From 75a115ea29a252bbb8a68e2f1913a52c59cee839 Mon Sep 17 00:00:00 2001
From: "Ritchie, Frank (fr801x)"
Date: Wed, 20 Jan 2021 15:43:41 -0500
Subject: [PATCH] Run mon container as ceph user

This PS is to address security best practices concerning running containers as a non-privileged user and disallowing privilege escalation.

Change-Id: If4c0e9fe446091ba75d1a9818ffd3a0933285af4
---
 ceph-mon/Chart.yaml | 2 +-
 ceph-mon/templates/bin/mon/_start.sh.tpl | 2 +-
 ceph-mon/values.yaml | 3 ++-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/ceph-mon/Chart.yaml b/ceph-mon/Chart.yaml
index df38e13c3..93822be51 100644
--- a/ceph-mon/Chart.yaml
+++ b/ceph-mon/Chart.yaml
@@ -15,6 +15,6 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Ceph Mon
 name: ceph-mon
-version: 0.1.2
+version: 0.1.3
 home: https://github.com/ceph/ceph
 ...
diff --git a/ceph-mon/templates/bin/mon/_start.sh.tpl b/ceph-mon/templates/bin/mon/_start.sh.tpl
index 7414abb19..b045a39e7 100644
--- a/ceph-mon/templates/bin/mon/_start.sh.tpl
+++ b/ceph-mon/templates/bin/mon/_start.sh.tpl
@@ -42,7 +42,7 @@ MON_DATA_DIR="/var/lib/ceph/mon/${CLUSTER}-${MON_NAME}"
 MONMAP="/etc/ceph/monmap-${CLUSTER}"
 
 # Make the monitor directory
-su -s /bin/sh -c "mkdir -p \"${MON_DATA_DIR}\"" ceph
+/bin/sh -c "mkdir -p \"${MON_DATA_DIR}\""
 
 function get_mon_config {
   # Get fsid from ceph.conf
diff --git a/ceph-mon/values.yaml b/ceph-mon/values.yaml
index ab44a23b6..b1e23f55e 100644
--- a/ceph-mon/values.yaml
+++ b/ceph-mon/values.yaml
@@ -56,8 +56,9 @@ pod:
           runAsUser: 0
           readOnlyRootFilesystem: true
         ceph_mon:
-          runAsUser: 0
+          runAsUser: 64045
           readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
     moncheck:
       pod:
         runAsUser: 65534
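Review bot: The added line `/bin/sh -c "mkdir -p \"${MON_DATA_DIR}\""` keeps a subshell-and-escaped-quotes wrapper that only made sense as the command argument to `su`; now that the script itself runs as the target user, the direct call `mkdir -p "${MON_DATA_DIR}"` does the same thing with one fewer process and one fewer quoting layer. With the `su ... ceph` drop removed, the directory creation succeeds only if the UID the container runs as (the values.yaml hunk in this same commit sets `runAsUser: 64045`) can write to the mounted parent of `MON_DATA_DIR`, a relationship that is not visible here and deserves a comment above the line such as `# No privilege drop here: the container already runs as the ceph UID from pod.security_context; the mon volume must be writable by that UID`. If any other `su -s /bin/sh -c ... ceph` invocation remains elsewhere in this script it would now fail, since `su` from a non-root process requires authentication, but the rest of the script is outside this hunk and I cannot confirm that. `get_mon_config` starts inside this hunk and continues past it.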
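Review bot: `runAsUser: 64045` on the added line is an unexplained magic number that differs from both the `0` it replaces and the `65534` used for the pod-level entries visible in the context; a comment on that line, e.g. `# UID of the ceph user inside the ceph image (confirm against the image in use)`, would keep a later maintainer from reverting it or from changing the image without re-checking the UID. The context lines show the container block immediately above `ceph_mon` still carrying `runAsUser: 0` and no `allowPrivilegeEscalation: false`, so the hardening described in the commit message reaches only one of the containers in this security_context; whether that other block is an init container that genuinely needs root is not visible in the hunk. If the chart's security-context snippet passes these keys through unchanged, adding `runAsNonRoot: true` next to the new UID would make the kubelet enforce the non-root intent rather than relying on the number alone.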