4c9e15b94e
Drop root privileges for mariadb. This isn't perfect. If somemone breaks out of the container and can run sudo within the contianer, it would be possible to replace the root credentials of the database. Any container that uses sudo suffers from some extra attack vector related to the sudo command. That said, the sudo commands are locked down to minimize harm. Change-Id: I4b3573725d940bb8aa90d43a6235d8cf7d30fc64 Partially-Implements: blueprint drop-root
19 lines
799 B
Plaintext
19 lines
799 B
Plaintext
# The idea here is a container service adds their UID to the kolla group
|
|
# via usermod -a -G kolla <uid>. Then the kolla_start may run
|
|
# kolla_set_configs via sudo as the root user which is necessary to protect
|
|
# the immutability of the container
|
|
|
|
# anyone in the kolla group may sudo -E (set the environment)
|
|
Defaults: %kolla setenv
|
|
|
|
# root may run any commands via sudo as the network seervice user. This is
|
|
# neededfor database migrations of existing services which have not been
|
|
# converted to run as a non-root user, but instead do that via sudo -E glance
|
|
root ALL=(ALL) ALL
|
|
|
|
# anyone in the kolla group may run /usr/local/bin/kolla_set_configs as the
|
|
# root user via sudo without password confirmation
|
|
%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_set_configs
|
|
|
|
#includedir /etc/sudoers.d
|