Service users and permissions

During IBM® Cloud Infrastructure Center installation, several operating system user accounts are created for the services that make up IBM Cloud Infrastructure Center (for example, nova, for the OpenStack compute service). For improved security, the services are launched and run as those users rather than as root. Because a service might in some cases need to run a command that is restricted to root, IBM Cloud Infrastructure Center also configures filters that allow root access for specific commands through sudo.

Make sure the sudoers file contains the line #includedir /etc/sudoers.d/ so that this sudo access is not blocked. This follows the OpenStack model. In some cases these service accounts are also used to secure inter-service communication, using complex random passwords.
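One way to script the include check described above, as an added example that is not part of the IBM documentation. The function names are hypothetical, and the rule about skipped file names comes from sudoers(5) rather than from this page.

```shell
#!/bin/sh
# Added example: confirm that sudoers drop-ins in a directory are really read.

# has_includedir SUDOERS_FILE DROPIN_DIR
# Returns 0 when SUDOERS_FILE has an active include directive for DROPIN_DIR.
# "#includedir" is a directive despite the leading "#"; "# includedir" (with a
# space) is an ordinary comment. sudo 1.9.1 and later also accept "@includedir".
has_includedir() {
    awk -v want="${2%/}" '
        /^[ \t]*[#@]includedir[ \t]+/ {
            path = $0
            sub(/^[ \t]*[#@]includedir[ \t]+/, "", path)  # drop the keyword
            sub(/[ \t\r]+$/, "", path)                     # trailing blanks
            gsub(/^"|"$/, "", path)                        # optional quotes
            sub(/\/$/, "", path)                           # trailing slash
            if (path == want) found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# skipped_dropins DROPIN_DIR
# Prints the names of files that sudo silently skips in an include directory:
# any name that contains "." or ends in "~". Rules in such a file never apply.
skipped_dropins() {
    for f in "$1"/* "$1"/.[!.]*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case $name in
            *.*|*'~') printf '%s\n' "$name" ;;
        esac
    done
}

# Run against a real system when called with two arguments, for example:
#   sh check_sudoers.sh /etc/sudoers /etc/sudoers.d
if [ "$#" -eq 2 ]; then
    has_includedir "$1" "$2" || {
        echo "no active includedir for $2 in $1" >&2
        exit 1
    }
    skipped_dropins "$2" | sed 's/^/skipped by sudo: /'
fi
```

Reading /etc/sudoers normally requires root, so run the check with the same privileges used to edit that file.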

SQL-based authentication for service users

The SQL driver is now Keystone's default identity driver for internal service users. Passwords for these service users are not set at the operating system level. Instead, service users and passwords are created in the Keystone database using the SQL driver. These credentials are used in the respective service configuration files as before.