From 7595dfce783f76f09dd71c50da795a7fadea0142 Mon Sep 17 00:00:00 2001
From: "Swapnil Kulkarni (coolsvap)"
Date: Fri, 4 Mar 2016 09:17:46 +0530
Subject: [PATCH] Drop root for swift
Updates to ensure commands run in the swift containers are done as the 'swift' user rather than root.
Change-Id: I8c5a12e24b9940200241dbe09d6bde8f1cc1cf05
Closes-Bug: #1553895
Co-Authored-By: Serguei Bezverkhi
---
 docker/swift/swift-account/Dockerfile.j2 | 2 ++
 docker/swift/swift-base/Dockerfile.j2 | 14 ++++++++
 docker/swift/swift-base/rootwrap.conf | 34 +++++++++++++++++++
 docker/swift/swift-base/swift-rootwrap | 10 ++++++
 docker/swift/swift-base/swift_sudoers | 1 +
 docker/swift/swift-container/Dockerfile.j2 | 2 ++
 docker/swift/swift-object/Dockerfile.j2 | 2 ++
 docker/swift/swift-proxy-server/Dockerfile.j2 | 2 ++
 docker/swift/swift-rsyncd/Dockerfile.j2 | 3 ++
 9 files changed, 70 insertions(+)
 create mode 100644 docker/swift/swift-base/rootwrap.conf
 create mode 100644 docker/swift/swift-base/swift-rootwrap
 create mode 100644 docker/swift/swift-base/swift_sudoers
diff --git a/docker/swift/swift-account/Dockerfile.j2 b/docker/swift/swift-account/Dockerfile.j2
index e17cf72a2a..470be372e2 100644
--- a/docker/swift/swift-account/Dockerfile.j2
+++ b/docker/swift/swift-account/Dockerfile.j2
@@ -17,3 +17,5 @@ RUN apt-get install -y --no-install-recommends \
 {% endif %}
 {{ include_footer }}
+
+USER swift
diff --git a/docker/swift/swift-base/Dockerfile.j2 b/docker/swift/swift-base/Dockerfile.j2
index 639b997bc8..ac4c94e185 100644
--- a/docker/swift/swift-base/Dockerfile.j2
+++ b/docker/swift/swift-base/Dockerfile.j2
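Review bot: The `USER swift` added at the end of the swift-account hunk switches by name only, and the identical two-line tail is added in the swift-container, swift-object and swift-proxy-server hunks; runtimes that enforce non-root by numeric id (Kubernetes `runAsNonRoot`) cannot verify a named user, so if the base image fixes the swift UID the numeric form is more portable. Nothing in these hunks shows which paths the services write to once unprivileged (logs, rings, object storage), so that now depends entirely on ownership set in swift-base or at start time and deserves a comment above the line: `# Everything from here on, including the {{ include_footer }} entrypoint, runs unprivileged as swift`. The Dockerfile is a Jinja template whose earlier lines are outside the hunk.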
@@ -39,5 +39,19 @@ RUN ln -s swift-base-source/* swift \
 {% endif %}
+RUN pip install oslo.rootwrap
+
+COPY swift-rootwrap /var/lib/kolla/venv/bin/swift-rootwrap
+COPY rootwrap.conf /etc/swift/rootwrap.conf
+RUN chmod 755 /var/lib/kolla/venv/bin/swift-rootwrap \
+ && chmod 644 /etc/swift/rootwrap.conf \
+ && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/swift/rootwrap.conf
+
+COPY swift_sudoers /etc/sudoers.d/swift_sudoers
+RUN chmod 750 /etc/sudoers.d \
+ && chmod 440 /etc/sudoers.d/swift_sudoers
+
 COPY build-swift-ring.py /usr/local/bin/kolla_build_swift_ring
 RUN mkdir -p /opt/swift
+
+RUN usermod -a -G kolla swift
diff --git a/docker/swift/swift-base/rootwrap.conf b/docker/swift/swift-base/rootwrap.conf
new file mode 100644
index 0000000000..270dcc974a
--- /dev/null
+++ b/docker/swift/swift-base/rootwrap.conf
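Review bot: The `sed -i` on the new `RUN chmod 755 …` step prepends `/var/lib/kolla/venv/bin` to rootwrap's `exec_dirs`, and the last added line puts the swift user into the `kolla` group; rootwrap is only as safe as the directories it executes from, so if that venv is group-owned or group-writable by `kolla`, a member of the group could swap a binary that sudo then runs as root. The build should assert the ownership it relies on instead of assuming it, e.g. a line next to the usermod such as `RUN test "$(stat -c %U:%a /var/lib/kolla/venv/bin)" = root:755` (constructed check; adjust to the actual mode), or at minimum a comment stating that the venv is root-owned and not group-writable. Two smaller points: `pip install oslo.rootwrap` is unpinned and leaves the download cache in the layer (`pip install --no-cache-dir oslo.rootwrap==<pinned-version>`), and rewriting `exec_dirs` with sed at build time leaves two sources of truth when the shipped rootwrap.conf could carry the final list directly. No filter files are added under `/etc/swift/rootwrap.d` or `/usr/share/swift/rootwrap` in this change, so unless they arrive with the swift source tree every swift-rootwrap call will be refused; the enclosing Dockerfile continues outside the hunk.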
@@ -0,0 +1,34 @@
+# Configuration for swift-rootwrap
+# This file should be owned by (and only-writeable by) the root user
+
+[DEFAULT]
+# List of directories to load filter definitions from (separated by ',').
+# These directories MUST all be only writeable by root !
+filters_path=/etc/swift/rootwrap.d,/usr/share/swift/rootwrap
+
+# List of directories to search executables in, in case filters do not
+# explicitely specify a full path (separated by ',')
+# If not specified, defaults to system PATH environment variable.
+# These directories MUST all be only writeable by root !
+exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
+
+# Enable logging to syslog
+# Default value is False
+use_syslog=False
+
+# Which syslog facility to use.
+# Valid values include auth, authpriv, syslog, local0, local1...
+# Default value is 'syslog'
+syslog_log_facility=syslog
+
+# Which messages to log.
+# INFO means log all usage
+# ERROR means only log unsuccessful attempts
+syslog_log_level=ERROR
+
+[xenapi]
+# XenAPI configuration is only required by the L2 agent if it is to
+# target a XenServer/XCP compute host's dom0.
+xenapi_connection_url=
+xenapi_connection_username=root
+xenapi_connection_password=
diff --git a/docker/swift/swift-base/swift-rootwrap b/docker/swift/swift-base/swift-rootwrap
new file mode 100644
index 0000000000..3839c9a8dc
--- /dev/null
+++ b/docker/swift/swift-base/swift-rootwrap
@@ -0,0 +1,10 @@
+#!/usr/bin/python2
+# PBR Generated from u'console_scripts'
+
+import sys
+
+from oslo_rootwrap.cmd import main
+
+
+if __name__ == "__main__":
+ sys.exit(main())
diff --git a/docker/swift/swift-base/swift_sudoers b/docker/swift/swift-base/swift_sudoers
new file mode 100644
index 0000000000..b20ac15fb8
--- /dev/null
+++ b/docker/swift/swift-base/swift_sudoers
@@ -0,0 +1 @@
+swift ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/swift-rootwrap /etc/swift/rootwrap.conf *
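Review bot: The `[xenapi]` section and its comment about the "L2 agent" targeting a XenServer dom0 come from the Neutron rootwrap template and mean nothing for swift; shipping an empty `xenapi_connection_password=` in `/etc/swift/rootwrap.conf` invites someone to fill it in. Drop the section, or reword the comment to `# Not used by swift; left over from the generic rootwrap template` so it is not mistaken for a live setting. The `exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin` line is overwritten by sed in swift-base's Dockerfile during the build, so the value shown here never takes effect; carrying the final list in the file would keep the privileged-path configuration reviewable in one place. With `syslog_log_level=ERROR` only refused commands are recorded; `INFO` logs every privileged invocation, which is the more useful audit trail for a sudo-backed wrapper, and the choice is worth a sentence in the comment either way.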
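Review bot: The shebang `#!/usr/bin/python2` on the first line runs the wrapper with the system interpreter, while `oslo_rootwrap` is installed with `pip install` in swift-base and the script itself is copied into `/var/lib/kolla/venv/bin`; if that pip is the venv's, `/usr/bin/python2` will not find the module and every sudo call fails with an ImportError. Using the venv interpreter, `#!/var/lib/kolla/venv/bin/python`, would match where both the script and the package live, though a comment stating which install type the system-python path assumes would be enough if the module is known to be on the system path. The `# PBR Generated` comment is misleading for a hand-copied file; a line such as `# Hand-copied console_scripts entry point: the sudoers rule only allows this fixed path` says why the file exists.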
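Review bot: A syntax error in a file under `/etc/sudoers.d` makes sudo refuse every command in the container, and nothing in the swift-base Dockerfile validates the rule it installs; adding `visudo -cf /etc/sudoers.d/swift_sudoers` to the `RUN chmod 440` step would fail the image build instead of the first privileged request. The trailing `*` intentionally passes arbitrary arguments through, which is the rootwrap model where the filter files rather than sudoers decide what may run, so a one-line comment in the file makes that explicit: `# Arguments are validated by rootwrap filters, not by sudo; the wrapper path and config path are fixed on purpose`.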
diff --git a/docker/swift/swift-container/Dockerfile.j2 b/docker/swift/swift-container/Dockerfile.j2
index 0f0a847815..23226626eb 100644
--- a/docker/swift/swift-container/Dockerfile.j2
+++ b/docker/swift/swift-container/Dockerfile.j2
@@ -17,3 +17,5 @@ RUN apt-get install -y --no-install-recommends \
 {% endif %}
 {{ include_footer }}
+
+USER swift
diff --git a/docker/swift/swift-object/Dockerfile.j2 b/docker/swift/swift-object/Dockerfile.j2
index 20bac715ca..57d36044ba 100644
--- a/docker/swift/swift-object/Dockerfile.j2
+++ b/docker/swift/swift-object/Dockerfile.j2
@@ -17,3 +17,5 @@ RUN apt-get install -y --no-install-recommends \
 {% endif %}
 {{ include_footer }}
+
+USER swift
diff --git a/docker/swift/swift-proxy-server/Dockerfile.j2 b/docker/swift/swift-proxy-server/Dockerfile.j2
index 298bcf598b..80977961a2 100644
--- a/docker/swift/swift-proxy-server/Dockerfile.j2
+++ b/docker/swift/swift-proxy-server/Dockerfile.j2
@@ -17,3 +17,5 @@ RUN apt-get install -y --no-install-recommends \
 {% endif %}
 {{ include_footer }}
+
+USER swift
diff --git a/docker/swift/swift-rsyncd/Dockerfile.j2 b/docker/swift/swift-rsyncd/Dockerfile.j2
index 7afd4f8c2d..cba6fbc368 100644
--- a/docker/swift/swift-rsyncd/Dockerfile.j2
+++ b/docker/swift/swift-rsyncd/Dockerfile.j2
@@ -13,7 +13,10 @@ RUN apt-get install -y --no-install-recommends rsync \
 {% endif %}
+RUN setcap 'cap_net_bind_service=+ep' /usr/bin/rsync
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 RUN chmod 755 /usr/local/bin/kolla_extend_start
 {{ include_footer }}
+
+USER swift
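Review bot: `RUN setcap 'cap_net_bind_service=+ep' /usr/bin/rsync` in the swift-rsyncd hunk needs the `setcap` tool (libcap2-bin on Debian/Ubuntu, libcap on RHEL-family) in the image, and the only package the hunk context shows being installed is `rsync`; since the line sits after the `{% endif %}` it runs for every distro branch, so a missing tool fails the build on whichever base lacks it. The file capability is also silently lost whenever the rsync binary is replaced (a package upgrade or reinstall in a derived image), at which point rsyncd can no longer bind port 873 as `swift`, so the line deserves a comment stating its purpose: `# rsyncd binds 873 as the unprivileged swift user; re-run setcap if rsync is ever reinstalled`. A check in the same RUN, `&& getcap /usr/bin/rsync | grep -q cap_net_bind_service`, would make the assumption fail loudly at build time rather than at first connection.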