6cf5928ff1
The reason we are doing drop root is so that a network-exposed software component (i.e. glance) cannot be used to affect the immutability of the container which it runs in.

I have tried several different approaches and this is the only approach which puts glance in PID=1 while ensuring no files may be written by the glance process in the container image except for the log files.

Change-Id: Ifd3c8c361b78d0e4791dade3afa6435290407c41
Partially-Implements: blueprint drop-root

| File |
|---|
| ceph.yum.repo |
| Dockerfile.j2 |
| mariadb.yum.repo |
| set_configs.py |
| sources.list |
| start.sh |
| sudoers |