openstack/kolla
Code Issues Proposed changes
2b0a5f684b
kolla/docker/masakari/masakari-monitors/Dockerfile.j2
Radosław Piliszek 2daf4331a6 Fix writable rootwrap/privsep config 
Fixes a hypothetical security issue related to privilege escalation via
rootwrap/privsep. A potential vulnerable service could previously allow
writes to its rootwrap/privsep config and thus allow for more commands
to be run with root privileges via rootwrap/privsep. For a succesful
attack, this would also require the service to allow to run arbitrary
commands via rootwrap/privsep. Thus far, no such vulnerabilities have
been reported and thus this fix is simply strengthening the container
images against such an issue in the future.

Change-Id: I92c81c77e6a16570a108cde8031f7977930fb02a
Closes-Bug: #1874298
2022-10-10 15:06:05 +00:00

54 lines
1.5 KiB
Django/Jinja
Raw Blame History

FROM {{ namespace }}/{{ image_prefix }}masakari-base:{{ tag }}
{% block labels %}
LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build_date }}"
{% endblock %}
{% block masakari_monitors_header %}{% endblock %}
{% import "macros.j2" as macros with context %}
{{ macros.enable_extra_repos(['hacluster', 'libvirt']) }}
{% if base_package_type == 'rpm' %}
{% set masakari_monitors_packages = [
'cyrus-sasl-md5',
'cyrus-sasl-scram',
'python3-libvirt',
'pacemaker-cli',
'tcpdump',
] %}
{% elif base_package_type == 'deb' %}
{% set masakari_monitors_packages = [
'libsasl2-modules-gssapi-mit',
'python3-libvirt',
'pacemaker-cli-utils',
'sasl2-bin',
'tcpdump',
] %}
{% endif %}
{{ macros.install_packages(masakari_monitors_packages | customizable("packages")) }}
ADD masakari-monitors-archive /masakari-monitors-source
{% set masakari_monitors_pip_packages = [
'/masakari-monitors'
] %}
COPY masakari_monitors_sudoers /etc/sudoers.d/kolla_masakari_monitors_sudoers
RUN ln -s masakari-monitors-source/* masakari-monitors \
&& {{ macros.install_pip(masakari_monitors_pip_packages | customizable("pip_packages")) }} \
&& mkdir -p /etc/masakari-monitors \
&& chmod 750 /etc/sudoers.d \
&& chmod 640 /etc/sudoers.d/kolla_masakari_monitors_sudoers
{% block masakari_monitors_footer %}{% endblock %}
{% block footer %}{% endblock %}
USER masakari
View Git Blame Copy Permalink