/var/lib/kolla", it's quite clear that the owner should be
>> 'root' as currently.
>>
>> For files in "/etc
It indeed made me frightened when I just stopped at the part of
"writable by a group" of configuration files and tried myself to figure
out what you guys were discussing on IRC.
Thanks Steve for making clear about "group of operators".
Cheers,
Tuan
On 08/23/2016 07:29 AM, Steven Dake (stdake) wr
On 8/22/16, 7:24 PM, "duon...@vn.fujitsu.com" wrote:
>Hello Kollish,
>
>I am working on bp ansible-specific-task-become so I need community opinion
>about Kolla configuration files owner and permissions.
>
>For files in "/var/lib/kolla", it's quite clear that the owner should be
>'root' as
Hello Kollish,
I am working on bp ansible-specific-task-become so I need community opinion
about Kolla configuration files owner and permissions.
For files in "/var/lib/kolla", it's quite clear that the owner should be 'root'
as currently.
For files in "/etc/kolla": After discussion with S.Da