Merge "Drop root privileges for rabbitmq"

ansible/roles/rabbitmq/templates/rabbitmq.json.j2

@@ -1,5 +1,5 @@
 {
-    "command": "sudo -H -u rabbitmq /usr/sbin/rabbitmq-server",
+    "command": "/usr/sbin/rabbitmq-server",
     "config_files": [
         {
             "source": "{{ container_config_directory }}/rabbitmq-env.conf",

docker/rabbitmq/Dockerfile.j2

@@ -28,6 +28,12 @@ RUN /usr/lib/rabbitmq/bin/rabbitmq-plugins enable --offline \
     && /bin/true
 
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN chmod 755 /usr/local/bin/kolla_extend_start
+COPY rabbitmq_sudoers /etc/sudoers.d/rabbitmq_sudoers
+RUN chmod 755 /usr/local/bin/kolla_extend_start \
+    && chmod 750 /etc/sudoers.d \
+    && chmod 440 /etc/sudoers.d/rabbitmq_sudoers \
+    && usermod -a -G kolla rabbitmq
 
 {{ include_footer }}
+
+USER rabbitmq

docker/rabbitmq/extend_start.sh

@@ -3,8 +3,8 @@
 # Bootstrap and exit if KOLLA_BOOTSTRAP variable is set. This catches all cases
 # of the KOLLA_BOOTSTRAP variable being set, including empty.
 if [[ "${!KOLLA_BOOTSTRAP[@]}" ]]; then
+    sudo chown -R rabbitmq: /var/lib/rabbitmq
     echo "${RABBITMQ_CLUSTER_COOKIE}" > /var/lib/rabbitmq/.erlang.cookie
-    chown -R rabbitmq: /var/lib/rabbitmq
     chmod 400 /var/lib/rabbitmq/.erlang.cookie
     exit 0
 fi

docker/rabbitmq/rabbitmq_sudoers

@@ -0,0 +1 @@
+%kolla ALL=(root) NOPASSWD: /usr/bin/chown -R rabbitmq\: /var/lib/rabbitmq, /bin/chown -R rabbitmq\: /var/lib/rabbitmq