Remove explicit sudoers requirement.

Most of our build process runs as root and the overhead of explicitly
tracking sudo commands in the shipped sudoers.d file, plus the
operational overhead of keeping the sudoers.d file updated on build
hosts over time, is now considered to be unnecessary.
Instead, we now document that the build process will expect sudo
commands to work and the operator must make this happen (either by
running as root, via sudo -E, or allowing passwordless sudo for the
build user).

Change-Id: If2628e7d0c7efde0fb99c84a217523ba29b1b38d
This commit is contained in:
Chris Jones 2013-08-02 11:34:56 +01:00 committed by Robert Collins
parent 7795c7b108
commit 357c2de681
4 changed files with 3 additions and 71 deletions

View File

@ -6,5 +6,4 @@ graft lib
graft elements graft elements
graft docs graft docs
graft scripts graft scripts
graft sudoers.d
include README.md include README.md

View File

@ -49,10 +49,6 @@ Installation
* Clone the repository locally, then add bin to your path. * Clone the repository locally, then add bin to your path.
* Copy sudoers.d/\* into your /etc/sudoers.d/. (Warning, use visudo -c -f
{filename} to check that each one parses successfully on your machine, so you
don't break your machine).
* Make sure you have qemu-img (qemu-utils package on Ubuntu/Debian, * Make sure you have qemu-img (qemu-utils package on Ubuntu/Debian,
qemu on Fedora/RHEL) and kpartx installed. qemu on Fedora/RHEL) and kpartx installed.
@ -62,6 +58,9 @@ Invocation
The scripts can generally just be run. Options can be set on the command line The scripts can generally just be run. Options can be set on the command line
or by exporting variables to override those present in lib/img-defaults. -h to or by exporting variables to override those present in lib/img-defaults. -h to
get help. get help.
The image building scripts expect to be able to invoke commands with sudo, so if you
want them to run non-interactively, you should either run them as root, with
sudo -E, or allow your build user to run any sudo command without password.
Using the variable ELEMENTS\_PATH will allow to specify multiple elements locations. Using the variable ELEMENTS\_PATH will allow to specify multiple elements locations.
It's a colon (:) separated path list, and it will work in a first path/element found, It's a colon (:) separated path list, and it will work in a first path/element found,

View File

@ -185,7 +185,6 @@ function arg_to_elements() {
IMAGE_ELEMENT="ramdisk $IMAGE_ELEMENT" IMAGE_ELEMENT="ramdisk $IMAGE_ELEMENT"
fi fi
echo "Building elements: $IMAGE_ELEMENT" echo "Building elements: $IMAGE_ELEMENT"
echo "If prompted for sudo, install sudoers.d/img-build-sudoers into /etc/sudoers.d and restart the build."
IMAGE_ELEMENT=$($SCRIPT_HOME/element-info --expand-dependencies $IMAGE_ELEMENT) IMAGE_ELEMENT=$($SCRIPT_HOME/element-info --expand-dependencies $IMAGE_ELEMENT)

