[one-users] sudo setup on hosts using LVM

[Jaime Melis]

Hi,

that was a matter of debate during the development of LVM support in
OpenNebula. We finally concluded that the best option was to use
/sbin/<command name> directly, that way sysadmins can choose to permit to
the oneadmin user sudo access only to a certain subset of LVM commands
instead of all of them.

We listed in the sudoers file only the commands we used in the TM scripts:
oneadmin ALL=NOPASSWD: /sbin/lvcreate, /sbin/lvremove, /sbin/lvs, /bin/dd

If you are thinking of extending the TM scripts and require more lvm
commands the alternative you suggest should work very nicely. You would need
to modify the TM scripts to call lvm <command> instead of <command>
directly, but that shouldn't be a problem.

regards,
Jaime



On Thu, Nov 5, 2009 at 5:52 PM, Shi Jin <jinzishuai at gmail.com> wrote:

> Hi there,
>
> I think we have to enable the oneadmin user to run the lvm commands on
> the host using LVM, right?
> Currently, this works for me in the /etc/sudoer
> oneadmin ALL=(ALL) NOPASSWD: /sbin/lv* *
> However, this is not a very general case since there are other lvm
> commands such as vgdisplay.
> The fact that all those commands are aliases to the /sbin/lvm command
> make it easy.
> If we have
> oneadmin ALL=(ALL) NOPASSWD: /sbin/lvm *
> then we can run sudo lvm vgdisplay or any lvm command without password
> as oneadmin.
> However, this requires all the lvm commands executed in the format of
> /sbin/lvm <command name> instead of the /sbin/<command name> directly.
>
> Do you think this is a good way to setup the OpenNebula LVM code?
> Thanks.
> --
> Shi Jin, Ph.D.
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opennebula.org/pipermail/users-opennebula.org/attachments/20091105/ba7ebd2a/attachment-0003.htm>