Drop root privileges for rabbitmq
Drop root privileges for rabbitmq. Only the rabbitmq user will be able to execute chown of /var/lib/rabbitmq. Change-Id: I546e6b475a8462bfbc75972854e1fee64f96d9cb Partially-Implements: blueprint drop-root
parent
55e4b54e23
commit
22def41d37
@ -1,5 +1,5 @@
|
||||
{
|
||||
"command": "sudo -H -u rabbitmq /usr/sbin/rabbitmq-server",
|
||||
"command": "/usr/sbin/rabbitmq-server",
|
||||
"config_files": [
|
||||
{
|
||||
"source": "{{ container_config_directory }}/rabbitmq-env.conf",
|
||||
|
@ -28,6 +28,12 @@ RUN /usr/lib/rabbitmq/bin/rabbitmq-plugins enable --offline \
|
||||
&& /bin/true
|
||||
|
||||
COPY extend_start.sh /usr/local/bin/kolla_extend_start
|
||||
RUN chmod 755 /usr/local/bin/kolla_extend_start
|
||||
COPY rabbitmq_sudoers /etc/sudoers.d/rabbitmq_sudoers
|
||||
RUN chmod 755 /usr/local/bin/kolla_extend_start \
|
||||
&& chmod 750 /etc/sudoers.d \
|
||||
&& chmod 440 /etc/sudoers.d/rabbitmq_sudoers \
|
||||
&& usermod -a -G kolla rabbitmq
|
||||
|
||||
{{ include_footer }}
|
||||
|
||||
USER rabbitmq
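Review bot: The new `RUN` step installs `/etc/sudoers.d/rabbitmq_sudoers` and sets its mode, but nothing checks that the drop-in parses. A malformed sudoers file would only surface when the bootstrap step calls `sudo`. Adding `&& visudo -c -f /etc/sudoers.d/rabbitmq_sudoers \` before the `usermod` line would make the image build fail instead. Note also that `usermod -a -G kolla rabbitmq` is what makes the `%kolla` rule apply to this account, so the group's membership becomes part of the privilege boundary; a short comment above the `RUN` saying so would help the next maintainer.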
|
@ -3,8 +3,8 @@
|
||||
# Bootstrap and exit if KOLLA_BOOTSTRAP variable is set. This catches all cases
|
||||
# of the KOLLA_BOOTSTRAP variable being set, including empty.
|
||||
if [[ "${!KOLLA_BOOTSTRAP[@]}" ]]; then
|
||||
sudo chown -R rabbitmq: /var/lib/rabbitmq
|
||||
echo "${RABBITMQ_CLUSTER_COOKIE}" > /var/lib/rabbitmq/.erlang.cookie
|
||||
chown -R rabbitmq: /var/lib/rabbitmq
|
||||
chmod 400 /var/lib/rabbitmq/.erlang.cookie
|
||||
exit 0
|
||||
fi
|
||||
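Review bot: Now that the script runs as rabbitmq rather than root, the redirect in `echo "${RABBITMQ_CLUSTER_COOKIE}" > /var/lib/rabbitmq/.erlang.cookie` will be refused if a cookie from an earlier bootstrap already exists at mode 400; root used to bypass that permission check. The file is also created under whatever umask the container inherits and only narrowed by the later `chmod 400`. Putting `umask 077` and `rm -f /var/lib/rabbitmq/.erlang.cookie` before the echo would cover both cases. Whether a failed write aborts the script depends on shell options set outside this hunk; without them the `exit 0` reports a successful bootstrap with a stale or missing cookie. The `if` block is complete here, but the rest of the script is not shown.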
|
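--- a/docker/rabbitmq/rabbitmq_sudoers
+++ b/docker/rabbitmq/rabbitmq_sudoers
@@ -0,0 +1 @@
+%kolla ALL=(root) NOPASSWD: /usr/bin/chown -R rabbitmq\: /var/lib/rabbitmq, /bin/chown -R rabbitmq\: /var/lib/rabbitmq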
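Review bot: The rule is granted to the group `%kolla`, so any account in that group can run the root chown, which is wider than the commit message's "only the rabbitmq user". If no other account needs it, naming the user scopes it to what the message describes: `rabbitmq ALL=(root) NOPASSWD: /usr/bin/chown -R rabbitmq\: /var/lib/rabbitmq, /bin/chown -R rabbitmq\: /var/lib/rabbitmq`. Pinning the full argument list for both chown paths is the right shape for a NOPASSWD entry. A comment line above it, such as `# Bootstrap only: lets extend_start.sh fix ownership of the data volume`, would record why the rule exists.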