From bd9e8c22d79f28d1bc74eeaa4f7f8563a8e9da6d Mon Sep 17 00:00:00 2001
From: Steven Dake
Date: Sun, 8 Nov 2015 16:37:41 -0500
Subject: [PATCH] drop root for glance

This uses the grouping feature of sudo to limit the amount of times the base sudo file has to be modified to only once. The container contents always runs as the user root, except the software which is controlled by Kolla. This software may run as root, but it has undergone a security audit and preserves permissions of the correct files and does not permit the glance user to write any of the set_config.py control files.

Change-Id: Ie3cd23edcde5b408a8f66970456279a1b15028e0
Partially-Implements: blueprint drop-root
---
 docker/glance/glance-api/Dockerfile.j2 | 2 ++
 docker/glance/glance-api/extend_start.sh | 2 +-
 docker/glance/glance-base/Dockerfile.j2 | 2 ++
 docker/glance/glance-registry/Dockerfile.j2 | 2 ++
 4 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/docker/glance/glance-api/Dockerfile.j2 b/docker/glance/glance-api/Dockerfile.j2
index 2e1aec4cd9..bde6d4bed9 100644
--- a/docker/glance/glance-api/Dockerfile.j2
+++ b/docker/glance/glance-api/Dockerfile.j2
@@ -4,4 +4,6 @@ MAINTAINER Kolla Project (https://launchpad.net/kolla)
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 RUN chmod 755 /usr/local/bin/kolla_extend_start
+USER glance
+
 {{ include_footer }}
diff --git a/docker/glance/glance-api/extend_start.sh b/docker/glance/glance-api/extend_start.sh
index fd70962ebd..6f3cab8307 100644
--- a/docker/glance/glance-api/extend_start.sh
+++ b/docker/glance/glance-api/extend_start.sh
@@ -3,6 +3,6 @@
 # Bootstrap and exit if KOLLA_BOOTSTRAP variable is set. This catches all cases
 # of the KOLLA_BOOTSTRAP variable being set, including empty.
 if [[ "${!KOLLA_BOOTSTRAP[@]}" ]]; then
- sudo -H -u glance glance-manage db_sync
+ glance-manage db_sync
 exit 0
 fi
diff --git a/docker/glance/glance-base/Dockerfile.j2 b/docker/glance/glance-base/Dockerfile.j2
index 5ce5397bc8..447c2d5b9f 100644
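Review bot: The new `USER glance` in glance-api's Dockerfile.j2 (and the identical line added to glance-registry's Dockerfile.j2 in this patch) carries no comment, and nothing in the hunk records that whatever `{{ include_footer }}` renders — presumably the image's start command — is now expected to run as that user rather than root. A one-line comment above it, `# Drop root: the footer's start command and everything after this line run as glance`, would tell the next maintainer why the directive sits immediately before the footer and why no root-requiring RUN may be added below it. Whether the privileged steps glance still needs at start-up are covered by the sudo group membership the commit message describes cannot be checked from this hunk; that lives in the base image's sudo file and in glance-base. The ownership of /etc/glance and /var/log/glance that the start path depends on is handled by the chown visible in the glance-base hunk, which appears to sit inside a conditional block, so it is worth confirming both install types end up with glance-owned paths.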
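Review bot: Dropping `sudo -H -u glance` means `glance-manage db_sync` now runs as whatever user the container was started as; the script no longer enforces that this is glance and relies entirely on the `USER glance` added to the glance-api Dockerfile in this patch, so a `docker run --user` override or a later Dockerfile edit would silently run the bootstrap as root again. The dependency should at least be stated next to the call: `# No sudo needed: the image's USER directive already runs this as glance.` If the bootstrap must never run as root, a guard such as `[[ "$(id -un)" == "glance" ]] || { echo "bootstrap must run as glance" >&2; exit 1; }` before the call makes the assumption explicit and fail-fast. The removed `-H` also pointed HOME at glance's home directory; Docker normally derives HOME from the USER's passwd entry, but that is worth confirming if glance-manage reads anything under $HOME. The rest of extend_start.sh is outside this hunk, so whether anything after the `fi` still invokes sudo cannot be seen here.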
--- a/docker/glance/glance-base/Dockerfile.j2
+++ b/docker/glance/glance-base/Dockerfile.j2
@@ -43,3 +43,5 @@ RUN ln -s glance-base-source/* glance \
 && chown -R glance: /etc/glance /var/log/glance /home/glance
 {% endif %}
+
+RUN usermod -a -G kolla glance
diff --git a/docker/glance/glance-registry/Dockerfile.j2 b/docker/glance/glance-registry/Dockerfile.j2
index 54710da06f..c3bdef8d80 100644
--- a/docker/glance/glance-registry/Dockerfile.j2
+++ b/docker/glance/glance-registry/Dockerfile.j2
@@ -1,4 +1,6 @@
 FROM {{ namespace }}/{{ image_prefix }}glance-base:{{ tag }}
 MAINTAINER Kolla Project (https://launchpad.net/kolla)
+USER glance
+
 {{ include_footer }}
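Review bot: `RUN usermod -a -G kolla glance` widens the glance user's privileges by whatever the base image's sudo file grants to the kolla group — the commit message says that grouping is the point — but the line has no comment and the hunk does not show the rule, so a reader of glance-base cannot tell what the membership buys or how broad it is. I'd add `# kolla group membership grants the sudo rules for that group in the base sudo file; keep that rule set limited to running set_config.py` above it, and confirm in the base image that the rule is scoped to that control script rather than a blanket ALL. The instruction is placed after `{% endif %}`, so it runs for both install types; that is correct only if the glance user and the kolla group exist on both paths, and because usermod fails the build loudly if either is missing this is a build-time rather than a runtime risk. The `{% if %}` block that this `{% endif %}` closes starts outside the hunk.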