Configure sudoers for zun containers
Zun processes previously ran as user 'root'. This is undesirable for several reasons (e.g. security, privsep). This patch makes the Zun processes run as the 'zun' user, which aligns with the practice of other containers. Change-Id: I0d3111f0ca6301d6f22410fe5fd5a2dbf586e691 Closes-Bug: #1787760
parent
8d44e3b5a4
commit
0b2682e489
@ -15,3 +15,5 @@ RUN chmod 755 /usr/local/bin/kolla_zun_extend_start
|
||||
|
||||
{% block zun_api_footer %}{% endblock %}
|
||||
{% block footer %}{% endblock %}
|
||||
|
||||
USER zun
|
||||
|
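Review bot: `USER zun` is added after the footer blocks with no comment explaining why it must come last, here and in the matching zun-compute and zun-wsproxy hunks. Because it follows `{% block zun_api_footer %}` and `{% block footer %}`, anything a downstream template injects there still builds as root while the container runs as zun; moving the line above the blocks would silently break those overrides. A comment such as `# Keep USER last so the footer blocks above still build as root` would record the intent. It is also worth confirming that the start scripts need no root step beyond what the new sudoers rule allows, since that is not visible in these hunks.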
@ -56,9 +56,12 @@ RUN ln -s zun-base-source/* zun \
|
||||
|
||||
{% endif %}
|
||||
|
||||
COPY zun_sudoers /etc/sudoers.d/kolla_zun_sudoers
|
||||
COPY extend_start.sh /usr/local/bin/kolla_extend_start
|
||||
|
||||
RUN touch /usr/local/bin/kolla_zun_extend_start \
|
||||
RUN chmod 750 /etc/sudoers.d \
|
||||
&& chmod 640 /etc/sudoers.d/kolla_zun_sudoers \
|
||||
&& touch /usr/local/bin/kolla_zun_extend_start \
|
||||
&& chmod 755 /var/www/cgi-bin/zun \
|
||||
&& chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_zun_extend_start
|
||||
|
||||
|
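Review bot: The new `RUN` chain installs `/etc/sudoers.d/kolla_zun_sudoers` without ever parsing it, so a typo in the drop-in is only discovered when sudo fails inside a running container. Adding `&& visudo -cf /etc/sudoers.d/kolla_zun_sudoers \` after the `chmod 640` line would fail the image build instead. The 640 mode is presumably accepted because the file stays root-owned and is not group- or world-writable, but 440 is the conventional sudoers mode and would drop the owner write bit as well; confirm which one the other kolla images use. The hunk starts inside the Dockerfile, so any earlier ownership changes are outside this view.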
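--- a/docker/zun/zun-base/zun_sudoers
+++ b/docker/zun/zun-base/zun_sudoers
@@ -0,0 +1 @@
+zun ALL=(root) NOPASSWD: /var/lib/kolla/venv/bin/zun-rootwrap /etc/zun/rootwrap.conf *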
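Review bot: The trailing `*` lets the zun user pass arbitrary arguments to zun-rootwrap as root without a password, so the real privilege boundary is `/etc/zun/rootwrap.conf` and the filter files it references, not this rule. The rule is only as tight as the ownership of those files and of `/var/lib/kolla/venv/bin/zun-rootwrap`: if any of them is writable by zun, the account can widen its own filters. Their ownership is not set in this commit, so confirm they stay root-owned and unwritable by zun wherever they are installed or copied into place. A header comment such as `# zun escalates only via rootwrap; rootwrap.conf and its filters must be root-owned` would document the assumption.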
@ -12,3 +12,5 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
|
||||
|
||||
{% block zun_compute_footer %}{% endblock %}
|
||||
{% block footer %}{% endblock %}
|
||||
|
||||
USER zun
|
||||
|
@ -12,3 +12,5 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
|
||||
|
||||
{% block zun_wsproxy_footer %}{% endblock %}
|
||||
{% block footer %}{% endblock %}
|
||||
|
||||
USER zun
|
||||
|