)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"e89d3916872ed18c52d49b0f792d89fc84cdaeb2","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"31eaea93_5cf97e34","updated":"2026-01-24 11:04:22.000000000","message":"Isn\u0027t Dropbear better as a lightweight alternative to run in the containers?","commit_id":"caaacd845b8834db71f14165afeea0034c1b7f28"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"e97a4fcd7e386d256763d2934212e9c85f6bf581","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"c72613fc_fe86c68e","in_reply_to":"31eaea93_5cf97e34","updated":"2026-01-26 17:16:24.000000000","message":"Sure - but this makes it no fun: https://github.com/mkj/dropbear?tab\u003dreadme-ov-file#client-public-key-auth (and other things probably as well). It\u0027s just easier to use opensshd here.","commit_id":"caaacd845b8834db71f14165afeea0034c1b7f28"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"c916696d4912981bfac64fad3ab5e226f7231160","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"f47cb41c_9d654204","in_reply_to":"c72613fc_fe86c68e","updated":"2026-01-26 17:47:40.000000000","message":"oh, really","commit_id":"caaacd845b8834db71f14165afeea0034c1b7f28"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"84ef649c2c87f9467db86b540a1aec087b93a24f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":13,"id":"d0805e70_68278b88","updated":"2026-01-29 11:11:29.000000000","message":"recheck depends-on 
changed","commit_id":"1f83f94a266e5308bef02e01c48e7845c4c890b5"}],"docker/kolla-toolbox/ansible_sudoers":[{"author":{"_account_id":37306,"name":"Piotr Milewski","display_name":"Piotr Milewski","email":"vurmil@gmail.com","username":"vurmil"},"change_message_id":"720ea8cd955fc5d96f3302971f0454a4aa2db75c","unresolved":true,"context_lines":[{"line_number":1,"context_line":"Defaults secure_path\u003d\"/opt/ansible/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""},{"line_number":2,"context_line":""},{"line_number":3,"context_line":"ansible ALL\u003d(ALL) NOPASSWD: ALL"}],"source_content_type":"application/octet-stream","patch_set":7,"id":"7a32110f_4cca709e","line":3,"updated":"2026-01-28 11:10:47.000000000","message":"Using ansible ALL\u003d(ALL) NOPASSWD: ALL feels a bit like overkill. It’d be better to lock sudo down to just the specific commands the Ansible modules actually need in the toolbox, instead of giving anyone who jumps in via SSH full passwordless root","commit_id":"ce48b5075a52078c89c5114e81a2d1163da0fc6f"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"38e52d71fc0d87eb7ce1be86da89db3c9d21a51d","unresolved":true,"context_lines":[{"line_number":1,"context_line":"Defaults secure_path\u003d\"/opt/ansible/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""},{"line_number":2,"context_line":""},{"line_number":3,"context_line":"ansible ALL\u003d(ALL) NOPASSWD: ALL"}],"source_content_type":"application/octet-stream","patch_set":7,"id":"390fc26d_863404cc","line":3,"in_reply_to":"13b10c42_e1ddb716","updated":"2026-01-28 11:30:12.000000000","message":"Not even mentioning we don\u0027t store any data in the toolbox container - so what can you use it for? connecting to the internal API network? 
You\u0027re already in if you can access the kolla_toolbox ssh port","commit_id":"ce48b5075a52078c89c5114e81a2d1163da0fc6f"},{"author":{"_account_id":37306,"name":"Piotr Milewski","display_name":"Piotr Milewski","email":"vurmil@gmail.com","username":"vurmil"},"change_message_id":"2437191f664799b183719058efd38ad4b9c3776f","unresolved":true,"context_lines":[{"line_number":1,"context_line":"Defaults secure_path\u003d\"/opt/ansible/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""},{"line_number":2,"context_line":""},{"line_number":3,"context_line":"ansible ALL\u003d(ALL) NOPASSWD: ALL"}],"source_content_type":"application/octet-stream","patch_set":7,"id":"4c563d84_e5e77488","line":3,"in_reply_to":"390fc26d_863404cc","updated":"2026-01-28 11:39:35.000000000","message":"I get that Ansible is a bit of a special case and usually wants broad sudo rights to play nice. Still, going full ALL\u003d(ALL) feels like we\u0027re leaving the front door wide open.\n\nWe could easily tighten it up with something like: ansible ALL\u003d(root) NOPASSWD: /usr/bin/python3, /tmp/ansible-tmp-*\n\nThis covers the directories Ansible actually uses without handing over the keys to the entire kingdom. I’m mainly thinking long-term here-even if the toolbox is \u0027clean\u0027 now, we have no idea what might end up in this image down the road as the project grows.\n\nAlso, just because someone hits the SSH port and is \u0027in\u0027 the network doesn\u0027t mean we should make it easy for them. We\u0027ve seen plenty of bugs where people managed to escape containers once they got root inside. 
Keeping sudo restricted is just basic defense-in-depth to stop a simple shell access from turning into a full-blown host compromise.\n\nNot my call at the end of the day, but I figured it’s worth pointing out that we can be a bit more surgical than just using ALL.\"","commit_id":"ce48b5075a52078c89c5114e81a2d1163da0fc6f"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"91d9f3449413f3dc4e0c22e7fe3b9a22eee2b089","unresolved":true,"context_lines":[{"line_number":1,"context_line":"Defaults secure_path\u003d\"/opt/ansible/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""},{"line_number":2,"context_line":""},{"line_number":3,"context_line":"ansible ALL\u003d(ALL) NOPASSWD: ALL"}],"source_content_type":"application/octet-stream","patch_set":7,"id":"dd4f87f3_917123f8","line":3,"in_reply_to":"4c563d84_e5e77488","updated":"2026-01-28 12:32:35.000000000","message":"I\u0027ll try first to get rid of become totally, because that should be doable.","commit_id":"ce48b5075a52078c89c5114e81a2d1163da0fc6f"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"f726897b0efce0ba9128418665779154c69acc48","unresolved":true,"context_lines":[{"line_number":1,"context_line":"Defaults secure_path\u003d\"/opt/ansible/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""},{"line_number":2,"context_line":""},{"line_number":3,"context_line":"ansible ALL\u003d(ALL) NOPASSWD: ALL"}],"source_content_type":"application/octet-stream","patch_set":7,"id":"13b10c42_e1ddb716","line":3,"in_reply_to":"7a32110f_4cca709e","updated":"2026-01-28 11:17:00.000000000","message":"How? 
https://docs.ansible.com/projects/ansible/latest/playbook_guide/playbooks_privilege_escalation.html#privilege-escalation-must-be-general","commit_id":"ce48b5075a52078c89c5114e81a2d1163da0fc6f"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"15a0ce1643ff6e88e4e207ae5e0fdc926a973c52","unresolved":false,"context_lines":[{"line_number":1,"context_line":"Defaults secure_path\u003d\"/opt/ansible/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""},{"line_number":2,"context_line":""},{"line_number":3,"context_line":"ansible ALL\u003d(ALL) NOPASSWD: ALL"}],"source_content_type":"application/octet-stream","patch_set":7,"id":"9463fa2a_85939a7e","line":3,"in_reply_to":"dd4f87f3_917123f8","updated":"2026-01-29 09:53:15.000000000","message":"Done","commit_id":"ce48b5075a52078c89c5114e81a2d1163da0fc6f"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"319549bb0173cabd4e852dc92db2a9a469e16b65","unresolved":true,"context_lines":[{"line_number":1,"context_line":"Defaults secure_path\u003d\"/opt/ansible/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""},{"line_number":2,"context_line":""},{"line_number":3,"context_line":"ansible ALL\u003d(rabbitmq) NOPASSWD: /opt/ansible/bin/python3, /tmp/ansible-tmp-*"}],"source_content_type":"application/octet-stream","patch_set":9,"id":"37e15cd8_4899f1f3","line":3,"updated":"2026-01-28 14:19:31.000000000","message":"That doesn\u0027t work, don\u0027t have time to investigate now - going with the flow of Ansible docs","commit_id":"ad17fa96488cdb9785e9386053019c11372d87d8"}],"docker/kolla-toolbox/extend_start.sh":[{"author":{"_account_id":37306,"name":"Piotr Milewski","display_name":"Piotr 
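Review bot: The narrowed rule quoted in the patch-set 9 context line, `ansible ALL=(rabbitmq) NOPASSWD: /opt/ansible/bin/python3, /tmp/ansible-tmp-*`, is not materially tighter than `ALL`: a NOPASSWD entry for an interpreter lets the caller run arbitrary code as the target user, and a glob under a directory the caller can normally write to (`/tmp`) lets them sudo any file they drop there with that prefix, so the rule grants full `rabbitmq`-equivalent execution while looking restricted. If `become` can be removed from the toolbox playbooks, the file goes away and the question is moot; if a sudoers file has to stay, the defensible forms are either a fixed non-interpreter command list or an explicit `ALL` with the trade-off written down rather than a pseudo-restriction. In that case the file should open with a comment such as `# Ansible 'become' needs unrestricted sudo here; anyone who can reach this container's SSH port is root-equivalent inside it` so an operator reading the image sees the accepted risk. Whether patch-set 9 is the final state of this file is not visible from this thread.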
Milewski","email":"vurmil@gmail.com","username":"vurmil"},"change_message_id":"720ea8cd955fc5d96f3302971f0454a4aa2db75c","unresolved":true,"context_lines":[{"line_number":13,"context_line":"mkdir -p /var/lib/ansible/.ssh"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"if [[ $(stat -c %U:%G /var/lib/ansible/.ssh) !\u003d \"ansible:ansible\" ]]; then"},{"line_number":16,"context_line":"    sudo chown ansible:ansible /var/lib/ansible/.ssh"},{"line_number":17,"context_line":"fi"}],"source_content_type":"text/x-sh","patch_set":7,"id":"ece16979_a2662e9c","line":16,"range":{"start_line":16,"start_character":4,"end_line":16,"end_character":27},"updated":"2026-01-28 11:10:47.000000000","message":"we should probably add sudo chmod 600 /var/lib/ansible/.ssh/authorized_keys as a safeguard. I know Kolla usually handles permissions during deployment, but having it explicitly in the container\u0027s startup script is a solid \u0027insurance policy\u0027","commit_id":"ce48b5075a52078c89c5114e81a2d1163da0fc6f"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"15a0ce1643ff6e88e4e207ae5e0fdc926a973c52","unresolved":false,"context_lines":[{"line_number":13,"context_line":"mkdir -p /var/lib/ansible/.ssh"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"if [[ $(stat -c %U:%G /var/lib/ansible/.ssh) !\u003d \"ansible:ansible\" ]]; then"},{"line_number":16,"context_line":"    sudo chown ansible:ansible /var/lib/ansible/.ssh"},{"line_number":17,"context_line":"fi"}],"source_content_type":"text/x-sh","patch_set":7,"id":"f4f3d0c3_ed04f31d","line":16,"range":{"start_line":16,"start_character":4,"end_line":16,"end_character":27},"in_reply_to":"72ff2efb_6b2e1df2","updated":"2026-01-29 09:53:15.000000000","message":"Done","commit_id":"ce48b5075a52078c89c5114e81a2d1163da0fc6f"},{"author":{"_account_id":37306,"name":"Piotr Milewski","display_name":"Piotr 
Milewski","email":"vurmil@gmail.com","username":"vurmil"},"change_message_id":"4105ba21bc8a95094ca7e36001c146b98c026680","unresolved":true,"context_lines":[{"line_number":13,"context_line":"mkdir -p /var/lib/ansible/.ssh"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"if [[ $(stat -c %U:%G /var/lib/ansible/.ssh) !\u003d \"ansible:ansible\" ]]; then"},{"line_number":16,"context_line":"    sudo chown ansible:ansible /var/lib/ansible/.ssh"},{"line_number":17,"context_line":"fi"}],"source_content_type":"text/x-sh","patch_set":7,"id":"72ff2efb_6b2e1df2","line":16,"range":{"start_line":16,"start_character":4,"end_line":16,"end_character":27},"in_reply_to":"851a6ace_abe8aa73","updated":"2026-01-28 13:08:05.000000000","message":"Fair point that it\u0027s just a public key. However, the issue isn\u0027t really about data leakage, but about SSH being notoriously picky. If for any reason those permissions drift or get messed up during a manual intervention, SSH will simply ignore the file and block access entirely.\n\nBeyond just the templating, we have to consider that manual changes or typos in config.json can easily lead to permission mismatches during boot; having this explicitly in the script acts as a safety net against such human errors, and since it costs us nothing in terms of performance while saving us a \u0027Permission denied\u0027 headache later, it’s a solid insurance policy for keeping the environment consistent and SSH-ready.","commit_id":"ce48b5075a52078c89c5114e81a2d1163da0fc6f"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"15337a84f9ebb169d977e64eb00adaf5a5886889","unresolved":false,"context_lines":[{"line_number":13,"context_line":"mkdir -p /var/lib/ansible/.ssh"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"if [[ $(stat -c %U:%G /var/lib/ansible/.ssh) !\u003d \"ansible:ansible\" ]]; 
then"},{"line_number":16,"context_line":"    sudo chown ansible:ansible /var/lib/ansible/.ssh"},{"line_number":17,"context_line":"fi"}],"source_content_type":"text/x-sh","patch_set":7,"id":"851a6ace_abe8aa73","line":16,"range":{"start_line":16,"start_character":4,"end_line":16,"end_character":27},"in_reply_to":"ece16979_a2662e9c","updated":"2026-01-28 11:28:47.000000000","message":"We template it in with required rights in kolla-ansible, and it\u0027s only authorized_keys - what can you do with it? Get a public key?","commit_id":"ce48b5075a52078c89c5114e81a2d1163da0fc6f"}]}
