Commit Graph

14 Commits

Author SHA1 Message Date
Radosław Piliszek 2daf4331a6 Fix writable rootwrap/privsep config
Fixes a hypothetical security issue related to privilege escalation via
rootwrap/privsep. A potentially vulnerable service could previously allow
writes to its rootwrap/privsep config and thus allow for more commands
to be run with root privileges via rootwrap/privsep. For a successful
attack, this would also require the service to allow running arbitrary
commands via rootwrap/privsep. Thus far, no such vulnerabilities have
been reported and thus this fix is simply strengthening the container
images against such an issue in the future.

Change-Id: I92c81c77e6a16570a108cde8031f7977930fb02a
Closes-Bug: #1874298
2022-10-10 15:06:05 +00:00
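The first half of the condition described in the commit message above (a rootwrap/privsep configuration that the service user can write) is something you can audit in a built image before anyone finds the second half. The following is an added example, not code from kolla or from this commit: a Python audit that judges writability from file ownership and mode bits rather than os.access, so it gives the same answer whether it is run as root or as the service user, and that also checks the parent directory, because write access to /etc/<service>/ lets a process drop a new *.filters file or swap rootwrap.conf by rename. It assumes the usual OpenStack layout under /etc/ironic-inspector/ (rootwrap.conf plus a rootwrap.d filters directory); the files it creates are constructed samples and the service uid is a stand-in, not the real ironic-inspector uid.

```python
"""Audit an image filesystem for rootwrap/privsep config writable by the service user.

Added example, not kolla's own code. The target paths follow the usual OpenStack
layout under /etc/<service>/ and are an assumption; adjust them per service.
"""
import os
import stat
import tempfile

# rootwrap reads rootwrap.conf for filters_path and then every *.filters file
# under it; anything writable here extends what runs as root.
CONFIG_TARGETS = (
    "etc/ironic-inspector/rootwrap.conf",
    "etc/ironic-inspector/rootwrap.d",
)


def audit_path(path, service_uid, service_gids=()):
    """Return (path, problem) tuples for one file or directory, from metadata only."""
    st = os.lstat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid == service_uid:
        findings.append((path, "owned by the service user (it can chmod or rewrite it)"))
    if mode & stat.S_IWOTH:
        findings.append((path, "world-writable"))
    elif mode & stat.S_IWGRP and st.st_gid in service_gids:
        findings.append((path, "group-writable by a group of the service user"))
    return findings


def audit_tree(root, service_uid, service_gids=()):
    """Audit every target under root, its parent directory, and any filters files."""
    findings = []
    for rel in CONFIG_TARGETS:
        path = os.path.join(root, rel)
        if not os.path.lexists(path):
            continue
        findings += audit_path(os.path.dirname(path), service_uid, service_gids)
        findings += audit_path(path, service_uid, service_gids)
        if os.path.isdir(path):
            for dirpath, dirnames, filenames in os.walk(path):
                for name in dirnames + filenames:
                    findings += audit_path(os.path.join(dirpath, name),
                                           service_uid, service_gids)
    # The parent directory is visited once per target; report it once.
    unique = []
    for item in findings:
        if item not in unique:
            unique.append(item)
    return unique


def build_layout(root, conf_mode, dir_mode, filters_mode):
    """Create a constructed rootwrap layout under root with the given modes."""
    conf_dir = os.path.join(root, "etc", "ironic-inspector")
    filters_dir = os.path.join(conf_dir, "rootwrap.d")
    os.makedirs(filters_dir)
    conf = os.path.join(conf_dir, "rootwrap.conf")
    with open(conf, "w") as fh:
        fh.write("[DEFAULT]\nfilters_path=/etc/ironic-inspector/rootwrap.d\n")
    filters = os.path.join(filters_dir, "ironic-inspector.filters")
    with open(filters, "w") as fh:
        fh.write("[Filters]\n# constructed sample; real filters omitted\n")
    os.chmod(conf_dir, 0o755)
    os.chmod(conf, conf_mode)
    os.chmod(filters_dir, dir_mode)
    os.chmod(filters, filters_mode)


def run_demo():
    """Audit a weak layout and a hardened one; return the finding lists.

    Files created here are owned by whoever runs the script. Auditing with that
    uid as the service uid models the 'service owns its own config' mistake;
    auditing with any other uid models a root-owned config.
    """
    service_uid = os.getuid() + 1  # assumed stand-in: any uid but the creator's
    results = {}
    with tempfile.TemporaryDirectory() as weak:
        build_layout(weak, 0o666, 0o777, 0o666)  # writable by anyone
        results["weak"] = audit_tree(weak, service_uid)
    with tempfile.TemporaryDirectory() as fixed:
        build_layout(fixed, 0o644, 0o755, 0o644)  # read-only for group/other
        results["fixed"] = audit_tree(fixed, service_uid)
        results["owned"] = audit_tree(fixed, os.getuid())  # same modes, wrong owner
    return results


if __name__ == "__main__":
    for scenario, found in run_demo().items():
        print(scenario, "->", len(found), "finding(s)")
        for path, problem in found:
            print("  ", path, ":", problem)
```

To run this against a real image, export its filesystem (for example with docker create and docker export into a directory) and call audit_tree on that directory with the uid the service actually runs as; the "owned" scenario is the one to watch for in images that chown a whole /etc/<service>/ tree to the service user for convenience.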
Marcin Juszkiewicz e21aeb5ae9 flatten images a bit
As we have one type of images now, some RUN calls could be merged so we
will have fewer layers in the resulting images.

Change-Id: I5178c58fbd8c65efe825dc249c0f1368ef0fe8e0
2022-04-21 18:53:14 +00:00
Tim Shearer 1d96a2bbe1 Adjust permissions on _extend_start files.
Explicitly set the permissions on the kolla-toolbox kolla_extend_start
file. Also, since all extend_start files are sourced rather than
executed, the executable bits are now cleared throughout the project.

Change-Id: I5c2deb4a2e33575d57c852089f856a9acc6818d0
2022-04-11 17:22:24 +02:00
Marcin Juszkiewicz 1749da2fbf docker: drop binary parts
Big patch drops all mentions of binary images support. Suggestions are
welcome on how to split it into parts or handle it better.

Change-Id: I5d5a46c6ce7734ceb8b844e17b43e359d7cac6e3
2022-04-09 17:44:26 +02:00
douyali ad1b8e20df Install iptables in ironic-inspector container
In the centos environment, ironic-inspector using the iptables filter
needs the iptables rpm package installed.

Change-Id: I67081a37977dd6de37a67fcd012e002f2e46743f
Closes-bug: #1906635
2020-12-20 02:31:00 +00:00
generalfuzz 998067b849 Run Ironic Inspector as ironic-inspector user
This patch reverts changes to the Dockerfile and configuration script
that were made to support running the service using wsgi. Ironic
Inspector does not currently support running with wsgi.

Change-Id: Idc816f25c85ef7d5cd14182fe01b652876cb181a
2020-09-25 09:37:48 -07:00
James Kirsch 9a02633faf Enable mod_wsgi in Ironic API and Inspector container
This patch modifies the Dockerfile for both the Ironic API and
Inspector so that the 'root' user executes the container setup scripts.
This enables the container httpd configuration script to execute.

Change-Id: I02b58ac571cd4eb3b9d4a814fe0cb907a3564e23
2020-08-19 16:11:46 -07:00
Christian Berendt 861f55fbfd Add block labels to all Dockerfiles
Change-Id: I9692dda817ef134d647247431565e1b58cf9da41
2020-03-01 17:25:58 +00:00
Dmitry Tantsur a1c2850620 ironic-inspector: install the dnsmasq subpackage explicitly
We are splitting the ironic-inspector package in RDO into
ironic-inspector itself and its dnsmasq service. This change
updates kolla to install both packages to avoid breakages when
RDO removes the mutual dependency between them.

Change-Id: I2acb070f725aa563781dfe5d325834e1e2675edf
2019-09-03 13:03:35 +02:00
Mark Goddard 41bcd7b496 Fix ownership of ironic inspector DHCP hostsdir
If you run with enable_ironic set to true and
ironic_inspector_pxe_filter set to dnsmasq (the default in stein),
ironic inspector can fail with the following in the logs:

Permission denied: u'/var/lib/ironic-inspector/dhcp-hostsdir/<MAC address>'

A node must be registered with a port for this to happen.

Weirdly this happens on centos/source, ubuntu/source, and ubuntu/binary,
but not centos/binary.

This change changes the ownership of
/var/lib/ironic-inspector/dhcp-hostsdir to ironic-inspector user to make
it writeable.

Change-Id: I19447727f19dbd9c0a3e17d218b48ddc4c253587
Closes-Bug: #1832026
2019-06-09 17:36:14 +01:00
Alex Schultz ae1322ec10 Use base_package_type
This change updates the docker files to use base_package_type instead
of doing specific distro checks for the rhel/deb generic cases. The
base_distro is still available and is used when a specific distro needs
a customization but if the differences are purely rpm vs deb, then the
base_package_type can be used.

Change-Id: I8d720bb185df65a0178061ccf20b1ab2265da2c5
2019-01-17 08:23:41 -07:00
Jawon Choo 31259fa595 Override image's meta info.
centos-based images have wrong label info;
these changes fix the image's own name and build-date.

Change-Id: I1d13f8f386c8db12b5fbe5f8ecbbf9e3fbb4ba1c
Closes-Bug: #1680341
2017-05-03 11:08:17 +09:00
Chen 8c463a47a9 Use LABEL instead of MAINTAINER (deprecated) in all Dockerfile.j2
Use LABEL instruction instead of MAINTAINER (deprecated) instruction
as suggested by Docker's official dockerfile guide.
docs.docker.com/engine/reference/builder/#maintainer-deprecated

Closes-Bug: #1683652

Change-Id: Ie87a1ddf31aefcd0b623fd2837d78de420e76898
2017-04-20 16:50:05 +09:00
Mark Goddard 8b63089e1c Use ironic-inspector user for ironic-inspector
This change updates the ironic-inspector image to use the
ironic-inspector user rather than the ironic user to execute the
ironic inspector service as this more closely aligns with what is
typically done by downstream packagers (specifically, Ubuntu and
RDO).

This change rebases the ironic-inspector image onto the openstack-base
image instead of the ironic-base image. We configure an
ironic-inspector user and use this to execute the ironic-inspector
service. We also configure ironic-inspector to log to
/var/log/kolla/ironic-inspector instead of the previous ironic
location.

Following this change we no longer need the workaround of a
sudoers file for the binary install type that was added in change
I8ecd0b658b8df8f38ddf717fa9443d4dc2896984.

Change-Id: Ibdc5ba35db61f4974d4282aff34bcb5ccd952d45
Closes-Bug: #1624457
2017-04-17 08:46:53 +01:00