Merge "Drop root for swift"
commit
765e40de02
@ -18,3 +18,5 @@ RUN apt-get install -y --no-install-recommends \
|
|||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{{ include_footer }}
|
{{ include_footer }}
|
||||||
|
|
||||||
|
USER swift
|
||||||
|
@ -40,5 +40,19 @@ RUN ln -s swift-base-source/* swift \
|
|||||||
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
RUN pip install oslo.rootwrap
|
||||||
|
|
||||||
|
COPY swift-rootwrap /var/lib/kolla/venv/bin/swift-rootwrap
|
||||||
|
COPY rootwrap.conf /etc/swift/rootwrap.conf
|
||||||
|
RUN chmod 755 /var/lib/kolla/venv/bin/swift-rootwrap \
|
||||||
|
&& chmod 644 /etc/swift/rootwrap.conf \
|
||||||
|
&& sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/swift/rootwrap.conf
|
||||||
|
|
||||||
|
COPY swift_sudoers /etc/sudoers.d/swift_sudoers
|
||||||
|
RUN chmod 750 /etc/sudoers.d \
|
||||||
|
&& chmod 440 /etc/sudoers.d/swift_sudoers
|
||||||
|
|
||||||
COPY build-swift-ring.py /usr/local/bin/kolla_build_swift_ring
|
COPY build-swift-ring.py /usr/local/bin/kolla_build_swift_ring
|
||||||
RUN mkdir -p /opt/swift
|
RUN mkdir -p /opt/swift
|
||||||
|
|
||||||
|
RUN usermod -a -G kolla swift
|
||||||
|
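Review bot: The `sed` in the second hunk widens `exec_dirs` to include `/var/lib/kolla/venv/bin`, `/usr/local/bin` and `/usr/local/sbin`, but nothing visible here ensures those directories are writable only by root, which rootwrap.conf itself states as a requirement. Because `swift` is allowed to run swift-rootwrap as root through sudo and is also added to the `kolla` group by `usermod -a -G kolla swift`, a group- or user-writable directory in that list would undermine the filter-based restriction. I would set the final `exec_dirs` value directly in rootwrap.conf instead of rewriting it at build time, and add a build step that fails if any listed directory is not root-owned or is group- or world-writable. `RUN pip install oslo.rootwrap` is also unpinned, so the code that runs as root can change between builds; pinning it to the version the rest of the image is built against would make that reproducible.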
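--- a/docker/swift/swift-base/rootwrap.conf
+++ b/docker/swift/swift-base/rootwrap.conf
@@ -0,0 +1,34 @@
+# Configuration for swift-rootwrap
+# This file should be owned by (and only-writeable by) the root user
+
+[DEFAULT]
+# List of directories to load filter definitions from (separated by ',').
+# These directories MUST all be only writeable by root !
+filters_path=/etc/swift/rootwrap.d,/usr/share/swift/rootwrap
+
+# List of directories to search executables in, in case filters do not
+# explicitely specify a full path (separated by ',')
+# If not specified, defaults to system PATH environment variable.
+# These directories MUST all be only writeable by root !
+exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
+
+# Enable logging to syslog
+# Default value is False
+use_syslog=False
+
+# Which syslog facility to use.
+# Valid values include auth, authpriv, syslog, local0, local1...
+# Default value is 'syslog'
+syslog_log_facility=syslog
+
+# Which messages to log.
+# INFO means log all usage
+# ERROR means only log unsuccessful attempts
+syslog_log_level=ERROR
+
+[xenapi]
+# XenAPI configuration is only required by the L2 agent if it is to
+# target a XenServer/XCP compute host's dom0.
+xenapi_connection_url=<None>
+xenapi_connection_username=root
+xenapi_connection_password=<None>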
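Review bot: The `[xenapi]` block at the end of the file, including `xenapi_connection_username=root`, appears to be carried over from another project's rootwrap.conf (its comment refers to the L2 agent) and has no meaning for swift; it should be dropped so the file that governs root execution holds only settings that apply here. `use_syslog=False` means rootwrap invocations are not sent to syslog at all; if the container has a log sink, `use_syslog=True` with `syslog_log_level=INFO` would give an audit trail of what was run as root. The `exec_dirs` value committed here is overwritten by the Dockerfile `sed`, so the file does not show the effective setting. Minor: `explicitely` should read `explicitly`.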
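--- a/docker/swift/swift-base/swift-rootwrap
+++ b/docker/swift/swift-base/swift-rootwrap
@@ -0,0 +1,10 @@
+#!/usr/bin/python2
+# PBR Generated from u'console_scripts'
+
+import sys
+
+from oslo_rootwrap.cmd import main
+
+
+if __name__ == "__main__":
+sys.exit(main())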
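Review bot: The shebang `#!/usr/bin/python2` names the system interpreter although the script is installed into `/var/lib/kolla/venv/bin`; if `pip install oslo.rootwrap` lands in the virtualenv for source builds, `from oslo_rootwrap.cmd import main` would either fail under the system Python or resolve to a different copy of the library than the one intended. Since this script runs as root through sudo, the interpreter and module search path should be unambiguous, for example by using the virtualenv's interpreter in the shebang or by generating the entry point at build time instead of committing a hand-copied one. This is inferred from the paths in the commit; the base image's Python layout is not visible on this page.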
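--- a/docker/swift/swift-base/swift_sudoers
+++ b/docker/swift/swift-base/swift_sudoers
@@ -0,0 +1 @@
+swift ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/swift-rootwrap /etc/swift/rootwrap.conf *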
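Review bot: The trailing `*` lets `swift` hand any command line to swift-rootwrap as root without a password, so the only effective control is the filter set under `filters_path` (`/etc/swift/rootwrap.d`, `/usr/share/swift/rootwrap`), and no filter file under those paths is visible in this commit. The filter definitions belong in the same change, root-owned and not writable by group or others, so the privilege actually granted can be reviewed in one place. I would also validate the file at build time, e.g. `RUN visudo -cf /etc/sudoers.d/swift_sudoers`, so a syntax error cannot leave sudo unusable in the image.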
@ -18,3 +18,5 @@ RUN apt-get install -y --no-install-recommends \
|
|||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{{ include_footer }}
|
{{ include_footer }}
|
||||||
|
|
||||||
|
USER swift
|
||||||
|
@ -18,3 +18,5 @@ RUN apt-get install -y --no-install-recommends \
|
|||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{{ include_footer }}
|
{{ include_footer }}
|
||||||
|
|
||||||
|
USER swift
|
||||||
|
@ -18,3 +18,5 @@ RUN apt-get install -y --no-install-recommends \
|
|||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{{ include_footer }}
|
{{ include_footer }}
|
||||||
|
|
||||||
|
USER swift
|
||||||
|
@ -15,7 +15,10 @@ RUN apt-get install -y --no-install-recommends \
|
|||||||
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
RUN setcap 'cap_net_bind_service=+ep' /usr/bin/rsync
|
||||||
COPY extend_start.sh /usr/local/bin/kolla_extend_start
|
COPY extend_start.sh /usr/local/bin/kolla_extend_start
|
||||||
RUN chmod 755 /usr/local/bin/kolla_extend_start
|
RUN chmod 755 /usr/local/bin/kolla_extend_start
|
||||||
|
|
||||||
{{ include_footer }}
|
{{ include_footer }}
|
||||||
|
|
||||||
|
USER swift
|
||||||
|
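Review bot: `RUN setcap 'cap_net_bind_service=+ep' /usr/bin/rsync` attaches the capability to the binary itself, so every user in the image who can execute rsync gains it, not only the rsync daemon. It also relies on `setcap` being installed and on the image storage preserving extended attributes, neither of which is visible in this hunk. If the only purpose is to let rsyncd listen on a privileged port while running as `swift`, configuring the daemon to use an unprivileged port would avoid the file capability altogether. At minimum, add a comment above the line such as `# rsyncd runs as the swift user and needs to bind a port below 1024`.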