Drop root privileges for mariadb

Drop root privileges for mariadb.  This isn't perfect.  If someone
breaks out of the container and can run sudo within the container,
it would be possible to replace the root credentials of the database.

Any container that uses sudo suffers from some extra attack vector
related to the sudo command.  That said, the sudo commands are
locked down to minimize harm.

Change-Id: I4b3573725d940bb8aa90d43a6235d8cf7d30fc64
Partially-Implements: blueprint drop-root
This commit is contained in:
Steven Dake 2015-11-10 04:11:20 -05:00
parent 09e9b1be33
commit 4c9e15b94e
4 changed files with 15 additions and 5 deletions


@ -14,3 +14,5 @@ root ALL=(ALL) ALL
# anyone in the kolla group may run /usr/local/bin/kolla_set_configs as the # anyone in the kolla group may run /usr/local/bin/kolla_set_configs as the
# root user via sudo without password confirmation # root user via sudo without password confirmation
%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_set_configs %kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_set_configs
#includedir /etc/sudoers.d
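Review bot: `#includedir /etc/sudoers.d` looks like a comment but is a directive, and nothing near it says so; a comment above it such as `# "#includedir" is a sudoers directive, not a comment: per-image drop-ins (root-owned, mode 0440) are read from /etc/sudoers.d` would keep it from being cleaned up as dead text. Putting it after the existing rules is the right order, since sudo applies the last matching entry, so a drop-in can refine the base `%kolla` rule rather than be shadowed by it.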


@ -28,9 +28,16 @@ RUN apt-get install -y --no-install-recommends \
{% endif %} {% endif %}
COPY mariadb_sudoers /etc/sudoers.d/mariadb_sudoers
COPY extend_start.sh /usr/local/bin/kolla_extend_start COPY extend_start.sh /usr/local/bin/kolla_extend_start
COPY security_reset.expect /usr/local/bin/kolla_security_reset COPY security_reset.expect /usr/local/bin/kolla_security_reset
RUN chmod 755 /usr/local/bin/kolla_extend_start \ RUN chmod 755 /usr/local/bin/kolla_extend_start \
&& chmod 755 /usr/local/bin/kolla_security_reset && chmod 755 /usr/local/bin/kolla_security_reset \
&& chmod 750 /etc/sudoers.d \
&& chmod 440 /etc/sudoers.d/mariadb_sudoers \
&& usermod -a -G kolla mysql
USER mysql
{{ include_footer }} {{ include_footer }}
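Review bot: `usermod -a -G kolla mysql` on the line before `USER mysql` gives the mysql user every `%kolla` sudo rule, not only the mariadb_sudoers drop-in, so it also inherits the base grant to run kolla_set_configs as root; if the non-root entrypoint genuinely needs that, it is worth stating, otherwise the drop-in could grant to the `mysql` user directly and the group add could be dropped. A one-line comment above the `usermod`, `# kolla group membership = every %kolla sudoers rule (base sudoers + mariadb_sudoers)`, would make the intended privilege set reviewable later. The RUN chain's ownership expectations (drop-in root-owned via COPY, mode 440) are met here as far as the hunk shows.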


@ -5,19 +5,19 @@ function bootstrap_db {
# Waiting for deamon # Waiting for deamon
sleep 10 sleep 10
kolla_security_reset sudo -E kolla_security_reset
mysql -u root --password="${DB_ROOT_PASSWORD}" -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY '${DB_ROOT_PASSWORD}' WITH GRANT OPTION;" mysql -u root --password="${DB_ROOT_PASSWORD}" -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY '${DB_ROOT_PASSWORD}' WITH GRANT OPTION;"
mysql -u root --password="${DB_ROOT_PASSWORD}" -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '${DB_ROOT_PASSWORD}' WITH GRANT OPTION;" mysql -u root --password="${DB_ROOT_PASSWORD}" -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '${DB_ROOT_PASSWORD}' WITH GRANT OPTION;"
mysqladmin -p"${DB_ROOT_PASSWORD}" shutdown mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" shutdown
} }
chown mysql: /var/lib/mysql sudo chown mysql: /var/lib/mysql
# This catches all cases of the BOOTSTRAP variable being set, including empty # This catches all cases of the BOOTSTRAP variable being set, including empty
if [[ "${!KOLLA_BOOTSTRAP[@]}" ]] && [[ ! -e /var/lib/mysql/cluster.exists ]]; then if [[ "${!KOLLA_BOOTSTRAP[@]}" ]] && [[ ! -e /var/lib/mysql/cluster.exists ]]; then
ARGS="--wsrep-new-cluster" ARGS="--wsrep-new-cluster"
touch /var/lib/mysql/cluster.exists touch /var/lib/mysql/cluster.exists
mysql_install_db --user=mysql mysql_install_db
bootstrap_db bootstrap_db
fi fi
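Review bot: `sudo -E kolla_security_reset`, the line replacing the bare `kolla_security_reset` call inside bootstrap_db, is likely to be refused by sudo: with the default env_reset, `-E` is only honoured when the matching rule carries the SETENV tag (or the command is ALL), and the mariadb_sudoers rule this commit adds has no such tag. Either add the tag to that entry, `..., SETENV: /usr/local/bin/kolla_security_reset`, or, narrower, drop `-E` and pass only the variable the expect script needs (presumably DB_ROOT_PASSWORD) through `env_keep` for that command, so the whole environment is not handed to the root process. The same applies to the `sudo chown mysql: /var/lib/mysql` line only if it ever grows `-E`; today it matches the pinned arguments as written. bootstrap_db's opening line is outside the hunk.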


@ -0,0 +1 @@
%kolla ALL=(root) NOPASSWD: /bin/chown mysql\: /var/lib/mysql, /usr/bin/chown mysql\: /var/lib/mysql, /usr/local/bin/kolla_security_reset
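Review bot: The drop-in has no comment explaining why chown is listed under both /bin and /usr/bin with its arguments pinned, which is exactly the detail a later maintainer is most likely to "simplify" into a bare `/bin/chown`; a header such as `# chown is limited to exactly these arguments; both paths are listed presumably because the binary's location differs between base images` would preserve the intent. sudo silently ignores files in /etc/sudoers.d whose names contain a '.' or end in '~', so `mariadb_sudoers` is fine as named but that constraint is worth a comment beside the COPY that installs it.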