Base image changes for drop-root

The reason we are doing drop root is so that a network exposed software component (i.e. glance) cannot be used to affect the immutability of the container which it runs in. I have tried several different approaches and this is the only approach which puts glance in PID=1 while ensuring no files may be written by the glance process in the container image except for the log files. Change-Id: Ifd3c8c361b78d0e4791dade3afa6435290407c41 Partially-Implements: blueprint drop-root
2015-11-08 16:34:32 -05:00 · 2015-11-08 16:34:32 -05:00 · 6cf5928ff1
parent 44b5a8867e
commit 6cf5928ff1
3 changed files with 24 additions and 3 deletions
--- a/docker/base/Dockerfile.j2
+++ b/docker/base/Dockerfile.j2
@ -167,7 +167,10 @@ RUN apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com 199369E5404BD

 COPY set_configs.py /usr/local/bin/kolla_set_configs
 COPY start.sh /usr/local/bin/kolla_start
+COPY sudoers /etc/sudoers
 RUN touch /usr/local/bin/kolla_extend_start \
-    && chmod 755 /usr/local/bin/kolla_start /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_set_configs
+    && chmod 755 /usr/local/bin/kolla_start /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_set_configs \
+    && chmod 440 /etc/sudoers \
+    && groupadd kolla

 CMD ["kolla_start"]
--- a/docker/base/start.sh
+++ b/docker/base/start.sh
@ -1,8 +1,10 @@
 #!/bin/bash
 set -o errexit

-# Processing /opt/kolla/config_files/config.json
-python /usr/local/bin/kolla_set_configs
+# Processing /opt/kolla/config_files/config.json as root.  This is necessary
+# to permit certain files to be controlled by the root user which should
+# not be writable by the dropped-privileged user, especially /run_command
+sudo -E kolla_set_configs
 CMD=$(cat /run_command)
 ARGS=""

--- a/docker/base/sudoers
+++ b/docker/base/sudoers
@ -0,0 +1,16 @@
+# The idea here is a container service adds their UID to the kolla group
+# via usermod -a -G kolla <uid>.  Then the kolla_start may run
+# kolla_set_configs via sudo as the root user which is necessary to protect
+# the immutability of the container
+
+# anyone in the kolla group may sudo -E (set the environment)
+Defaults: %kolla setenv
+
+# root may run any commands via sudo as the network seervice user.  This is
+# neededfor database migrations of existing services which have not been
+# converted to run as a non-root user, but instead do that via sudo -E glance
+root ALL=(ALL) ALL
+
+# anyone in the kolla group may run /usr/local/bin/kolla_set_configs as the
+# root user via sudo without password confirmation
+%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_set_configs