Remove explicit sudoers requirement.
Most of our build process runs as root, and the overhead of explicitly tracking sudo commands in the shipped sudoers.d file, plus the operational overhead of keeping that file updated on build hosts over time, is now considered unnecessary. Instead, we now document that the build process expects sudo commands to work and that the operator must make this happen (either by running as root, via sudo -E, or by allowing passwordless sudo for the build user).

Change-Id: If2628e7d0c7efde0fb99c84a217523ba29b1b38d
This commit is contained in:
parent
7795c7b108
commit
357c2de681
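--- a/PATH_NOT_SHOWN_1
+++ b/PATH_NOT_SHOWN_1
@@ -6,5 +6,4 @@ graft lib
 graft elements
 graft docs
 graft scripts
-graft sudoers.d
 include README.md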
@ -49,10 +49,6 @@ Installation
* Clone the repository locally, then add bin to your path.
* Clone the repository locally, then add bin to your path.
* Copy sudoers.d/\* into your /etc/sudoers.d/. (Warning, use visudo -c -f
(unknown) to check that each one parses successfully on your machine, so you
don't break your machine).
* Make sure you have qemu-img (qemu-utils package on Ubuntu/Debian,
* Make sure you have qemu-img (qemu-utils package on Ubuntu/Debian,
qemu on Fedora/RHEL) and kpartx installed.
qemu on Fedora/RHEL) and kpartx installed.
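--- a/README.md
+++ b/README.md
@@ -62,6 +58,9 @@ Invocation
 The scripts can generally just be run. Options can be set on the command line
 or by exporting variables to override those present in lib/img-defaults. -h to
 get help.
+The image building scripts expect to be able to invoke commands with sudo, so if you
+want them to run non-interactively, you should either run them as root, with
+sudo -E, or allow your build user to run any sudo command without password.
 
 Using the variable ELEMENTS\_PATH will allow to specify multiple elements locations.
 It's a colon (:) separated path list, and it will work in a first path/element found,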
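--- a/PATH_NOT_SHOWN_2
+++ b/PATH_NOT_SHOWN_2
@@ -185,7 +185,6 @@ function arg_to_elements() {
 IMAGE_ELEMENT="ramdisk $IMAGE_ELEMENT"
 fi
 echo "Building elements: $IMAGE_ELEMENT"
-echo "If prompted for sudo, install sudoers.d/img-build-sudoers into /etc/sudoers.d and restart the build."
 
 IMAGE_ELEMENT=$($SCRIPT_HOME/element-info --expand-dependencies $IMAGE_ELEMENT)
 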
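Review bot: With the hint on the removed echo line gone, a build whose sudo still needs a password now stops at an interactive prompt part-way through (or, without a controlling terminal, fails with sudo's no-terminal error) and nothing in the script tells the operator what the commit message now requires. A non-interactive preflight (`sudo -n true` when not already root) would fail fast with the same guidance that moved to the README, before any image state is created; arg_to_elements begins and ends outside this hunk, so the check belongs where the script starts rather than in this function. It is also worth saying plainly, in the same message, that the deleted sudoers.d file was a scoped allowlist and the replacement is unrestricted sudo for the build user, so operators can choose to run the whole build as root on a dedicated build host instead. Rendered page drops leading indentation, so the exact placement inside the script is not visible here.
```shell
# Preflight, run before arg_to_elements is called: fail fast if sudo would prompt.
if [[ $EUID -ne 0 ]] && ! sudo -n true 2>/dev/null; then
    echo "sudo must work without a password: run as root, via sudo -E, or grant the build user passwordless sudo (see README)" >&2
    exit 1
fi
# … unchanged: arg_to_elements body …
```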
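--- a/sudoers.d/img-build-sudoers
+++ /dev/null
@@ -1,65 +0,0 @@
-# Copyright 2012 Hewlett-Packard Development Company, L.P.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-ALL ALL=(root) NOPASSWD: /bin/chmod * /tmp/*/mnt/*
-ALL ALL=(root) NOPASSWD: /bin/dd of=/tmp/*/mnt/*
-ALL ALL=(root) NOPASSWD: /bin/ln -sf * /tmp/*/mnt/*
-ALL ALL=(root) NOPASSWD: /bin/mkdir -p /tmp/*/mnt/*
-ALL ALL=(root) NOPASSWD: /bin/mkdir /tmp/*/mnt/*
-ALL ALL=(root) NOPASSWD: /bin/mount --bind /dev /tmp/*/mnt/dev
-ALL ALL=(root) NOPASSWD: /bin/mount --bind /tmp/*/hooks /tmp/*/mnt/tmp/in_target.d
-ALL ALL=(root) NOPASSWD: /bin/mount --bind */.cache/image-create/ccache /tmp/*/mnt/tmp/ccache
-ALL ALL=(root) NOPASSWD: /bin/mount -o remount\,ro\,bind /tmp/*/hooks /tmp/*/mnt/tmp/in_target.d
-ALL ALL=(root) NOPASSWD: /bin/mount -t proc none /tmp/*/mnt/proc
-ALL ALL=(root) NOPASSWD: /bin/mount -t sysfs none /tmp/*/mnt/sys
-ALL ALL=(root) NOPASSWD: /bin/mount /dev/nbd0* /tmp/*/mnt
-ALL ALL=(root) NOPASSWD: /bin/mount /dev/loop* /tmp/*/mnt
-ALL ALL=(root) NOPASSWD: /bin/mount /dev/mapper/loop* /tmp/*/mnt
-ALL ALL=(root) NOPASSWD: /bin/mv /tmp/*/mnt/* /tmp/*/mnt/*
-ALL ALL=(root) NOPASSWD: /bin/mv -t /tmp/*/mnt /tmp/*/built/*
-ALL ALL=(root) NOPASSWD: /bin/rm -* /tmp/*/mnt
-ALL ALL=(root) NOPASSWD: /bin/rm -* /tmp/*/mnt/*
-ALL ALL=(root) NOPASSWD: /bin/rm -* /tmp/*/built
-ALL ALL=(root) NOPASSWD: /bin/rmdir /tmp/*/mnt/*
-ALL ALL=(root) NOPASSWD: /bin/tar -C /tmp/*/mnt -xzf /*/.cache/image-create/*
-ALL ALL=(root) NOPASSWD: /bin/umount -f /tmp/*/mnt
-ALL ALL=(root) NOPASSWD: /bin/umount -f /tmp/*/mnt/dev
-ALL ALL=(root) NOPASSWD: /bin/umount -f /tmp/*/mnt/proc
-ALL ALL=(root) NOPASSWD: /bin/umount -f /tmp/*/mnt/sys
-ALL ALL=(root) NOPASSWD: /bin/umount -f /tmp/*/mnt/tmp/in_target.d
-ALL ALL=(root) NOPASSWD: /sbin/mkfs -E resize=274877906944 -t ext4 -L cloudimg-rootfs /dev/loop*
-ALL ALL=(root) NOPASSWD: /sbin/mkfs -i 4096 -E resize=274877906944 -t ext4 -L cloudimg-rootfs /dev/loop*
-ALL ALL=(root) NOPASSWD: /sbin/modprobe nbd max_part=16
-ALL ALL=(root) NOPASSWD: /sbin/sfdisk /dev/nbd*
-ALL ALL=(root) NOPASSWD: /sbin/sfdisk /dev/loop*
-ALL ALL=(root) NOPASSWD: /usr/bin/qemu-nbd -c /dev/nbd0 --cache=writeback /tmp/*/image
-ALL ALL=(root) NOPASSWD: /usr/bin/qemu-nbd -d /dev/nbd0
-ALL ALL=(root) NOPASSWD: /usr/bin/touch /tmp/*/mnt/*
-ALL ALL=(root) NOPASSWD: /usr/bin/unlink /tmp/*/mnt/*
-ALL ALL=(root) NOPASSWD: /bin/cp -t /tmp/*/mnt/etc/ -a /tmp/*/hooks/first-boot.d
-ALL ALL=(root) NOPASSWD: /usr/bin/install -m 0755 -o root -g root -D */dib-run-parts /tmp/*/mnt/usr/local/bin/dib-run-parts
-ALL ALL=(root) SETENV: NOPASSWD: /usr/sbin/chroot /tmp/*/mnt *
-ALL ALL=(root) NOPASSWD: /sbin/losetup --show -r -f /tmp/*/*.raw
-ALL ALL=(root) NOPASSWD: /sbin/losetup --show -f /tmp/*/*.raw
-ALL ALL=(root) NOPASSWD: /sbin/losetup -d /dev/loop*
-ALL ALL=(root) NOPASSWD: /sbin/partprobe /dev/loop*
-ALL ALL=(root) NOPASSWD: /sbin/kpartx -avr /tmp/*/*.raw
-ALL ALL=(root) NOPASSWD: /sbin/kpartx -d /tmp/*/*.raw
-ALL ALL=(root) NOPASSWD: /usr/bin/du --block-size=* -x -s /tmp/*/built
-ALL ALL=(root) NOPASSWD: /bin/mount -t tmpfs tmpfs /tmp/image.*
-ALL ALL=(root) NOPASSWD: /bin/umount -f /tmp/image.*
-ALL ALL=(root) NOPASSWD: /bin/chown *\:* /tmp/image.*
-ALL ALL=(root) NOPASSWD: /bin/git clone * /tmp/image.*
-ALL ALL=(root) NOPASSWD: /bin/git reset --hard *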