From 6cf5928ff1ee2f9d21662d74057f3a8331ddedfb Mon Sep 17 00:00:00 2001
From: Steven Dake
Date: Sun, 8 Nov 2015 16:34:32 -0500
Subject: [PATCH] Base image changes for drop-root

The reason we are doing drop root is so that a network exposed software component (i.e. glance) cannot be used to affect the immutability of the container which it runs in. I have tried several different approaches and this is the only approach which puts glance in PID=1 while ensuring no files may be written by the glance process in the container image except for the log files.

Change-Id: Ifd3c8c361b78d0e4791dade3afa6435290407c41
Partially-Implements: blueprint drop-root
---
 docker/base/Dockerfile.j2 | 5 ++++-
 docker/base/start.sh | 6 ++++--
 docker/base/sudoers | 16 ++++++++++++++++
 3 files changed, 24 insertions(+), 3 deletions(-)
 create mode 100644 docker/base/sudoers

diff --git a/docker/base/Dockerfile.j2 b/docker/base/Dockerfile.j2
index 76e74bbd9c..52ff28edb0 100644
--- a/docker/base/Dockerfile.j2
+++ b/docker/base/Dockerfile.j2
@@ -167,7 +167,10 @@ RUN apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com 199369E5404BD
 COPY set_configs.py /usr/local/bin/kolla_set_configs
 COPY start.sh /usr/local/bin/kolla_start
+COPY sudoers /etc/sudoers
 RUN touch /usr/local/bin/kolla_extend_start \
- && chmod 755 /usr/local/bin/kolla_start /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_set_configs
+ && chmod 755 /usr/local/bin/kolla_start /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_set_configs \
+ && chmod 440 /etc/sudoers \
+ && groupadd kolla
 CMD ["kolla_start"]
diff --git a/docker/base/start.sh b/docker/base/start.sh
index bbe321a808..a39380f7ea 100644
--- a/docker/base/start.sh
+++ b/docker/base/start.sh
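Review bot: The file copied to `/etc/sudoers` is never syntax-checked during the build, so a malformed directive would only surface at container start, when sudo refuses every command and `kolla_start` aborts on its first `sudo` call; adding `&& visudo -cf /etc/sudoers \` after the `chmod 440` line (visudo ships with sudo) makes the image build fail instead. Copying over the whole `/etc/sudoers` rather than dropping a file into `/etc/sudoers.d/` also replaces whatever the base distribution shipped there, typically a `secure_path` default and the `#includedir /etc/sudoers.d` directive, so derived images that add their own drop-ins would silently not have them read; I cannot see the replaced file from this hunk. Nothing in the hunk installs the sudo package, so if it is not already in the package list earlier in this Dockerfile, the `sudo` invocation in start.sh will fail.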
@@ -1,8 +1,10 @@
 #!/bin/bash
 set -o errexit
-# Processing /opt/kolla/config_files/config.json
-python /usr/local/bin/kolla_set_configs
+# Processing /opt/kolla/config_files/config.json as root. This is necessary
+# to permit certain files to be controlled by the root user which should
+# not be writable by the dropped-privileged user, especially /run_command
+sudo -E kolla_set_configs
 CMD=$(cat /run_command)
 ARGS=""
diff --git a/docker/base/sudoers b/docker/base/sudoers
new file mode 100644
index 0000000000..0205b920f8
--- /dev/null
+++ b/docker/base/sudoers
@@ -0,0 +1,16 @@
+# The idea here is a container service adds their UID to the kolla group
+# via usermod -a -G kolla . Then the kolla_start may run
+# kolla_set_configs via sudo as the root user which is necessary to protect
+# the immutability of the container
+
+# anyone in the kolla group may sudo -E (set the environment)
+Defaults: %kolla setenv
+
+# root may run any commands via sudo as the network seervice user. This is
+# neededfor database migrations of existing services which have not been
+# converted to run as a non-root user, but instead do that via sudo -E glance
+root ALL=(ALL) ALL
+
+# anyone in the kolla group may run /usr/local/bin/kolla_set_configs as the
+# root user via sudo without password confirmation
+%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_set_configs
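Review bot: `sudo -E kolla_set_configs` names the command by its bare name, so sudo has to resolve it through the caller's PATH before it can be matched against the `/usr/local/bin/kolla_set_configs` rule in sudoers; invoking the absolute path, `sudo -E /usr/local/bin/kolla_set_configs`, removes the dependence on PATH and on any `secure_path` default and guarantees the rule matches. The new comment explains why root is needed but not what `-E` is for; since it forwards the caller's entire environment into the root process, naming the variables kolla_set_configs actually reads (presumably its KOLLA_* settings, which I cannot confirm from here) would let the sudoers grant be narrowed later. The rest of start.sh continues past the end of the hunk.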
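Review bot: `Defaults: %kolla setenv` grants every member of the kolla group the right to pass `-E` to any command they may run, whereas the only rule they hold is the single `kolla_set_configs` entry; attaching the permission to that rule, `%kolla ALL=(root) NOPASSWD:SETENV: /usr/local/bin/kolla_set_configs`, and deleting the `Defaults:` line keeps the grant coupled to the command (root's `ALL` rule already implies SETENV, so the migration use case in the comment is unaffected). If `kolla_set_configs` takes no arguments, appending `""` to the command in that rule also rejects any arguments a caller might supply. The comments have typos, `seervice` and `neededfor`, and the `usermod -a -G kolla .` line appears to have lost the user-name placeholder; a `#includedir /etc/sudoers.d` line is also absent, which matters if derived images are expected to add drop-ins.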