2daf4331a6
Fixes a hypothetical security issue related to privilege escalation via rootwrap/privsep. A potential vulnerable service could previously allow writes to its rootwrap/privsep config and thus allow for more commands to be run with root privileges via rootwrap/privsep. For a succesful attack, this would also require the service to allow to run arbitrary commands via rootwrap/privsep. Thus far, no such vulnerabilities have been reported and thus this fix is simply strengthening the container images against such an issue in the future. Change-Id: I92c81c77e6a16570a108cde8031f7977930fb02a Closes-Bug: #1874298
38 lines
1.2 KiB
Django/Jinja
38 lines
1.2 KiB
Django/Jinja
FROM {{ namespace }}/{{ image_prefix }}openstack-base:{{ tag }}
|
|
{% block labels %}
|
|
LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build_date }}"
|
|
{% endblock %}
|
|
|
|
{% block aodh_base_header %}{% endblock %}
|
|
|
|
{% import "macros.j2" as macros with context %}
|
|
|
|
{{ macros.configure_user(name='aodh') }}
|
|
|
|
{% set aodh_base_packages = [
|
|
] %}
|
|
|
|
{{ macros.install_packages(aodh_base_packages | customizable("packages")) }}
|
|
RUN mkdir -p /var/www/cgi-bin/aodh
|
|
|
|
ADD aodh-base-archive /aodh-base-source
|
|
|
|
{% set aodh_base_pip_packages = [
|
|
'/aodh',
|
|
] %}
|
|
|
|
COPY extend_start.sh /usr/local/bin/kolla_extend_start
|
|
COPY aodh_sudoers /etc/sudoers.d/kolla_aodh_sudoers
|
|
|
|
RUN ln -s aodh-base-source/* aodh \
|
|
&& {{ macros.install_pip(aodh_base_pip_packages | customizable("pip_packages")) }} \
|
|
&& mkdir -p /etc/aodh /var/www/cgi-bin/aodh \
|
|
&& cp /aodh/aodh/api/app.wsgi /var/www/cgi-bin/aodh \
|
|
&& chmod 750 /etc/sudoers.d \
|
|
&& chmod 640 /etc/sudoers.d/kolla_aodh_sudoers \
|
|
&& chmod 755 /var/www/cgi-bin/aodh \
|
|
&& touch /usr/local/bin/kolla_aodh_extend_start \
|
|
&& chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_aodh_extend_start
|
|
|
|
{% block aodh_base_footer %}{% endblock %}
|