Backport "docker group is no longer used"
Restrict docker API access to the root user only. This is so that someone with access to the docker API cannot access arbitrary files on the host, modify the host networking, or kill/inspect host processes. Change-Id: I9b5cb3cf3e0470ce58f72bd9952b6b3856ebf94d heat-coe-templates: I0eee1222e06d6c34761feb24b517972892dc8bbc
This commit is contained in:
parent
fae8609262
commit
e3b6ae71d5
|
@ -1,14 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
# Under atomic, we need to make sure the 'dockerroot' group exists in
|
||||
# /etc/group (because /lib/group cannot be modified by usermod).
|
||||
echo "making 'dockerroot' group editable"
|
||||
if ! grep -q dockerroot /etc/group; then
|
||||
grep dockerroot /lib/group >> /etc/group
|
||||
fi
|
||||
|
||||
# make 'minion' user a member of the dockerroot group
|
||||
# (so you can run docker commands as the 'minion' user)
|
||||
echo "adding 'minion' user to 'dockerroot' group"
|
||||
usermod -G dockerroot minion
|
||||
|
|
@ -93,12 +93,6 @@ resources:
|
|||
$KUBE_MASTER_IP: {get_param: kube_master_ip}
|
||||
$DOCKER_VOLUME: {get_resource: docker_volume}
|
||||
|
||||
add_to_docker_group:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
properties:
|
||||
group: ungrouped
|
||||
config: {get_file: fragments/add-to-docker-group.sh}
|
||||
|
||||
configure_docker_storage:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
properties:
|
||||
|
@ -167,7 +161,6 @@ resources:
|
|||
- config: {get_resource: write_heat_params}
|
||||
- config: {get_resource: kube_user}
|
||||
- config: {get_resource: kube_examples}
|
||||
- config: {get_resource: add_to_docker_group}
|
||||
- config: {get_resource: configure_docker_storage}
|
||||
- config: {get_resource: kube_register}
|
||||
- config: {get_resource: configure_kubernetes_minion}
|
||||
|
|
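Review bot: With the add_to_docker_group resource and its `- config: {get_resource: add_to_docker_group}` entry removed, nothing left in this template records why the minion user is kept out of the dockerroot group, so the next person to hit a docker permission error on a minion may simply re-add it; a comment on the remaining config list in the second hunk (the one at -167,7) would carry that intent, e.g. `# NOTE: the 'minion' user is deliberately not a member of the dockerroot group; docker API access is equivalent to root on the host (Change-Id I9b5cb3cf3e0470ce58f72bd9952b6b3856ebf94d)`. The two hunks in this section are consistent with each other: the resource definition dropped at -93,12 is the same one whose reference disappears at -167,7, and the 167 → 161 shift matches the six lines removed earlier. Whether any other template, fragment or documentation in the repository still references add_to_docker_group or relies on the dockerroot group cannot be seen from this page and is worth checking before merging. The enclosing `resources:` mapping begins and ends outside both hunks.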