From 357c2de681c698915ea062de72cd1863067c080b Mon Sep 17 00:00:00 2001
From: Chris Jones
Date: Fri, 2 Aug 2013 11:34:56 +0100
Subject: [PATCH] Remove explicit sudoers requirement.
Most of our build process runs as root and the overhead of explicitly tracking sudo commands in the shipped sudoers.d file, plus the operational overhead of keeping the sudoers.d file updated on build hosts over time, is now considered to be unnecessary.
Instead, we now document that the build process will expect sudo commands to work and the operator must make this happen (either by running as root, via sudo -E, or allowing passwordless sudo for the build user).
Change-Id: If2628e7d0c7efde0fb99c84a217523ba29b1b38d
---
 MANIFEST.in | 1 -
 README.md | 7 ++--
 lib/common-functions | 1 -
 sudoers.d/img-build-sudoers | 65 -------------------------------------
 4 files changed, 3 insertions(+), 71 deletions(-)
 delete mode 100644 sudoers.d/img-build-sudoers
diff --git a/MANIFEST.in b/MANIFEST.in
index 52606d29..780e8c9b 100644
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -6,5 +6,4 @@ graft lib
 graft elements
 graft docs
 graft scripts
-graft sudoers.d
 include README.md
diff --git a/README.md b/README.md
index 3eb6850c..f6dcd4ce 100644
--- a/README.md
+++ b/README.md
@@ -49,10 +49,6 @@ Installation
 * Clone the repository locally, then add bin to your path.
-* Copy sudoers.d/\* into your /etc/sudoers.d/. (Warning, use visudo -c -f
- (unknown) to check that each one parses successfully on your machine, so you
- don't break your machine).
-
 * Make sure you have qemu-img (qemu-utils package on Ubuntu/Debian, qemu on Fedora/RHEL) and kpartx installed.
@@ -62,6 +58,9 @@ Invocation
 The scripts can generally just be run. Options can be set on the command line or by exporting variables to override those present in lib/img-defaults. -h to get help.
+The image building scripts expect to be able to invoke commands with sudo, so if you
+want them to run non-interactively, you should either run them as root, with
+sudo -E, or allow your build user to run any sudo command without password.
 Using the variable ELEMENTS\_PATH will allow to specify multiple elements locations. It's a colon (:) separated path list, and it will work in a first path/element found,
diff --git a/lib/common-functions b/lib/common-functions
index 22a2de11..013274ee 100644
--- a/lib/common-functions
+++ b/lib/common-functions
@@ -185,7 +185,6 @@ function arg_to_elements() {
 IMAGE_ELEMENT="ramdisk $IMAGE_ELEMENT"
 fi
 echo "Building elements: $IMAGE_ELEMENT"
-echo "If prompted for sudo, install sudoers.d/img-build-sudoers into /etc/sudoers.d and restart the build."
 IMAGE_ELEMENT=$($SCRIPT_HOME/element-info --expand-dependencies $IMAGE_ELEMENT)
diff --git a/sudoers.d/img-build-sudoers b/sudoers.d/img-build-sudoers
deleted file mode 100644
index 6264aa7a..00000000
--- a/sudoers.d/img-build-sudoers
+++ /dev/null
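Review bot: The third added line in the Invocation section recommends allowing the build user to "run any sudo command without password", which is a far broader grant than the per-command allowlist this commit deletes in sudoers.d/img-build-sudoers, and the README does not say so. I would add one line after `sudo -E, or allow your build user to run any sudo command without password.`: `The last option gives that account unrestricted root, so use it only for a dedicated build account on a dedicated build host, not a personal login.` With the message in lib/common-functions also removed, a build that stalls at a sudo password prompt now prints no explanation, so this paragraph is the only place a reader learns why; a one-line pointer to it from the script would help, though that is outside this hunk.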
@@ -1,65 +0,0 @@
-# Copyright 2012 Hewlett-Packard Development Company, L.P.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-ALL ALL=(root) NOPASSWD: /bin/chmod * /tmp/*/mnt/*
-ALL ALL=(root) NOPASSWD: /bin/dd of=/tmp/*/mnt/*
-ALL ALL=(root) NOPASSWD: /bin/ln -sf * /tmp/*/mnt/*
-ALL ALL=(root) NOPASSWD: /bin/mkdir -p /tmp/*/mnt/*
-ALL ALL=(root) NOPASSWD: /bin/mkdir /tmp/*/mnt/*
-ALL ALL=(root) NOPASSWD: /bin/mount --bind /dev /tmp/*/mnt/dev
-ALL ALL=(root) NOPASSWD: /bin/mount --bind /tmp/*/hooks /tmp/*/mnt/tmp/in_target.d
-ALL ALL=(root) NOPASSWD: /bin/mount --bind */.cache/image-create/ccache /tmp/*/mnt/tmp/ccache
-ALL ALL=(root) NOPASSWD: /bin/mount -o remount\,ro\,bind /tmp/*/hooks /tmp/*/mnt/tmp/in_target.d
-ALL ALL=(root) NOPASSWD: /bin/mount -t proc none /tmp/*/mnt/proc
-ALL ALL=(root) NOPASSWD: /bin/mount -t sysfs none /tmp/*/mnt/sys
-ALL ALL=(root) NOPASSWD: /bin/mount /dev/nbd0* /tmp/*/mnt
-ALL ALL=(root) NOPASSWD: /bin/mount /dev/loop* /tmp/*/mnt
-ALL ALL=(root) NOPASSWD: /bin/mount /dev/mapper/loop* /tmp/*/mnt
-ALL ALL=(root) NOPASSWD: /bin/mv /tmp/*/mnt/* /tmp/*/mnt/*
-ALL ALL=(root) NOPASSWD: /bin/mv -t /tmp/*/mnt /tmp/*/built/*
-ALL ALL=(root) NOPASSWD: /bin/rm -* /tmp/*/mnt
-ALL ALL=(root) NOPASSWD: /bin/rm -* /tmp/*/mnt/*
-ALL ALL=(root) NOPASSWD: /bin/rm -* /tmp/*/built
-ALL ALL=(root) NOPASSWD: /bin/rmdir /tmp/*/mnt/*
-ALL ALL=(root) NOPASSWD: /bin/tar -C /tmp/*/mnt -xzf /*/.cache/image-create/*
-ALL ALL=(root) NOPASSWD: /bin/umount -f /tmp/*/mnt
-ALL ALL=(root) NOPASSWD: /bin/umount -f /tmp/*/mnt/dev
-ALL ALL=(root) NOPASSWD: /bin/umount -f /tmp/*/mnt/proc
-ALL ALL=(root) NOPASSWD: /bin/umount -f /tmp/*/mnt/sys
-ALL ALL=(root) NOPASSWD: /bin/umount -f /tmp/*/mnt/tmp/in_target.d
-ALL ALL=(root) NOPASSWD: /sbin/mkfs -E resize=274877906944 -t ext4 -L cloudimg-rootfs /dev/loop*
-ALL ALL=(root) NOPASSWD: /sbin/mkfs -i 4096 -E resize=274877906944 -t ext4 -L cloudimg-rootfs /dev/loop*
-ALL ALL=(root) NOPASSWD: /sbin/modprobe nbd max_part=16
-ALL ALL=(root) NOPASSWD: /sbin/sfdisk /dev/nbd*
-ALL ALL=(root) NOPASSWD: /sbin/sfdisk /dev/loop*
-ALL ALL=(root) NOPASSWD: /usr/bin/qemu-nbd -c /dev/nbd0 --cache=writeback /tmp/*/image
-ALL ALL=(root) NOPASSWD: /usr/bin/qemu-nbd -d /dev/nbd0
-ALL ALL=(root) NOPASSWD: /usr/bin/touch /tmp/*/mnt/*
-ALL ALL=(root) NOPASSWD: /usr/bin/unlink /tmp/*/mnt/*
-ALL ALL=(root) NOPASSWD: /bin/cp -t /tmp/*/mnt/etc/ -a /tmp/*/hooks/first-boot.d
-ALL ALL=(root) NOPASSWD: /usr/bin/install -m 0755 -o root -g root -D */dib-run-parts /tmp/*/mnt/usr/local/bin/dib-run-parts
-ALL ALL=(root) SETENV: NOPASSWD: /usr/sbin/chroot /tmp/*/mnt *
-ALL ALL=(root) NOPASSWD: /sbin/losetup --show -r -f /tmp/*/*.raw
-ALL ALL=(root) NOPASSWD: /sbin/losetup --show -f /tmp/*/*.raw
-ALL ALL=(root) NOPASSWD: /sbin/losetup -d /dev/loop*
-ALL ALL=(root) NOPASSWD: /sbin/partprobe /dev/loop*
-ALL ALL=(root) NOPASSWD: /sbin/kpartx -avr /tmp/*/*.raw
-ALL ALL=(root) NOPASSWD: /sbin/kpartx -d /tmp/*/*.raw
-ALL ALL=(root) NOPASSWD: /usr/bin/du --block-size=* -x -s /tmp/*/built
-ALL ALL=(root) NOPASSWD: /bin/mount -t tmpfs tmpfs /tmp/image.*
-ALL ALL=(root) NOPASSWD: /bin/umount -f /tmp/image.*
-ALL ALL=(root) NOPASSWD: /bin/chown *\:* /tmp/image.*
-ALL ALL=(root) NOPASSWD: /bin/git clone * /tmp/image.*
-ALL ALL=(root) NOPASSWD: /bin/git reset --hard *