openstack/kolla-ansible
Code Issues Proposed changes

Merge "Drop root privileges for mariadb"

Browse Source
This commit is contained in:
Jenkins 2015-11-12 13:13:50 +00:00 committed by Gerrit Code Review
commit 55e4b54e23
4 changed files with 15 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docker/base/sudoers
View File

@ -14,3 +14,5 @@ root ALL=(ALL) ALL
# anyone in the kolla group may run /usr/local/bin/kolla_set_configs as the # anyone in the kolla group may run /usr/local/bin/kolla_set_configs as the
# root user via sudo without password confirmation # root user via sudo without password confirmation
%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_set_configs %kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_set_configs
#includedir /etc/sudoers.d

9
docker/mariadb/Dockerfile.j2
View File

@ -28,9 +28,16 @@ RUN apt-get install -y --no-install-recommends \
{% endif %} {% endif %}
COPY mariadb_sudoers /etc/sudoers.d/mariadb_sudoers
COPY extend_start.sh /usr/local/bin/kolla_extend_start COPY extend_start.sh /usr/local/bin/kolla_extend_start
COPY security_reset.expect /usr/local/bin/kolla_security_reset COPY security_reset.expect /usr/local/bin/kolla_security_reset
RUN chmod 755 /usr/local/bin/kolla_extend_start \ RUN chmod 755 /usr/local/bin/kolla_extend_start \
&& chmod 755 /usr/local/bin/kolla_security_reset && chmod 755 /usr/local/bin/kolla_security_reset \
&& chmod 750 /etc/sudoers.d \
&& chmod 440 /etc/sudoers.d/mariadb_sudoers \
&& usermod -a -G kolla mysql
USER mysql
{{ include_footer }} {{ include_footer }}

8
docker/mariadb/extend_start.sh
View File

@ -5,19 +5,19 @@ function bootstrap_db {
# Waiting for deamon # Waiting for deamon
sleep 10 sleep 10
kolla_security_reset sudo -E kolla_security_reset
mysql -u root --password="${DB_ROOT_PASSWORD}" -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY '${DB_ROOT_PASSWORD}' WITH GRANT OPTION;" mysql -u root --password="${DB_ROOT_PASSWORD}" -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY '${DB_ROOT_PASSWORD}' WITH GRANT OPTION;"
mysql -u root --password="${DB_ROOT_PASSWORD}" -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '${DB_ROOT_PASSWORD}' WITH GRANT OPTION;" mysql -u root --password="${DB_ROOT_PASSWORD}" -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '${DB_ROOT_PASSWORD}' WITH GRANT OPTION;"
mysqladmin -p"${DB_ROOT_PASSWORD}" shutdown mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" shutdown
} }
chown mysql: /var/lib/mysql sudo chown mysql: /var/lib/mysql
# This catches all cases of the BOOTSTRAP variable being set, including empty # This catches all cases of the BOOTSTRAP variable being set, including empty
if [[ "${!KOLLA_BOOTSTRAP[@]}" ]] && [[ ! -e /var/lib/mysql/cluster.exists ]]; then if [[ "${!KOLLA_BOOTSTRAP[@]}" ]] && [[ ! -e /var/lib/mysql/cluster.exists ]]; then
ARGS="--wsrep-new-cluster" ARGS="--wsrep-new-cluster"
touch /var/lib/mysql/cluster.exists touch /var/lib/mysql/cluster.exists
mysql_install_db --user=mysql mysql_install_db
bootstrap_db bootstrap_db
fi fi

1
docker/mariadb/mariadb_sudoers Normal file
View File

@ -0,0 +1 @@
%kolla ALL=(root) NOPASSWD: /bin/chown mysql\: /var/lib/mysql, /usr/bin/chown mysql\: /var/lib/mysql, /usr/local/bin/kolla_security_reset