Drop root for swift
Updates to ensure commands run in the swift containers are done as the 'swift' user rather than root. Change-Id: I8c5a12e24b9940200241dbe09d6bde8f1cc1cf05 Closes-Bug: #1553895 Co-Authored-By: Serguei Bezverkhi <sbezverk@cisco.com>
This commit is contained in:
Swapnil Kulkarni (coolsvap)
Serguei Bezverkhi
parent
05e92db2ad
commit
7595dfce78
|
|
@ -17,3 +17,5 @@ RUN apt-get install -y --no-install-recommends \
|
|||
{% endif %}
|
||||
|
||||
{{ include_footer }}
|
||||
|
||||
USER swift
|
||||
|
|
|
|||
|
|
@ -39,5 +39,19 @@ RUN ln -s swift-base-source/* swift \
|
|||
|
||||
{% endif %}
|
||||
|
||||
RUN pip install oslo.rootwrap
|
||||
|
||||
COPY swift-rootwrap /var/lib/kolla/venv/bin/swift-rootwrap
|
||||
COPY rootwrap.conf /etc/swift/rootwrap.conf
|
||||
RUN chmod 755 /var/lib/kolla/venv/bin/swift-rootwrap \
|
||||
&& chmod 644 /etc/swift/rootwrap.conf \
|
||||
&& sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/swift/rootwrap.conf
|
||||
|
||||
COPY swift_sudoers /etc/sudoers.d/swift_sudoers
|
||||
RUN chmod 750 /etc/sudoers.d \
|
||||
&& chmod 440 /etc/sudoers.d/swift_sudoers
|
||||
|
||||
COPY build-swift-ring.py /usr/local/bin/kolla_build_swift_ring
|
||||
RUN mkdir -p /opt/swift
|
||||
|
||||
RUN usermod -a -G kolla swift
|
||||
|
|
|
|||
|
|
@ -0,0 +1,34 @@
|
|||
# Configuration for swift-rootwrap
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
[DEFAULT]
|
||||
# List of directories to load filter definitions from (separated by ',').
|
||||
# These directories MUST all be only writeable by root !
|
||||
filters_path=/etc/swift/rootwrap.d,/usr/share/swift/rootwrap
|
||||
|
||||
# List of directories to search executables in, in case filters do not
|
||||
# explicitely specify a full path (separated by ',')
|
||||
# If not specified, defaults to system PATH environment variable.
|
||||
# These directories MUST all be only writeable by root !
|
||||
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
|
||||
|
||||
# Enable logging to syslog
|
||||
# Default value is False
|
||||
use_syslog=False
|
||||
|
||||
# Which syslog facility to use.
|
||||
# Valid values include auth, authpriv, syslog, local0, local1...
|
||||
# Default value is 'syslog'
|
||||
syslog_log_facility=syslog
|
||||
|
||||
# Which messages to log.
|
||||
# INFO means log all usage
|
||||
# ERROR means only log unsuccessful attempts
|
||||
syslog_log_level=ERROR
|
||||
|
||||
[xenapi]
|
||||
# XenAPI configuration is only required by the L2 agent if it is to
|
||||
# target a XenServer/XCP compute host's dom0.
|
||||
xenapi_connection_url=<None>
|
||||
xenapi_connection_username=root
|
||||
xenapi_connection_password=<None>
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
#!/usr/bin/python2
|
||||
# PBR Generated from u'console_scripts'
|
||||
|
||||
import sys
|
||||
|
||||
from oslo_rootwrap.cmd import main
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
sys.exit(main())
|
||||
|
|
@ -0,0 +1 @@
|
|||
swift ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/swift-rootwrap /etc/swift/rootwrap.conf *
|
||||
|
|
@ -17,3 +17,5 @@ RUN apt-get install -y --no-install-recommends \
|
|||
{% endif %}
|
||||
|
||||
{{ include_footer }}
|
||||
|
||||
USER swift
|
||||
|
|
|
|||
|
|
@ -17,3 +17,5 @@ RUN apt-get install -y --no-install-recommends \
|
|||
{% endif %}
|
||||
|
||||
{{ include_footer }}
|
||||
|
||||
USER swift
|
||||
|
|
|
|||
|
|
@ -17,3 +17,5 @@ RUN apt-get install -y --no-install-recommends \
|
|||
{% endif %}
|
||||
|
||||
{{ include_footer }}
|
||||
|
||||
USER swift
|
||||
|
|
|
|||
|
|
@ -13,7 +13,10 @@ RUN apt-get install -y --no-install-recommends rsync \
|
|||
|
||||
{% endif %}
|
||||
|
||||
RUN setcap 'cap_net_bind_service=+ep' /usr/bin/rsync
|
||||
COPY extend_start.sh /usr/local/bin/kolla_extend_start
|
||||
RUN chmod 755 /usr/local/bin/kolla_extend_start
|
||||
|
||||
{{ include_footer }}
|
||||
|
||||
USER swift
|
||||
|
|
|
|||
Loading…
Reference in New Issue