Configure sudoers for zun containers

Zun processes were previously run as user 'root'. This is undesirable
for several reasons (e.g. security, privsep). This patch makes the
Zun processes run as the 'zun' user, which aligns with the practice of
other containers.

Change-Id: I0d3111f0ca6301d6f22410fe5fd5a2dbf586e691
Closes-Bug: #1787760
Hongbin Lu 2018-08-18 21:52:26 +00:00
parent 8d44e3b5a4
commit 0b2682e489
5 changed files with 11 additions and 1 deletions


@ -15,3 +15,5 @@ RUN chmod 755 /usr/local/bin/kolla_zun_extend_start
{% block zun_api_footer %}{% endblock %}
{% block footer %}{% endblock %}
USER zun


@ -56,9 +56,12 @@ RUN ln -s zun-base-source/* zun \
{% endif %}
COPY zun_sudoers /etc/sudoers.d/kolla_zun_sudoers
COPY extend_start.sh /usr/local/bin/kolla_extend_start
RUN touch /usr/local/bin/kolla_zun_extend_start \
RUN chmod 750 /etc/sudoers.d \
&& chmod 640 /etc/sudoers.d/kolla_zun_sudoers \
&& touch /usr/local/bin/kolla_zun_extend_start \
&& chmod 755 /var/www/cgi-bin/zun \
&& chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_zun_extend_start
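Review bot: `chmod 640 /etc/sudoers.d/kolla_zun_sudoers` grants a group-read bit that nothing needs, since sudo parses the fragment as root, while sudoers(5) documents 0440 as the mode for these files and visudo installs them that way; `&& chmod 440 /etc/sudoers.d/kolla_zun_sudoers \` is the least-privilege form. Sudo also refuses fragments that are group- or world-writable or not owned by uid 0, so the new `COPY zun_sudoers` line relying on the default root:root ownership is what keeps the rule loadable. A short comment above that COPY, e.g. `# must stay root-owned and non-writable or sudo rejects the fragment`, would stop a later `--chown` from silently breaking rootwrap.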


@ -0,0 +1 @@
zun ALL=(root) NOPASSWD: /var/lib/kolla/venv/bin/zun-rootwrap /etc/zun/rootwrap.conf *
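Review bot: The trailing `*` in the new rule matches any argument string, including whitespace-separated sequences, so sudo itself places no bound on what the zun user passes to `zun-rootwrap` after the config path; the effective privilege boundary is the filter set that `/etc/zun/rootwrap.conf` points to, which is not part of this change and should be reviewed together with it. The rule also names only the venv binary `/var/lib/kolla/venv/bin/zun-rootwrap`; the templates elsewhere in this commit reference `{{ install_type }}`, so if a non-source install type ships the wrapper under a different path those containers would have no matching sudo rule, which is worth confirming. A header line such as `# kolla-managed: lets the zun service user run oslo.rootwrap only with its own config; filters decide what is allowed` would document the intent for the next maintainer.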


@ -12,3 +12,5 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
{% block zun_compute_footer %}{% endblock %}
{% block footer %}{% endblock %}
USER zun


@ -12,3 +12,5 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
{% block zun_wsproxy_footer %}{% endblock %}
{% block footer %}{% endblock %}
USER zun