f306e9ca88
Consider this a security hardening, as it would be possible to write to host-owned private tmp files, e.g. of systemd-logind, when you are able to hijack the apache2 process inside the horizon container, which runs as root. See the bug report for a demonstration of this.

I checked the horizon code, it only facilitates python tempfiles module for temp file usage. I also checked the horizon container we build via `kolla-build -b ubuntu horizon`, which has a /tmp/ directory. So no mountpoint should be needed.

Closes-Bug: #2068126
Signed-off-by: Sven Kieske <kieske@osism.tech>
Change-Id: I7ae1db8d42c83b773047bb01e846d4abee02710a
7 lines
293 B
YAML
---
fixes:
  - |
    Removes the default `/tmp/` mountpoint from the horizon container. This
    change is made to harden the container and prevent potential security
    issues. For more information, see the Bug Report: `LP#2068126 <https://bugs.launchpad.net/kolla-ansible/+bug/2068126>`__.