- Getting Started
- Building Blocks
- Application Onboarding
- Reference Architectures
- Edge Applications
- Cloud Adapters
- Development Kits
- Release history
SPDX-License-Identifier: Apache-2.0 Copyright (c) 2021 Intel Corporation
The non-root user on the OpenNESS Platform
OpenNESS provides a possibility to install all required files on a Kubernetes control plane and nodes with or without root user. From security perspective it is advised to use non-root user installation of the OpenNESS platform where all tasks are executed with non-root user’s permissions. Tasks that require root privileges use privilege escalation property “become”.
- name: Run a command as root command: whoami become: yes
NOTE: For more about privileges escalation in Ansible please refer to https://docs.ansible.com/ansible/latest/user_guide/become.html#
Steps on K8s nodes
Before Ansible installation is started a non-root user needs to be created on the machines defined in
inventory.yml . To create a user
openness execute the command:
A password for the given user is required.
As some tasks require root privileges the non-root user needs to have a possibility to become a root. For the user
openness the following command must be performed:
echo "openness ALL=(ALL) NOPASSWD:ALL" | sudo tee /etc/sudoers.d/openness
To run Ansible as a non-root user a modification in
inventory.yml is required. Setting a user in variable
ansible_user to already created non-root user will cause an execution of all tasks as non-root user specified.
--- all: vars: cluster_name: minimal_cluster flavor: minimal single_node_deployment: false limit: controller_group: hosts: ctrl.openness.org: ansible_host: 172.16.0.1 ansible_user: openness edgenode_group: hosts: node01.openness.org: ansible_host: 172.16.0.2 ansible_user: openness
Running edge apps
When deployment is done using non root user, the edge apps should also be managed using the same non root user. To run edge apps some command (e.g. docker image push) require sudo privilages, those commands should be executed with sudo privilage.