Drop root privileges for mariadb
Drop root privileges for mariadb. This isn't perfect. If someone breaks out of the container and can run sudo within the container, it would be possible to replace the root credentials of the database. Any container that uses sudo suffers from some extra attack vector related to the sudo command. That said, the sudo commands are locked down to minimize harm. Change-Id: I4b3573725d940bb8aa90d43a6235d8cf7d30fc64 Partially-Implements: blueprint drop-root
parent
09e9b1be33
commit
4c9e15b94e
@ -14,3 +14,5 @@ root ALL=(ALL) ALL
|
|||||||
# anyone in the kolla group may run /usr/local/bin/kolla_set_configs as the
|
# anyone in the kolla group may run /usr/local/bin/kolla_set_configs as the
|
||||||
# root user via sudo without password confirmation
|
# root user via sudo without password confirmation
|
||||||
%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_set_configs
|
%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_set_configs
|
||||||
|
|
||||||
|
#includedir /etc/sudoers.d
|
||||||
|
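Review bot: The added `#includedir /etc/sudoers.d` line reads like a commented-out setting but is a live sudoers directive, and nothing in the file says so. If this is the shared base sudoers file, as the kolla_set_configs rule suggests, every file placed in that directory now becomes sudo policy in each image built on it. A comment above the line would make that explicit, for example `# '#includedir' is a directive, not a comment: all files in /etc/sudoers.d are loaded as policy`. Running `visudo -c` during the image build would also make a malformed drop-in fail the build instead of breaking sudo at container start.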
@ -28,9 +28,16 @@ RUN apt-get install -y --no-install-recommends \
|
|||||||
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
COPY mariadb_sudoers /etc/sudoers.d/mariadb_sudoers
|
||||||
COPY extend_start.sh /usr/local/bin/kolla_extend_start
|
COPY extend_start.sh /usr/local/bin/kolla_extend_start
|
||||||
COPY security_reset.expect /usr/local/bin/kolla_security_reset
|
COPY security_reset.expect /usr/local/bin/kolla_security_reset
|
||||||
RUN chmod 755 /usr/local/bin/kolla_extend_start \
|
RUN chmod 755 /usr/local/bin/kolla_extend_start \
|
||||||
&& chmod 755 /usr/local/bin/kolla_security_reset
|
&& chmod 755 /usr/local/bin/kolla_security_reset \
|
||||||
|
&& chmod 750 /etc/sudoers.d \
|
||||||
|
&& chmod 440 /etc/sudoers.d/mariadb_sudoers \
|
||||||
|
&& usermod -a -G kolla mysql
|
||||||
|
|
||||||
|
|
||||||
|
USER mysql
|
||||||
|
|
||||||
{{ include_footer }}
|
{{ include_footer }}
|
||||||
|
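Review bot: `usermod -a -G kolla mysql` gives the mysql account more than the commands listed in mariadb_sudoers, because the existing `%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_set_configs` rule now applies to it as well. What kolla_set_configs does with its input is not visible on this page, so whether it is an acceptable root-run helper for the database user should be confirmed. The result is worth recording next to the line, for example `# mysql joins kolla only for sudo; this also grants kolla_set_configs as root`.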
@ -5,19 +5,19 @@ function bootstrap_db {
|
|||||||
|
|
||||||
# Waiting for deamon
|
# Waiting for deamon
|
||||||
sleep 10
|
sleep 10
|
||||||
kolla_security_reset
|
sudo -E kolla_security_reset
|
||||||
|
|
||||||
mysql -u root --password="${DB_ROOT_PASSWORD}" -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY '${DB_ROOT_PASSWORD}' WITH GRANT OPTION;"
|
mysql -u root --password="${DB_ROOT_PASSWORD}" -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY '${DB_ROOT_PASSWORD}' WITH GRANT OPTION;"
|
||||||
mysql -u root --password="${DB_ROOT_PASSWORD}" -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '${DB_ROOT_PASSWORD}' WITH GRANT OPTION;"
|
mysql -u root --password="${DB_ROOT_PASSWORD}" -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '${DB_ROOT_PASSWORD}' WITH GRANT OPTION;"
|
||||||
mysqladmin -p"${DB_ROOT_PASSWORD}" shutdown
|
mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" shutdown
|
||||||
}
|
}
|
||||||
|
|
||||||
chown mysql: /var/lib/mysql
|
sudo chown mysql: /var/lib/mysql
|
||||||
|
|
||||||
# This catches all cases of the BOOTSTRAP variable being set, including empty
|
# This catches all cases of the BOOTSTRAP variable being set, including empty
|
||||||
if [[ "${!KOLLA_BOOTSTRAP[@]}" ]] && [[ ! -e /var/lib/mysql/cluster.exists ]]; then
|
if [[ "${!KOLLA_BOOTSTRAP[@]}" ]] && [[ ! -e /var/lib/mysql/cluster.exists ]]; then
|
||||||
ARGS="--wsrep-new-cluster"
|
ARGS="--wsrep-new-cluster"
|
||||||
touch /var/lib/mysql/cluster.exists
|
touch /var/lib/mysql/cluster.exists
|
||||||
mysql_install_db --user=mysql
|
mysql_install_db
|
||||||
bootstrap_db
|
bootstrap_db
|
||||||
fi
|
fi
|
||||||
|
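Review bot: `sudo -E kolla_security_reset` asks sudo to carry the caller's whole environment into a root process, while the rule added in mariadb_sudoers has no `SETENV` tag. Unless the base sudoers enables `setenv` (only a few of its lines are visible here), sudo normally refuses `-E`; if it is enabled, far more than the database password crosses the privilege boundary. Keeping only the needed variable is narrower: add `Defaults env_keep += "DB_ROOT_PASSWORD"` to the drop-in and call `sudo kolla_security_reset`, assuming that variable is what the expect script reads. bootstrap_db begins above this hunk, so its earlier lines were not reviewed.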
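--- a/docker/mariadb/mariadb_sudoers
+++ b/docker/mariadb/mariadb_sudoers
@@ -0,0 +1 @@
+%kolla ALL=(root) NOPASSWD: /bin/chown mysql\: /var/lib/mysql, /usr/bin/chown mysql\: /var/lib/mysql, /usr/local/bin/kolla_security_reset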
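Review bot: The rule is granted to `%kolla`, so any account in that group gets root chown and root kolla_security_reset, although only mysql appears to need them in this image; `mysql ALL=(root) NOPASSWD: ...` would scope it to the one user. `/usr/local/bin/kolla_security_reset` is also listed without an argument list, which in sudoers permits any arguments; if the script takes none, write `/usr/local/bin/kolla_security_reset ""`. A short comment above the rule saying why each command needs root (data-directory ownership, initial credential reset) would make later audits of the drop-in easier.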