kolla/docker/base/start.sh
Steven Dake 6cf5928ff1 Base image changes for drop-root
The reason we are doing drop root is so that a network exposed
software component (i.e. glance) cannot be used to affect the
immutability of the container which it runs in.  I have tried
several different approaches and this is the only approach which
puts glance in PID=1 while ensuring no files may be written by
the glance process in the container image except for the log files.

Change-Id: Ifd3c8c361b78d0e4791dade3afa6435290407c41
Partially-Implements: blueprint drop-root
2015-11-09 11:00:26 -05:00

16 lines
443 B
Bash

#!/bin/bash
set -o errexit
# Processing /opt/kolla/config_files/config.json as root. This is necessary
# to permit certain files to be controlled by the root user which should
# not be writable by the dropped-privileged user, especially /run_command
sudo -E kolla_set_configs
CMD=$(cat /run_command)
ARGS=""
# Run additional commands if present
source kolla_extend_start
echo "Running command: '${CMD}${ARGS:+ $ARGS}'"
exec ${CMD} ${ARGS}