A previous commit [1] removed the glance data container. Although this
worked at the time (as evident by it passing the gate) the drop root
patches merged after the gate patch causing the glance service to
not have the proper permissions to create this needed directory
[1] I7f2f5979b01807275908699d1243756cb97d3588
Change-Id: I5044de8d348e401a50970fd77671a79d35d2d595
This change ensures commands run in the magnum containers are done as the
'magnum' user rather than root.
Change-Id: I18e2febae98aae6d6fc6c61cc2817442f408cb75
Partially-Implements: blueprint drop-root
The drop root change for Glance highlighted the fact that we were
binding volumes from glance_data into the wrong container - it was
glance_registry whereas it should be glance_api. This would result in
all images being lost if the glance_api container happens to restart.
Also, we need a sudoers file to chown the file backend dir to the glance
user.
Change-Id: If04337045bb94b3126e48d1f5bf0ea29e20373ae
Closes-Bug: #1516729
Due the to way network namespaces work, they will not survive a
container restart. This is not an issue related to Kolla or Neutron
but rather an issue with how network namespaces work.
This is putting back into place a workaround that was in correctly
removed in the past. We simply cleanup the namespace cruft when the
neutron-agents container restarts thus avoiding this issue.
Change-Id: Ic16f2f766b4fa46347ea14a1ece5a4653c69d779
Closes-Bug: #1511216
This patch add the USER directive to the memcached container.
It also removes the -u from the command line to launch
memcached, since it will already be run as that use.
Change-Id: I87d782a424df99fe1b5694debafa3c0c4a9aba27
Partially-Implements: blueprint drop-root
In kolla-mesos, ZK will be used for storing information about
actions done in bootstrap.
Change-Id: Id7067a493b457cf7b73eb007852df7b13f4363b3
Partially-Implements: blueprint zookeeper
This reverts commit f9ccb1c8829cef551b875c7c387530e7980414a7.
There are many issues with this patch that prevents it from working
under numerous circumstances. The implementation is entirely busted
on Ubuntu. Additionally, best practice for apache is to run as root.
Apache itself does the privlege dropping.
Change-Id: I4395debb7d32223fb3752a6d3e7c4d7672d29916
Drop root privileges for rabbitmq. Only the rabbitmq user
will be able to execute chown of /var/lib/rabbitmq.
Change-Id: I546e6b475a8462bfbc75972854e1fee64f96d9cb
Partially-Implements: blueprint drop-root
The USER operation affects all docker commands after it. This causes a
problem with our {{ include_footer }} implementation since commands in
that footer may require elevated permissions to perform.
In the current implementation I can no longer remove my proxy settings
once the USER has been changed.
Change-Id: I9b2bab5a15f595f6d52a46c64ddf59ba5608b938
Partially-Implements: blueprint drop-root
Drop root privileges for mariadb. This isn't perfect. If somemone
breaks out of the container and can run sudo within the contianer,
it would be possible to replace the root credentials of the database.
Any container that uses sudo suffers from some extra attack vector
related to the sudo command. That said, the sudo commands are
locked down to minimize harm.
Change-Id: I4b3573725d940bb8aa90d43a6235d8cf7d30fc64
Partially-Implements: blueprint drop-root
Atleast in a script, sudo can be made to only allow the script to
run from the mysql process in the future, versus all the proceesses
being able to be executed as root presently.
Change-Id: I030b57086e37e4dc8f668f98c04335d94ab9d2b0
Partially-Implements: blueprint drop-root
Drop root privileges for Horizon service. It is necesssary to set
a capability on the filesystem to allow binding to port 80 as a
non-root user. I have tested this works correctly from a registry
on both CentOS and Ubuntu.
Change-Id: I4c26f28bb28b6633784e6842f3423a2425332c27
Partially-Implements: blueprint drop-root
the openstack-heat-common package installs the Heat UID/GID.
This is necessary pre-work for drop-root for heat services.
Change-Id: I247b0209248de144d20f5245973833be5cd8f14f
Partially-Implements: blueprint drop-root
This change ensures commands run in the kolla-ansible container are done
as the 'ansible' user rather than root.
By default Ansible tries to write it's temporary files to $HOME/.ansible
on the target, which in most cases won't exist when run as the new user.
Hence we now supply the kolla-ansible container with an ansible.cfg, to
tweak the remote_dir option to /tmp.
Change-Id: I838a8c8cd0c7dc1aeca4d12e38c346f252170e7c
Partially-Implements: blueprint drop-root
(apply same fix that we did for keystone, to horizon)
In some cases we're seeing httpd not cleaning up properly after itself,
which results in the horizon container failing to restart. This is
confirmed to happen on rpm based distros, but have not had any reports
on Ubuntu.
Change-Id: I8ece6da1a8a1180730d68be0d129a656ddcede07
Closes-Bug: #1515214
backport: liberty
This uses the grouping feature of sudo to limit the amount of times
the base sudo file has to be modified to only once. The container
contents always runs as the user root, except the software which is
controlled by Kolla. This software may run as root, but it has
undergone a security audit and preserves permissions of the correct
files and does not permit the glance user to write any of the
set_config.py control files.
Change-Id: Ie3cd23edcde5b408a8f66970456279a1b15028e0
Partially-Implements: blueprint drop-root
The reason we are doing drop root is so that a network exposed
software component (i.e. glance) cannot be used to affect the
immutability of the container which it runs in. I have tried
several different approaches and this is the only approach which
puts glance in PID=1 while ensuring no files may be written by
the glance process in the container image except for the log files.
Change-Id: Ifd3c8c361b78d0e4791dade3afa6435290407c41
Partially-Implements: blueprint drop-root
RDO does not yet provide a CI tested Mitaka repository.
As such, the current-passed-ci repository is the last tested
repository before the stable/liberty branch was cut.
To be able to test against the latest packages, we need to
use the untested repositories until the CI tested repository
is in place.
TrivialFix
Change-Id: I4a125eb3c84fa790746a9a8eca19e4fb2d9ecf38
This was conflicting with Percona-Server-devel-55 and broke centos
source build for openstack-base image.
Backport: Liberty
Change-Id: Ia2bb2106038e8e2eadb6668f4ae1ad1d95710c09
Closes-Bug: #1513711
