tools for building cloud images in the buildsystem
Kevin Fenzi
kevin at scrye.com
Tue Nov 13 04:20:03 UTC 2012
On Mon, 12 Nov 2012 21:41:59 -0500
Matthew Miller <mattdm at fedoraproject.org> wrote:
> On Mon, Nov 12, 2012 at 08:22:17PM -0600, Nick Bebout wrote:
> > > this criteria may be tricky... There's just not that many of us.
> > Plus a lot of the releng people like kevin and dgilmore are in
> > sysadmin-main which has admin access everywhere.
>
> Worrying about this kind of thing is officially outside my scope, but
> I really think it's good practice. Even when we have awesome people
> we really know we can trust.
Sure. Problem is we need some people to maintain the system, so they
need some level of access to do that, apply updates, etc.
That said, things like updates or sudo calls or the like are logged and
watched (at least I do look at all the sudo's and logins)
I think we are getting a bit in the weeds here tho...
> That said, it is probably reasonable to have different access
> methods, so that users *could* theoretically access the backend
> system, they'd at the very least do so through different channels and
> when intentionally wearing a different (mental) hat.
Right.
Ideally the process logs and saves off everything it does, and if there
needs to be a backend change thats logged and audited as well.
Trust, but verify.
Really the things koji has going for it in this is that it has a
database thats a easy place to store and view audit logs for things
like this. So you can say "hey, the f18 beta image, how was it made"
and can easily find the logs and look thought them. We could easily
setup something that does something similar with a cloud instance, just
needs more tooling.
kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/infrastructure/attachments/20121112/c8b77653/attachment.sig>
More information about the infrastructure
mailing list