Steven Dake f9ccb1c882 Drop root for Horizon service
Drop root privileges for Horizon service.  It is necessary to set
a capability on the filesystem to allow binding to port 80 as a
non-root user.  I have tested this works correctly from a registry
on both CentOS and Ubuntu.

Change-Id: I4c26f28bb28b6633784e6842f3423a2425332c27
Partially-Implements: blueprint drop-root
2015-11-11 18:41:56 -05:00


# Base layer is the project's shared openstack-base image. Namespace, prefix
# and tag are filled in when this template is rendered, so the exact image is
# selected by tag and is not pinned by digest here.
FROM {{ namespace }}/{{ image_prefix }}openstack-base:{{ tag }}
# NOTE(review): the MAINTAINER value is cut off after "(" in this copy; restore
# it from the repository. MAINTAINER is deprecated in favour of LABEL.
MAINTAINER Kolla Project (
# Two install paths, selected when the template is rendered: 'binary' installs
# the distro's openstack-dashboard package, 'source' pip-installs Horizon from
# an archive in the build context.
{% if install_type == 'binary' %}
{% if base_distro in ['centos', 'fedora', 'oraclelinux', 'rhel'] %}
# Install the dashboard, Apache and mod_wsgi, dropping the yum cache in the
# same layer, and create the unprivileged horizon user and group.
# `Listen 80` is commented out of the stock httpd.conf (presumably the listener
# is supplied by configuration at runtime - confirm).
# NOTE(review): static/ is given to apache here, while the source path below
# gives its static directory to horizon and the image ends with USER horizon;
# confirm which account actually needs write access.
# NOTE(review): chown -R horizon: on /etc/openstack-dashboard lets the web
# process rewrite its own settings; narrow this if read access is enough.
RUN yum -y install \
openstack-dashboard \
httpd \
mod_wsgi \
&& yum clean all \
&& chown -R apache: /usr/share/openstack-dashboard/static \
&& useradd --user-group horizon \
&& sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
&& ln -s /usr/share/openstack-dashboard/openstack_dashboard /usr/lib/python2.7/site-packages/openstack_dashboard \
&& ln -s /usr/share/openstack-dashboard/static /usr/lib/python2.7/site-packages/static \
&& chown -R horizon: /etc/openstack-dashboard
# Serve the dashboard from / instead of /dashboard/, then run the collectstatic
# and compress management commands at build time.
# NOTE(review): the cp and python arguments end in a bare directory
# ("/usr/bin/") in this copy; a file name appears to be missing - restore it
# from the repository before building.
RUN sed -i "s|WEBROOT = '/dashboard/'|WEBROOT = '/'|" /etc/openstack-dashboard/local_settings \
&& cp /usr/share/openstack-dashboard/ /usr/bin/ \
&& /usr/bin/python /usr/bin/ collectstatic --noinput --clear \
&& /usr/bin/python /usr/bin/ compress --force
{% endif %}
# NOTE(review): on the binary path no packages are installed and no horizon
# user is created for other distros, yet the image still ends with USER horizon.
{% elif install_type == 'source' %}
{% if base_distro in ['centos', 'fedora', 'oraclelinux', 'rhel'] %}
# Apache and mod_wsgi only; Horizon itself comes from the source archive below.
RUN yum install -y \
httpd \
mod_wsgi \
&& yum clean all \
&& sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
{% elif base_distro in ['ubuntu', 'debian'] %}
# `echo > ports.conf` empties Apache's default port configuration.
# NOTE(review): there is no apt-get update in this layer, so the install relies
# on package lists already present in the base image - confirm.
RUN apt-get install -y --no-install-recommends \
apache2 \
libapache2-mod-wsgi \
&& echo > /etc/apache2/ports.conf \
&& apt-get clean
{% endif %}
# ADD (not COPY) is used, presumably so a local tar archive is unpacked into
# /horizon-source - confirm. The archive's integrity is not checked here; the
# image contains whatever the build context supplied.
ADD horizon-archive /horizon-source
# Install Horizon with pip under the upper-constraints file, create the horizon
# user and group, populate /etc/openstack-dashboard, run collectstatic and
# compress, and hand the config, home and static directories to horizon.
# NOTE(review): `horizon-source/*`, `horizon` and `requirements/...` are
# relative paths, resolved against the working directory inherited from the
# base image (presumably / - confirm); the glob must match exactly one entry.
# NOTE(review): several cp/python arguments end in a bare directory in this
# copy; a file name appears to be missing - restore it from the repository.
# NOTE(review): chown -R horizon: on /etc/openstack-dashboard lets the web
# process rewrite its own settings; narrow this if read access is enough.
RUN ln -s horizon-source/* horizon \
&& pip --no-cache-dir install -c requirements/upper-constraints.txt /horizon \
&& useradd --user-group horizon \
&& mkdir -p /etc/openstack-dashboard /home/horizon \
&& ln -s /etc/openstack-dashboard/local_settings /usr/lib/python2.7/site-packages/openstack_dashboard/local/ \
&& cp -r /horizon/openstack_dashboard/conf/* /etc/openstack-dashboard/ \
&& cp /horizon/openstack_dashboard/local/ /etc/openstack-dashboard/local_settings \
&& cp /horizon/ /usr/bin/ \
&& /usr/bin/python /usr/bin/ collectstatic --noinput --clear \
&& /usr/bin/python /usr/bin/ compress --force \
&& chown -R horizon: /etc/openstack-dashboard /home/horizon /usr/lib/python2.7/site-packages/static
{% endif %}
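# Grant only the NET_BIND_SERVICE capability to the httpd/apache2 binary so it
# can bind ports below 1024 without root (the image ends with USER horizon).
# The capability is attached to the file, so it applies to any account that can
# execute the binary. It is not granted when the container runs with
# no-new-privileges or with NET_BIND_SERVICE dropped, in which case the server
# cannot bind a low port.
# Make the pidfile and log directories writable by the horizon user.
# debian is handled together with ubuntu because the source install path
# installs apache2 for both; this assumes setcap is available in the debian
# base image as it is for ubuntu - confirm.
{% if base_distro in ['centos', 'fedora', 'oraclelinux', 'rhel'] %}
RUN setcap 'cap_net_bind_service=ep' /usr/sbin/httpd \
    && chown horizon: /run/httpd /etc/httpd/logs
{% elif base_distro in ['ubuntu', 'debian'] %}
RUN setcap 'cap_net_bind_service=ep' /usr/sbin/apache2 \
    && chown -R horizon: /var/run/apache2 /var/log/apache2
{% endif %}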
# NOTE(review): COPY needs a source and a destination; only the destination is
# present in this copy - restore the source path from the repository.
COPY /usr/local/bin/kolla_extend_start
# Make the start script readable and executable by everyone but writable only
# by its owner, and add horizon to the kolla group (presumably created in the
# base image - confirm).
RUN chmod 755 /usr/local/bin/kolla_extend_start \
&& usermod -a -G kolla horizon
# From here on, including the container's main process and anything the footer
# renders, the image runs as the unprivileged horizon user.
USER horizon
{{ include_footer }}