openstack
/
kolla
Code Issues Proposed changes

Configure sudoers for zun containers 

Zun processes were run as user 'root' in before. This is undesirable
for several reasons (i.e. security, privsep). This patch make the
Zun processes run as 'zun' user, which aligns with the practice of
other containers.

Change-Id: I0d3111f0ca6301d6f22410fe5fd5a2dbf586e691
Closes-Bug: #1787760
This commit is contained in:
Hongbin Lu 2018-08-18 21:52:26 +00:00
parent 8d44e3b5a4
commit 0b2682e489
5 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docker/zun/zun-api/Dockerfile.j2
View File

@ -15,3 +15,5 @@ RUN chmod 755 /usr/local/bin/kolla_zun_extend_start
{% block zun_api_footer %}{% endblock %}
{% block footer %}{% endblock %}
USER zun

5
docker/zun/zun-base/Dockerfile.j2
View File

@ -56,9 +56,12 @@ RUN ln -s zun-base-source/* zun \
{% endif %}
COPY zun_sudoers /etc/sudoers.d/kolla_zun_sudoers
COPY extend_start.sh /usr/local/bin/kolla_extend_start
RUN touch /usr/local/bin/kolla_zun_extend_start \
RUN chmod 750 /etc/sudoers.d \
&& chmod 640 /etc/sudoers.d/kolla_zun_sudoers \
&& touch /usr/local/bin/kolla_zun_extend_start \
&& chmod 755 /var/www/cgi-bin/zun \
&& chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_zun_extend_start

1
docker/zun/zun-base/zun_sudoers Normal file
View File

@ -0,0 +1 @@
zun ALL=(root) NOPASSWD: /var/lib/kolla/venv/bin/zun-rootwrap /etc/zun/rootwrap.conf *

2
docker/zun/zun-compute/Dockerfile.j2
View File

@ -12,3 +12,5 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
{% block zun_compute_footer %}{% endblock %}
{% block footer %}{% endblock %}
USER zun

2
docker/zun/zun-wsproxy/Dockerfile.j2
View File

@ -12,3 +12,5 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
{% block zun_wsproxy_footer %}{% endblock %}
{% block footer %}{% endblock %}
USER zun