Drop root privileges to the container's application PID/GID

Registered by Steven Dake on 2015-11-06

Use the Dockerfile USER directive to set the UID of each container to the specific service account that should be running inside it, rather than leaving the service to run as root.

Example:
https://github.com/SamYaple/yaodu/blob/master/ansible/roles/docker_build/templates/ubuntu/glance/Dockerfile.j2#L20

Blueprint information

Status:
Complete
Approver:
Steven Dake
Priority:
Essential
Drafter:
Steven Dake
Direction:
Approved
Assignee:
Steven Dake
Definition:
Approved
Series goal:
Accepted for mitaka
Implementation:
Implemented
Milestone target:
mitaka-3
Started by
Steven Dake on 2015-11-06
Completed by
Steven Dake on 2016-03-05

Related branches

Sprints

Whiteboard

base is a dependency of all other containers. Please wait for base and glance to hit the repo before beginning work. Thanks! --sdake

The implementation should be thought about more here. With yaodu there was no chance of a compromised user executing arbitrary code on a container restart. That is not the case with the implementation that has started in Kolla. The current patches up for this would allow a compromised user to change the command executed on container restart. --SamYaple

I'm open to suggestions to solve this problem. ATM the container when run with USER runs the set_configs.py code as the user, not root. This file is responsible for writing the run_command. The only way I see to achieve what you want is to drop privileges inside run_command. --sdake
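The concern raised in the whiteboard above (a service user who could rewrite the command executed on the next restart) is the reason for dropping privileges inside the launcher rather than before it. An added illustration, not Kolla's own set_configs.py or run_command code: the launcher, still root, checks that the run_command file could not have been written by the service account, reads it, and only then switches to the service UID/GID before exec. The function names, the error messages and the single-file command layout are assumptions.

```python
import os
import stat


def stat_is_trusted(st, service_uid, service_gid):
    """True only if the service account could not have altered the file.

    The file must be a regular file (no symlink tricks), owned by root
    and not by the service user, and not writable by the service group
    or by everyone.
    """
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid != 0 or st.st_uid == service_uid:
        return False
    if st.st_mode & stat.S_IWOTH:
        return False
    if st.st_gid == service_gid and st.st_mode & stat.S_IWGRP:
        return False
    return True


def command_file_is_trusted(path, service_uid, service_gid):
    """Check the on-disk run_command file; lstat so a symlink is refused."""
    return stat_is_trusted(os.lstat(path), service_uid, service_gid)


def drop_privileges(uid, gid):
    """Permanently switch from root to the service account, in the right order."""
    os.setgroups([])  # shed supplementary groups inherited from root
    os.setgid(gid)    # gid first: after setuid this is no longer permitted
    os.setuid(uid)
    if os.getuid() != uid or os.geteuid() != uid or os.getgid() != gid:
        raise RuntimeError("privilege drop failed")


def launch(run_command_path, uid, gid):
    """Read the command as root, verify its provenance, then exec unprivileged."""
    if not command_file_is_trusted(run_command_path, uid, gid):
        raise PermissionError(f"{run_command_path} is writable by the service account")
    with open(run_command_path) as fh:
        argv = fh.read().split()
    drop_privileges(uid, gid)
    os.execvp(argv[0], argv)  # replaces this process; the service runs as uid/gid
```

A root-owned, mode 0644 run_command passes the check; one owned by the service user, group-writable by the service group, world-writable, or replaced by a symlink is refused before anything is executed.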

Looks like we found a proper solution to this problem. The services are ready to be securified now. I expect nova/neutron/horizon/keystone will be special snowflakes requiring additional work. --sdake

The horizon patch was a bit of a special snowflake and has an interesting example of how to obtain a root capability on a binary - if you don't mind the binary permanently having the capability. --sdake

I think we should postpone logging drop-root until the heka + elk solutions are sorted out. --steak

I unassigned work items that didn't complete prior to mitaka-2. Please feel free to reassign yourself if you plan to do that work in the next few weeks. --steak

Gerrit topic: https://review.openstack.org/#q,topic:bp/drop-root,n,z

Addressed by: https://review.openstack.org/242732
    Prepare base images for USER operation

Addressed by: https://review.openstack.org/242735
    Drop root privileges for glance services

Addressed by: https://review.openstack.org/242740
    Drop root privileges for heat services

Addressed by: https://review.openstack.org/242778
    Take two of root drop

Addressed by: https://review.openstack.org/242876
    Base image changes for drop-root

Addressed by: https://review.openstack.org/242877
    drop root for glance

Addressed by: https://review.openstack.org/243350
    Drop root for heat

Addressed by: https://review.openstack.org/243400
    Drop root for Horizon service

Addressed by: https://review.openstack.org/243479
    Move the mariadb expect code to a script

Addressed by: https://review.openstack.org/243480
    Drop root privileges for mariadb

Addressed by: https://review.openstack.org/243494
    Drop root for designate

Addressed by: https://review.openstack.org/243495
    install openstack-heat-common in heat-base

Addressed by: https://review.openstack.org/244255
    Drop root for kolla-ansible

Addressed by: https://review.openstack.org/244684
    Move USER operation after footer

Containers not needing update:
    Keystone - apache does its own drop root, and sudo as PID 1 is not desirable
    Keepalive - keepalived needs root privs and sudo as PID 1 is not desirable
    Horizon - apache does its own drop root, and sudo as PID 1 is not desirable

Addressed by: https://review.openstack.org/245733
    Drop root for rsyslog

Addressed by: https://review.openstack.org/245366
    [WIP] Drop root privileges for openvswitch

Addressed by: https://review.openstack.org/246437
    Add new gates for oraclelinux

Gerrit topic: https://review.openstack.org/#q,topic:bp/functional-testing-gate,n,z

Addressed by: https://review.openstack.org/246529
    Drop root for Magnum

Addressed by: https://review.openstack.org/248518
    Drop root for ceilometer

Addressed by: https://review.openstack.org/248519
    Drop root for gnocchi

Addressed by: https://review.openstack.org/248521
    Drop root for neutron

Addressed by: https://review.openstack.org/248830
    Update ceilometer dockerfiles

Addressed by: https://review.openstack.org/249272
    Drop root for ironic

Addressed by: https://review.openstack.org/249289
    Added ironic-common to ironic base container

Addressed by: https://review.openstack.org/249378
    Update ceilometer dockerfiles

Addressed by: https://review.openstack.org/249381
    install openstack-heat-common in heat-base

Addressed by: https://review.openstack.org/249501
    Added ironic-common to ironic base container

Addressed by: https://review.openstack.org/251628
    Drop root for murano

Addressed by: https://review.openstack.org/251629
    Drop root for cinder

Addressed by: https://review.openstack.org/251630
    Drop root for nova

Addressed by: https://review.openstack.org/251765
    Add support for Aodh

Addressed by: https://review.openstack.org/259329
    Drop root for libvirt

Addressed by: https://review.openstack.org/259374
    Drop root for swift

Addressed by: https://review.openstack.org/260352
    drop root for libvirt and change sock grp to nova

Addressed by: https://review.openstack.org/261842
    Fix broken nova-compute/nova-libvirt

Addressed by: https://review.openstack.org/261887
    [WIP] Allow nova user to access libvirt

Addressed by: https://review.openstack.org/273893
    Make nova configuration files immutable

Gerrit topic: https://review.openstack.org/#q,topic:thin-neutron,n,z

Addressed by: https://review.openstack.org/275504
    Correct issue with virtualenv rootwrap

Gerrit topic: https://review.openstack.org/#q,topic:bp/upgrade-neutron,n,z


Work Items

Work items:
(sdake): base: DONE
(coolsvap) ceilometer: DONE
(unassigned) ceph: TODO
(coolsvap) cinder: DONE
(nihilifer) designate: DONE
(unassigned) dind: POSTPONED
(akwasnie) elasticsearch: DONE
(sdake) glance: DONE
(coolsvap) gnocchi: DONE
(unassigned) haproxy: TODO
(sdake) heat: DONE
(unassigned) heka: TODO
(sdake) horizon: DONE
(coolsvap) ironic: DONE
(akwasnie) kibana: DONE
(britthouser) keepalived: DONE
(britthouser) keystone: DONE
(pbourke) kolla-ansible: DONE
(pbourke) magnum: DONE
(unassigned) manila: DONE
(sdake) mariadb: DONE
(britthouser) memcached: DONE
(unassigned) mongodb: POSTPONED
(coolsvap) murano: DONE
(unassigned) neutron: DONE
(coolsvap) nova: DONE
(rhallise) rabbitmq: DONE
(coolsvap) swift: DONE
(jlothian) zaqar: DONE
