kolla/docker/blazar/blazar-base/Dockerfile.j2
Radosław Piliszek 2daf4331a6 Fix writable rootwrap/privsep config
Fixes a hypothetical security issue related to privilege escalation via
rootwrap/privsep. A potential vulnerable service could previously allow
writes to its rootwrap/privsep config and thus allow for more commands
to be run with root privileges via rootwrap/privsep. For a succesful
attack, this would also require the service to allow to run arbitrary
commands via rootwrap/privsep. Thus far, no such vulnerabilities have
been reported and thus this fix is simply strengthening the container
images against such an issue in the future.

Change-Id: I92c81c77e6a16570a108cde8031f7977930fb02a
Closes-Bug: #1874298
2022-10-10 15:06:05 +00:00

28 lines
888 B
Django/Jinja

FROM {{ namespace }}/{{ image_prefix }}openstack-base:{{ tag }}
{% block labels %}
LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build_date }}"
{% endblock %}
{% block blazar_base_header %}{% endblock %}
{% import "macros.j2" as macros with context %}
{{ macros.configure_user(name='blazar') }}
ADD blazar-base-archive /blazar-base-source
{% set blazar_base_pip_packages = [
'/blazar'
] %}
COPY extend_start.sh /usr/local/bin/kolla_extend_start
RUN ln -s blazar-base-source/* blazar \
&& {{ macros.install_pip(blazar_base_pip_packages | customizable("pip_packages")) }} \
&& mkdir -p /etc/blazar \
&& cp -r /blazar/etc/blazar/* /etc/blazar \
&& touch /usr/local/bin/kolla_blazar_extend_start \
&& chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_blazar_extend_start
{% block blazar_base_footer %}{% endblock %}