drop root for glance

This uses the grouping feature of sudo to limit the amount of times
the base sudo file has to be modified to only once.  The container
contents always runs as the user root, except the software which is
controlled by Kolla.  This software may run as root, but it has
undergone a security audit and preserves permissions of the correct
files and does not permit the glance user to write any of the
set_config.py control files.

Change-Id: Ie3cd23edcde5b408a8f66970456279a1b15028e0
Partially-Implements: blueprint drop-root

docker/glance/glance-api/Dockerfile.j2

@@ -4,4 +4,6 @@ MAINTAINER Kolla Project (https://launchpad.net/kolla)
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 RUN chmod 755 /usr/local/bin/kolla_extend_start
 
+USER glance
+
 {{ include_footer }}

docker/glance/glance-api/extend_start.sh

@@ -3,6 +3,6 @@
 # Bootstrap and exit if KOLLA_BOOTSTRAP variable is set. This catches all cases
 # of the KOLLA_BOOTSTRAP variable being set, including empty.
 if [[ "${!KOLLA_BOOTSTRAP[@]}" ]]; then
-    sudo -H -u glance glance-manage db_sync
+    glance-manage db_sync
     exit 0
 fi

docker/glance/glance-base/Dockerfile.j2

@@ -43,3 +43,5 @@ RUN ln -s glance-base-source/* glance \
     && chown -R glance: /etc/glance /var/log/glance /home/glance
 
 {% endif %}
+
+RUN usermod -a -G kolla glance

docker/glance/glance-registry/Dockerfile.j2

@@ -1,4 +1,6 @@
 FROM {{ namespace }}/{{ image_prefix }}glance-base:{{ tag }}
 MAINTAINER Kolla Project (https://launchpad.net/kolla)
 
+USER glance
+
 {{ include_footer }}