From 0b2682e489fe67a6f43596ea61291d92107c3569 Mon Sep 17 00:00:00 2001
From: Hongbin Lu
Date: Sat, 18 Aug 2018 21:52:26 +0000
Subject: [PATCH] Configure sudoers for zun containers

Zun processes were run as user 'root' in before. This is undesirable for several reasons (i.e. security, privsep). This patch make the Zun processes run as 'zun' user, which aligns with the practice of other containers.

Change-Id: I0d3111f0ca6301d6f22410fe5fd5a2dbf586e691
Closes-Bug: #1787760
---
 docker/zun/zun-api/Dockerfile.j2 | 2 ++
 docker/zun/zun-base/Dockerfile.j2 | 5 ++++-
 docker/zun/zun-base/zun_sudoers | 1 +
 docker/zun/zun-compute/Dockerfile.j2 | 2 ++
 docker/zun/zun-wsproxy/Dockerfile.j2 | 2 ++
 5 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 docker/zun/zun-base/zun_sudoers

diff --git a/docker/zun/zun-api/Dockerfile.j2 b/docker/zun/zun-api/Dockerfile.j2
index 19e73ffb05..01f665b43a 100644
--- a/docker/zun/zun-api/Dockerfile.j2
+++ b/docker/zun/zun-api/Dockerfile.j2
@@ -15,3 +15,5 @@ RUN chmod 755 /usr/local/bin/kolla_zun_extend_start
 {% block zun_api_footer %}{% endblock %}
 {% block footer %}{% endblock %}
+
+USER zun
diff --git a/docker/zun/zun-base/Dockerfile.j2 b/docker/zun/zun-base/Dockerfile.j2
index 9f502ae9c9..4e887bceef 100644
--- a/docker/zun/zun-base/Dockerfile.j2
+++ b/docker/zun/zun-base/Dockerfile.j2
@@ -56,9 +56,12 @@ RUN ln -s zun-base-source/* zun \
 {% endif %}
+COPY zun_sudoers /etc/sudoers.d/kolla_zun_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN touch /usr/local/bin/kolla_zun_extend_start \
+RUN chmod 750 /etc/sudoers.d \
+ && chmod 640 /etc/sudoers.d/kolla_zun_sudoers \
+ && touch /usr/local/bin/kolla_zun_extend_start \
 && chmod 755 /var/www/cgi-bin/zun \
 && chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_zun_extend_start
diff --git a/docker/zun/zun-base/zun_sudoers b/docker/zun/zun-base/zun_sudoers
new file mode 100644
index 0000000000..fd35f4cb57
--- /dev/null
+++ b/docker/zun/zun-base/zun_sudoers
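Review bot: The COPY of zun_sudoers at the top of the zun-base hunk makes `/etc/zun/rootwrap.conf` and the filter files it references the entire security boundary for the new NOPASSWD grant, yet the RUN that follows only fixes the mode of the sudoers file and directory, not the ownership or writability of the rootwrap config; if that config is later bind-mounted or chowned to `zun` by the deployment so the service can write it, the grant becomes unrestricted root for that user. A comment above the COPY would make the dependency explicit, e.g. `# zun gets root only through zun-rootwrap; /etc/zun/rootwrap.conf and its filters must stay root-owned and not writable by zun`, and whichever step installs those files should enforce root ownership and a non-writable mode. The `chmod 640` on the sudoers file is consistent with the other kolla images, and COPY leaves the file root-owned as sudo requires. Note that the RUN instruction continues past what is visible here: the hunk header counts nine old lines but fewer are shown, so the trailing context appears trimmed on this page.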
@@ -0,0 +1 @@
+zun ALL=(root) NOPASSWD: /var/lib/kolla/venv/bin/zun-rootwrap /etc/zun/rootwrap.conf *
diff --git a/docker/zun/zun-compute/Dockerfile.j2 b/docker/zun/zun-compute/Dockerfile.j2
index a469598ecc..23ab689f74 100644
--- a/docker/zun/zun-compute/Dockerfile.j2
+++ b/docker/zun/zun-compute/Dockerfile.j2
@@ -12,3 +12,5 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
 {% block zun_compute_footer %}{% endblock %}
 {% block footer %}{% endblock %}
+
+USER zun
diff --git a/docker/zun/zun-wsproxy/Dockerfile.j2 b/docker/zun/zun-wsproxy/Dockerfile.j2
index 67cfe1f2b9..4c14c50721 100644
--- a/docker/zun/zun-wsproxy/Dockerfile.j2
+++ b/docker/zun/zun-wsproxy/Dockerfile.j2
@@ -12,3 +12,5 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
 {% block zun_wsproxy_footer %}{% endblock %}
 {% block footer %}{% endblock %}
+
+USER zun
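Review bot: The new zun_sudoers file has no comment explaining that the trailing `*` lets sudo accept any argument string after the rootwrap config path, so the line grants every invocation of zun-rootwrap with that config and relies entirely on rootwrap's own filters to constrain what runs as root; that is the usual OpenStack rootwrap pattern but it is not obvious to someone auditing sudoers.d. I would add a leading comment line, `# zun may only run zun-rootwrap as root; the permitted commands are defined by the filters referenced from /etc/zun/rootwrap.conf`. The grant also covers only the venv path, which matches the install types this image supports today (the zun-compute and zun-wsproxy hunks still reject other install types); if a packaged install type is ever added, the corresponding binary path would need a second entry here or sudo will deny it.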
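Review bot: The `USER zun` added at the end of the zun-compute hunk drops root for a service that, judging by its name, presumably drives a container runtime over a local socket, and nothing in this image grants the `zun` user access to such a socket; the only elevation provided by this patch is the zun-rootwrap sudoers entry. If that access is expected to come from the deployment (socket group membership or mode), a comment here would record the dependency, e.g. `# Runs unprivileged: access to the container runtime socket must be granted by the deployment`. The same `USER zun` placement after the footer blocks is used in the zun-api and zun-wsproxy hunks, which is consistent with the other kolla images.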