Drop root for Horizon service
Drop root privileges for Horizon service. It is necesssary to set a capability on the filesystem to allow binding to port 80 as a non-root user. I have tested this works correctly from a registry on both CentOS and Ubuntu. Change-Id: I4c26f28bb28b6633784e6842f3423a2425332c27 Partially-Implements: blueprint drop-root
This commit is contained in:
parent
b6212875d3
commit
f9ccb1c882
@ -56,7 +56,25 @@ RUN ln -s horizon-source/* horizon \
|
|||||||
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
# Set NET_BIND_SERVICE capability to httpd/apache2 so that it may run on
|
||||||
|
# ports lower than 1024.
|
||||||
|
# Set pidfile and log directory to be writeable by # the horizon user.
|
||||||
|
{% if base_distro in ['centos', 'fedora', 'oraclelinux', 'rhel'] %}
|
||||||
|
|
||||||
|
RUN setcap 'cap_net_bind_service=ep' /usr/sbin/httpd \
|
||||||
|
&& chown horizon: /run/httpd /etc/httpd/logs
|
||||||
|
|
||||||
|
{% elif base_distro in ['ubuntu'] %}
|
||||||
|
|
||||||
|
RUN setcap 'cap_net_bind_service=ep' /usr/sbin/apache2 \
|
||||||
|
&& chown -R horizon: /var/run/apache2 /var/log/apache2
|
||||||
|
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
COPY extend_start.sh /usr/local/bin/kolla_extend_start
|
COPY extend_start.sh /usr/local/bin/kolla_extend_start
|
||||||
RUN chmod 755 /usr/local/bin/kolla_extend_start
|
RUN chmod 755 /usr/local/bin/kolla_extend_start \
|
||||||
|
&& usermod -a -G kolla horizon
|
||||||
|
|
||||||
|
USER horizon
|
||||||
|
|
||||||
{{ include_footer }}
|
{{ include_footer }}
|
||||||
|
Loading…
Reference in New Issue
Block a user