View File

@ -1,65 +0,0 @@
# Copyright 2012 Hewlett-Packard Development Company, L.P.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
ALL ALL=(root) NOPASSWD: /bin/chmod * /tmp/*/mnt/*
ALL ALL=(root) NOPASSWD: /bin/dd of=/tmp/*/mnt/*
ALL ALL=(root) NOPASSWD: /bin/ln -sf * /tmp/*/mnt/*
ALL ALL=(root) NOPASSWD: /bin/mkdir -p /tmp/*/mnt/*
ALL ALL=(root) NOPASSWD: /bin/mkdir /tmp/*/mnt/*
ALL ALL=(root) NOPASSWD: /bin/mount --bind /dev /tmp/*/mnt/dev
ALL ALL=(root) NOPASSWD: /bin/mount --bind /tmp/*/hooks /tmp/*/mnt/tmp/in_target.d
ALL ALL=(root) NOPASSWD: /bin/mount --bind */.cache/image-create/ccache /tmp/*/mnt/tmp/ccache
ALL ALL=(root) NOPASSWD: /bin/mount -o remount\,ro\,bind /tmp/*/hooks /tmp/*/mnt/tmp/in_target.d
ALL ALL=(root) NOPASSWD: /bin/mount -t proc none /tmp/*/mnt/proc
ALL ALL=(root) NOPASSWD: /bin/mount -t sysfs none /tmp/*/mnt/sys
ALL ALL=(root) NOPASSWD: /bin/mount /dev/nbd0* /tmp/*/mnt
ALL ALL=(root) NOPASSWD: /bin/mount /dev/loop* /tmp/*/mnt
ALL ALL=(root) NOPASSWD: /bin/mount /dev/mapper/loop* /tmp/*/mnt
ALL ALL=(root) NOPASSWD: /bin/mv /tmp/*/mnt/* /tmp/*/mnt/*
ALL ALL=(root) NOPASSWD: /bin/mv -t /tmp/*/mnt /tmp/*/built/*
ALL ALL=(root) NOPASSWD: /bin/rm -* /tmp/*/mnt
ALL ALL=(root) NOPASSWD: /bin/rm -* /tmp/*/mnt/*
ALL ALL=(root) NOPASSWD: /bin/rm -* /tmp/*/built
ALL ALL=(root) NOPASSWD: /bin/rmdir /tmp/*/mnt/*
ALL ALL=(root) NOPASSWD: /bin/tar -C /tmp/*/mnt -xzf /*/.cache/image-create/*
ALL ALL=(root) NOPASSWD: /bin/umount -f /tmp/*/mnt
ALL ALL=(root) NOPASSWD: /bin/umount -f /tmp/*/mnt/dev
ALL ALL=(root) NOPASSWD: /bin/umount -f /tmp/*/mnt/proc
ALL ALL=(root) NOPASSWD: /bin/umount -f /tmp/*/mnt/sys
ALL ALL=(root) NOPASSWD: /bin/umount -f /tmp/*/mnt/tmp/in_target.d
ALL ALL=(root) NOPASSWD: /sbin/mkfs -E resize=274877906944 -t ext4 -L cloudimg-rootfs /dev/loop*
ALL ALL=(root) NOPASSWD: /sbin/mkfs -i 4096 -E resize=274877906944 -t ext4 -L cloudimg-rootfs /dev/loop*
ALL ALL=(root) NOPASSWD: /sbin/modprobe nbd max_part=16
ALL ALL=(root) NOPASSWD: /sbin/sfdisk /dev/nbd*
ALL ALL=(root) NOPASSWD: /sbin/sfdisk /dev/loop*
ALL ALL=(root) NOPASSWD: /usr/bin/qemu-nbd -c /dev/nbd0 --cache=writeback /tmp/*/image
ALL ALL=(root) NOPASSWD: /usr/bin/qemu-nbd -d /dev/nbd0
ALL ALL=(root) NOPASSWD: /usr/bin/touch /tmp/*/mnt/*
ALL ALL=(root) NOPASSWD: /usr/bin/unlink /tmp/*/mnt/*
ALL ALL=(root) NOPASSWD: /bin/cp -t /tmp/*/mnt/etc/ -a /tmp/*/hooks/first-boot.d
ALL ALL=(root) NOPASSWD: /usr/bin/install -m 0755 -o root -g root -D */dib-run-parts /tmp/*/mnt/usr/local/bin/dib-run-parts
ALL ALL=(root) SETENV: NOPASSWD: /usr/sbin/chroot /tmp/*/mnt *
ALL ALL=(root) NOPASSWD: /sbin/losetup --show -r -f /tmp/*/*.raw
ALL ALL=(root) NOPASSWD: /sbin/losetup --show -f /tmp/*/*.raw
ALL ALL=(root) NOPASSWD: /sbin/losetup -d /dev/loop*
ALL ALL=(root) NOPASSWD: /sbin/partprobe /dev/loop*
ALL ALL=(root) NOPASSWD: /sbin/kpartx -avr /tmp/*/*.raw
ALL ALL=(root) NOPASSWD: /sbin/kpartx -d /tmp/*/*.raw
ALL ALL=(root) NOPASSWD: /usr/bin/du --block-size=* -x -s /tmp/*/built
ALL ALL=(root) NOPASSWD: /bin/mount -t tmpfs tmpfs /tmp/image.*
ALL ALL=(root) NOPASSWD: /bin/umount -f /tmp/image.*
ALL ALL=(root) NOPASSWD: /bin/chown *\:* /tmp/image.*
ALL ALL=(root) NOPASSWD: /bin/git clone * /tmp/image.*
ALL ALL=(root) NOPASSWD: /bin/git reset --hard *