diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml index 011ffaaa65..b6cfa21e55 100644 --- a/docker/services/keystone.yaml +++ b/docker/services/keystone.yaml @@ -113,6 +113,7 @@ outputs: keystone_db_sync: image: *keystone_image net: host + user: root privileged: false detach: false volumes: &keystone_volumes @@ -152,6 +153,7 @@ outputs: keystone_bootstrap: start_order: 3 action: exec + user: root command: [ 'keystone', '/usr/bin/bootstrap_host_exec', 'keystone' ,'keystone-manage', 'bootstrap', '--bootstrap-password', {get_param: AdminPassword} ] docker_puppet_tasks: diff --git a/docker/services/sahara-api.yaml b/docker/services/sahara-api.yaml index 55c42abd47..32d64583de 100644 --- a/docker/services/sahara-api.yaml +++ b/docker/services/sahara-api.yaml @@ -92,6 +92,7 @@ outputs: net: host privileged: false detach: false + user: root volumes: &sahara_volumes list_concat: - {get_attr: [ContainersCommon, volumes]} diff --git a/tools/yaml-validate.py b/tools/yaml-validate.py index 233ec18535..674449f574 100755 --- a/tools/yaml-validate.py +++ b/tools/yaml-validate.py @@ -200,6 +200,23 @@ def validate_docker_service(filename, tpl): % (expected_config_image_parameter, config_volume)) return 1 + if 'docker_config' in role_data: + docker_config = role_data['docker_config'] + for _, step in docker_config.items(): + for _, container in step.items(): + if not isinstance(container, dict): + # NOTE(mandre) this skips everything that is not a dict + # so we may ignore some containers definitions if they + # are in a map_merge for example + continue + command = container.get('command', '') + if isinstance(command, list): + command = ' '.join(map(str, command)) + if 'bootstrap_host_exec' in command \ + and container.get('user') != 'root': + print('ERROR: bootstrap_host_exec needs to run as the root user.') + return 1 + if 'parameters' in tpl: for param in required_params: if param not in tpl['parameters']:
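Review bot: The `user: root` added to keystone_db_sync carries no comment saying why the container must run as root, and the same applies to keystone_bootstrap in the next hunk and to the sahara-api.yaml hunk. The validator added in tools/yaml-validate.py ties the requirement to bootstrap_host_exec, so a line such as `# root is required by bootstrap_host_exec (checked by tools/yaml-validate.py)` above each `user: root` would help keep the privilege from being copied to containers that do not need it. The commands of keystone_db_sync and of the sahara container lie outside these hunks, so it cannot be confirmed from here that they call bootstrap_host_exec. If the wrapper does not drop privileges before running the wrapped command, keystone-manage and any files it creates would be owned by root, which is worth checking against the service user's later access to them.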
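Review bot: The new check in validate_docker_service fails open and reports without context. Any container that is not a plain dict is skipped silently, as the NOTE admits, so a bootstrap_host_exec call behind map_merge passes validation unchecked. A `step` that is not a dict is not skipped at all: `step.items()` would raise and abort the validator. The error message names neither the file nor the container, although `filename` is a parameter and the loop discards both keys as `_`. The sketch below keeps the keys, guards `step`, and puts both names in the message; the function starts and ends outside the hunk.

```python
    if 'docker_config' in role_data:
        docker_config = role_data['docker_config']
        for step_name, step in docker_config.items():
            if not isinstance(step, dict):
                # same limitation as for containers: a step built by an
                # intrinsic function is not expanded, so it cannot be checked
                print('WARNING: docker_config step %s in %s is not a map, '
                      'skipping the root check' % (step_name, filename))
                continue
            for name, container in step.items():
                # … unchanged: non-dict container skip, command normalisation …
                if 'bootstrap_host_exec' in command \
                        and container.get('user') != 'root':
                    print('ERROR: bootstrap_host_exec needs to run as the '
                          'root user: container %s in %s' % (name, filename))
                    return 1
```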