Drop root privileges for rabbitmq
Drop root privileges for rabbitmq. Only the rabbitmq user will be able to execute chown of /var/lib/rabbitmq. Change-Id: I546e6b475a8462bfbc75972854e1fee64f96d9cb Partially-Implements: blueprint drop-root
This commit is contained in:
parent
55e4b54e23
commit
22def41d37
@ -1,5 +1,5 @@
|
|||||||
{
|
{
|
||||||
"command": "sudo -H -u rabbitmq /usr/sbin/rabbitmq-server",
|
"command": "/usr/sbin/rabbitmq-server",
|
||||||
"config_files": [
|
"config_files": [
|
||||||
{
|
{
|
||||||
"source": "{{ container_config_directory }}/rabbitmq-env.conf",
|
"source": "{{ container_config_directory }}/rabbitmq-env.conf",
|
||||||
|
@ -28,6 +28,12 @@ RUN /usr/lib/rabbitmq/bin/rabbitmq-plugins enable --offline \
|
|||||||
&& /bin/true
|
&& /bin/true
|
||||||
|
|
||||||
COPY extend_start.sh /usr/local/bin/kolla_extend_start
|
COPY extend_start.sh /usr/local/bin/kolla_extend_start
|
||||||
RUN chmod 755 /usr/local/bin/kolla_extend_start
|
COPY rabbitmq_sudoers /etc/sudoers.d/rabbitmq_sudoers
|
||||||
|
RUN chmod 755 /usr/local/bin/kolla_extend_start \
|
||||||
|
&& chmod 750 /etc/sudoers.d \
|
||||||
|
&& chmod 440 /etc/sudoers.d/rabbitmq_sudoers \
|
||||||
|
&& usermod -a -G kolla rabbitmq
|
||||||
|
|
||||||
{{ include_footer }}
|
{{ include_footer }}
|
||||||
|
|
||||||
|
USER rabbitmq
|
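Review bot: The RUN chain installs the sudoers fragment but never validates it, so a syntax error in rabbitmq_sudoers would only show up at bootstrap time, when sudo refuses to run with a malformed sudoers.d file. Assuming sudo (and with it visudo) is already in the base image, adding `&& visudo -cf /etc/sudoers.d/rabbitmq_sudoers \` after the `chmod 440` line turns that into a build failure instead. The `usermod -a -G kolla rabbitmq` line presumes the kolla group was created in a layer outside this hunk; if it was not, the chain fails here rather than at runtime, which is the right place. Note that because the grant is keyed on group membership, every account in kolla inherits the root chown rule, not only rabbitmq.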
@ -3,8 +3,8 @@
|
|||||||
# Bootstrap and exit if KOLLA_BOOTSTRAP variable is set. This catches all cases
|
# Bootstrap and exit if KOLLA_BOOTSTRAP variable is set. This catches all cases
|
||||||
# of the KOLLA_BOOTSTRAP variable being set, including empty.
|
# of the KOLLA_BOOTSTRAP variable being set, including empty.
|
||||||
if [[ "${!KOLLA_BOOTSTRAP[@]}" ]]; then
|
if [[ "${!KOLLA_BOOTSTRAP[@]}" ]]; then
|
||||||
|
sudo chown -R rabbitmq: /var/lib/rabbitmq
|
||||||
echo "${RABBITMQ_CLUSTER_COOKIE}" > /var/lib/rabbitmq/.erlang.cookie
|
echo "${RABBITMQ_CLUSTER_COOKIE}" > /var/lib/rabbitmq/.erlang.cookie
|
||||||
chown -R rabbitmq: /var/lib/rabbitmq
|
|
||||||
chmod 400 /var/lib/rabbitmq/.erlang.cookie
|
chmod 400 /var/lib/rabbitmq/.erlang.cookie
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
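Review bot: The new `sudo chown -R rabbitmq: /var/lib/rabbitmq` has no status check, so if the sudoers rule is absent or sudo cannot run, the next line still tries to write the cluster cookie into a directory rabbitmq may not own and the bootstrap can `exit 0` with a missing or unreadable cookie. Whether `set -e` is in force is not visible in the hunk (the script's first lines are outside it), so make the dependency explicit: `sudo chown -R rabbitmq: /var/lib/rabbitmq || exit 1`. Separately, and pre-existing, the cookie is created by the `echo` redirect under the default umask before the `chmod 400` two lines later; an `umask 077` at the top of the `if` body closes that brief world-readable window. The enclosing `if` block is fully inside the hunk.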
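--- /dev/null
+++ b/docker/rabbitmq/rabbitmq_sudoers
@@ -0,0 +1 @@
+%kolla ALL=(root) NOPASSWD: /usr/bin/chown -R rabbitmq\: /var/lib/rabbitmq, /bin/chown -R rabbitmq\: /var/lib/rabbitmq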
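Review bot: The rule is granted to `%kolla`, i.e. every member of the kolla group, whereas the commit description says only the rabbitmq user should be able to run this chown; if the narrower scope is the intent, key the rule on the user, `rabbitmq ALL=(root) NOPASSWD: /usr/bin/chown -R rabbitmq\: /var/lib/rabbitmq, /bin/chown -R rabbitmq\: /var/lib/rabbitmq`, which also makes the usermod in the Dockerfile unnecessary. Either way this is an unconditional NOPASSWD root grant for a recursive chown over a directory the unprivileged user can write to once bootstrap has run, so keep the command path and arguments as literal as they are here and do not loosen them to wildcards. The escaped `rabbitmq\:` is required because `:` is a separator in sudoers syntax and is correct as written. A comment line such as `# Lets the KOLLA_BOOTSTRAP step in kolla_extend_start take ownership of /var/lib/rabbitmq` at the top would tell the next reader why the grant exists.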