From d11b8f260b2f557302ee6c4b69921d5b9c1c6f57 Mon Sep 17 00:00:00 2001 From: Steven Dake Date: Mon, 9 Nov 2015 18:24:06 -0500 Subject: [PATCH] Drop root for heat Drop root user for heat containers. Change-Id: Ib07c0193f97bb18cc6154b4015b4056fd983f6c1 Partially-Implements: blueprint drop-root --- docker/heat/heat-api-cfn/Dockerfile.j2 | 2 ++ docker/heat/heat-api/Dockerfile.j2 | 2 ++ docker/heat/heat-api/extend_start.sh | 2 +- docker/heat/heat-base/Dockerfile.j2 | 2 ++ docker/heat/heat-engine/Dockerfile.j2 | 2 ++ 5 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/docker/heat/heat-api-cfn/Dockerfile.j2 b/docker/heat/heat-api-cfn/Dockerfile.j2
index 1146ee326c..658b6aa283 100644
--- a/docker/heat/heat-api-cfn/Dockerfile.j2
+++ b/docker/heat/heat-api-cfn/Dockerfile.j2
@@ -10,4 +10,6 @@ RUN yum -y install openstack-heat-api-cfn \ {% endif %} {% endif %} +USER heat + {{ include_footer }}
diff --git a/docker/heat/heat-api/Dockerfile.j2 b/docker/heat/heat-api/Dockerfile.j2
index e425e4ebce..026d8fc597 100644
--- a/docker/heat/heat-api/Dockerfile.j2
+++ b/docker/heat/heat-api/Dockerfile.j2
@@ -13,4 +13,6 @@ RUN yum -y install openstack-heat-api \ COPY extend_start.sh /usr/local/bin/kolla_extend_start RUN chmod 755 /usr/local/bin/kolla_extend_start +USER heat + {{ include_footer }}
diff --git a/docker/heat/heat-api/extend_start.sh b/docker/heat/heat-api/extend_start.sh
index f04438a789..6c4fc431f6 100644
--- a/docker/heat/heat-api/extend_start.sh
+++ b/docker/heat/heat-api/extend_start.sh
@@ -3,7 +3,7 @@ # Bootstrap and exit if KOLLA_BOOTSTRAP variable is set. This catches all cases # of the KOLLA_BOOTSTRAP variable being set, including empty. if [[ "${!KOLLA_BOOTSTRAP[@]}" ]]; then - sudo -H -u heat heat-manage db_sync + heat-manage db_sync openstack domain create heat_user_domain openstack user create --domain heat_user_domain heat_domain_admin --password ${HEAT_DOMAIN_ADMIN_PASSWORD} openstack role add --domain heat_user_domain --user heat_domain_admin admin
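Review bot: The `USER heat` line in heat-api-cfn/Dockerfile.j2 sits above `{{ include_footer }}`, so whatever the footer template expands to is now built and run as heat rather than root. The footer's contents are not visible in this hunk, so it is worth confirming that it holds no root-only step. The same placement is repeated in the heat-api and heat-engine Dockerfiles. A comment above the directive would keep later edits from adding privileged steps below it, for example `# Drop to the unprivileged heat user; root-only build steps must stay above this line.`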
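Review bot: `${HEAT_DOMAIN_ADMIN_PASSWORD}` is expanded unquoted on the `openstack user create` line of extend_start.sh, so a password containing whitespace or glob characters is split or expanded before it reaches the client; quote it as `--password "${HEAT_DOMAIN_ADMIN_PASSWORD}"`. Passing the secret as an argument also leaves it visible in the container's process list while the command runs. Separately, `heat-manage db_sync` now relies on the image's `USER heat` instead of sudo, and its exit status is not checked in the visible lines; `heat-manage db_sync || exit 1` would stop the bootstrap before the domain and admin user are created. The top of the script and the end of the `if` block lie outside the hunk, so an earlier `set -e` cannot be ruled out.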
diff --git a/docker/heat/heat-base/Dockerfile.j2 b/docker/heat/heat-base/Dockerfile.j2
index c9ab54efc2..9d47d3b3db 100644
--- a/docker/heat/heat-base/Dockerfile.j2
+++ b/docker/heat/heat-base/Dockerfile.j2
@@ -20,3 +20,5 @@ RUN ln -s heat-base-source/* heat \ && chown -R heat: /etc/heat /var/log/heat /home/heat {% endif %} + +RUN usermod -a -G kolla heat
diff --git a/docker/heat/heat-engine/Dockerfile.j2 b/docker/heat/heat-engine/Dockerfile.j2
index 1a0b9b1dc9..7dcf0735ca 100644
--- a/docker/heat/heat-engine/Dockerfile.j2
+++ b/docker/heat/heat-engine/Dockerfile.j2
@@ -15,4 +15,6 @@ RUN yum -y install \ {% endif %} {% endif %} +USER heat + {{ include_footer }}
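Review bot: `RUN usermod -a -G kolla heat` in heat-base/Dockerfile.j2 gives the heat user every permission attached to the kolla group, and neither the hunk nor the commit message says what that group grants or where it is created. The line sits after the closing `{% endif %}`, so it appears to apply to every install type, and the build would fail if the group or the heat user were missing in one of them. A comment recording the reason would help the next reviewer judge the privilege, for example `# heat needs the kolla group for <reason>; keep membership to what the start scripts require.`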