Drop root privileges to the container's application PID/GID

Registered by Steven Dake

Use the Dockerfile USER instruction to set the UID of each container to the specific service user that should be running.


Blueprint information

Steven Dake
Series goal: Accepted for mitaka
Milestone target: mitaka-3
Started by: Steven Dake
Completed by: Steven Dake


base is a dependency of all other containers. Please wait for base and glance to hit the repo before beginning work. Thanks! --sdake

The implementation should be thought about more here. With yaodu there was no chance of a compromised user executing arbitrary code on a container restart. That is not the case with the implementation that has started in Kolla. The current patches up for this would allow a compromised user to change the command executed on container restart. --SamYaple

I'm open to suggestions to solve this problem. ATM the container when run with USER runs the set_configs.py code as the user, not root. This file is responsible for writing the run_command. The only way I see to achieve what you want is to drop privileges inside run_command. --sdake
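The concern in the two comments above is concrete enough to check mechanically: if the file holding the restart command (and the config it reads) is owned or writable by the service user, then anything that compromises that user can rewrite what runs on the next restart. The following is an added example, not Kolla's own kolla_start or set_configs.py: an entrypoint-style helper that audits ownership and mode bits of those files as root, refuses to start if the service user could modify any of them, and only then drops privileges (supplementary groups, gid, uid, in that order) and execs the service. The service uid/gid 42424 and the file paths are illustrative values chosen for this example, and the mode check ignores POSIX ACLs and file capabilities.

```python
"""Check that a non-root service user cannot tamper with the inputs a
container reads on restart, then drop privileges and exec the service.

Added example for the whiteboard discussion above; it is not Kolla's
kolla_start or set_configs.py.  The service uid/gid (42424) and the file
paths are illustrative values chosen for this example.
"""
import os
import stat
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class FileOwnership:
    """The parts of a stat() result the check needs."""
    uid: int
    gid: int
    mode: int   # permission bits only, e.g. 0o644


SERVICE_UID = 42424   # illustrative uid for the dropped-privilege service user
SERVICE_GID = 42424

# Constructed layout matching the concern raised above: the service user itself
# wrote run_command and its config, so anything running as that user can
# rewrite the command executed on the next container restart.
WEAK_LAYOUT: Dict[str, FileOwnership] = {
    "/run_command": FileOwnership(SERVICE_UID, SERVICE_GID, 0o644),
    "/etc/glance/glance-api.conf": FileOwnership(SERVICE_UID, SERVICE_GID, 0o600),
}

# Constructed layout where a root-owned step writes the files before the drop:
# the service user can read what it needs but cannot modify it.
HARDENED_LAYOUT: Dict[str, FileOwnership] = {
    "/run_command": FileOwnership(0, 0, 0o644),
    "/etc/glance/glance-api.conf": FileOwnership(0, SERVICE_GID, 0o640),
}


def can_user_write(f: FileOwnership, uid: int, gid: int,
                   supplementary: Iterable[int] = ()) -> bool:
    """Would a process running as uid/gid be able to modify the file?

    Mirrors the classic Unix mode check for a non-root caller (ACLs and
    capabilities are out of scope): the owner bits apply when the uid matches,
    otherwise the group bits when any of the caller's groups match, otherwise
    the 'other' bits.  Root bypasses mode bits entirely.
    """
    if uid == 0:
        return True
    if f.uid == uid:
        return bool(f.mode & stat.S_IWUSR)
    if f.gid == gid or f.gid in set(supplementary):
        return bool(f.mode & stat.S_IWGRP)
    return bool(f.mode & stat.S_IWOTH)


def tamperable_files(layout: Dict[str, FileOwnership], uid: int, gid: int,
                     supplementary: Iterable[int] = ()) -> List[str]:
    """Paths in the layout that the service user could rewrite."""
    groups = tuple(supplementary)
    return sorted(p for p, own in layout.items()
                  if can_user_write(own, uid, gid, groups))


def ownership_of(path: str) -> FileOwnership:
    """Read a real file's ownership and permission bits."""
    st = os.stat(path)
    return FileOwnership(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))


def drop_privileges(uid: int, gid: int) -> None:
    """Permanently drop from root to uid/gid.

    Order matters: supplementary groups and the gid go first, because once
    the uid is no longer 0 the process can no longer change its groups.
    """
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    if os.getuid() != uid or os.geteuid() != uid:
        raise RuntimeError("privilege drop failed")


def launch(command_file: str, config_files: Iterable[str],
           uid: int, gid: int) -> None:
    """Entrypoint logic: audit as root, then drop privileges and exec.

    Refuses to start if the service user could have altered the command or
    its configuration, which is the failure mode discussed above.
    """
    layout = {p: ownership_of(p) for p in [command_file, *config_files]}
    bad = tamperable_files(layout, uid, gid)
    if bad:
        raise SystemExit("refusing to start; writable by service user: "
                         + ", ".join(bad))
    with open(command_file) as fh:
        argv = fh.read().split()
    drop_privileges(uid, gid)
    os.execvp(argv[0], argv)


if __name__ == "__main__":
    for name, layout in (("weak", WEAK_LAYOUT), ("hardened", HARDENED_LAYOUT)):
        print(name, "->",
              tamperable_files(layout, SERVICE_UID, SERVICE_GID) or "nothing writable")
```

Run as root inside a container, `launch("/run_command", ["/etc/glance/glance-api.conf"], 42424, 42424)` performs the audit and the drop; run unprivileged, the `__main__` block only evaluates the two constructed layouts, flagging both files in the weak one and none in the hardened one. The audit is the part that closes the gap discussed above: the drop itself is no protection if the dropped user still owns the file that tells the container what to exec.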

Looks like we found a proper solution to this problem. The services are ready to be securified now. I expect nova/neutron/horizon/keystone will be special snowflakes requiring additional work. --sdake

The horizon patch was a bit of a special snowflake and has an interesting example of how to obtain a root capability on a binary - if you don't mind the binary permanently having the capability. --sdake

I think we should postpone logging drop-root until the heka + elk solutions are sorted out. --steak

I unassigned work items that didn't complete prior to mitaka-2. Please feel free to reassign yourself if you plan to do that work in the next few weeks. --steak

Gerrit topic: https://review.openstack.org/#q,topic:bp/drop-root,n,z

Addressed by: https://review.openstack.org/242732
    Prepare base images for USER operation

Addressed by: https://review.openstack.org/242735
    Drop root privileges for glance services

Addressed by: https://review.openstack.org/242740
    Drop root privileges for heat services

Addressed by: https://review.openstack.org/242778
    Take two of root drop

Addressed by: https://review.openstack.org/242876
    Base image changes for drop-root

Addressed by: https://review.openstack.org/242877
    drop root for glance

Addressed by: https://review.openstack.org/243350
    Drop root for heat

Addressed by: https://review.openstack.org/243400
    Drop root for Horizon service

Addressed by: https://review.openstack.org/243479
    Move the mariadb expect code to a script

Addressed by: https://review.openstack.org/243480
    Drop root privileges for mariadb

Addressed by: https://review.openstack.org/243494
    Drop root for designate

Addressed by: https://review.openstack.org/243495
    install openstack-heat-common in heat-base

Addressed by: https://review.openstack.org/244255
    Drop root for kolla-ansible

Addressed by: https://review.openstack.org/244684
    Move USER operation after footer

Containers not needing update:
    Keystone - apache does its own drop root, and sudo as PID 1 is not desirable
    Keepalived - keepalived needs root privs and sudo as PID 1 is not desirable
    Horizon - apache does its own drop root, and sudo as PID 1 is not desirable

Addressed by: https://review.openstack.org/245733
    Drop root for rsyslog

Addressed by: https://review.openstack.org/245366
    [WIP] Drop root privileges for openvswitch

Addressed by: https://review.openstack.org/246437
    Add new gates for oraclelinux

Gerrit topic: https://review.openstack.org/#q,topic:bp/functional-testing-gate,n,z

Addressed by: https://review.openstack.org/246529
    Drop root for Magnum

Addressed by: https://review.openstack.org/248518
    Drop root for ceilometer

Addressed by: https://review.openstack.org/248519
    Drop root for gnocchi

Addressed by: https://review.openstack.org/248521
    Drop root for neutron

Addressed by: https://review.openstack.org/248830
    Update ceilometer dockerfiles

Addressed by: https://review.openstack.org/249272
    Drop root for ironic

Addressed by: https://review.openstack.org/249289
    Added ironic-common to ironic base container

Addressed by: https://review.openstack.org/249378
    Update ceilometer dockerfiles

Addressed by: https://review.openstack.org/249381
    install openstack-heat-common in heat-base

Addressed by: https://review.openstack.org/249501
    Added ironic-common to ironic base container

Addressed by: https://review.openstack.org/251628
    Drop root for murano

Addressed by: https://review.openstack.org/251629
    Drop root for cinder

Addressed by: https://review.openstack.org/251630
    Drop root for nova

Addressed by: https://review.openstack.org/251765
    Add support for Aodh

Addressed by: https://review.openstack.org/259329
    Drop root for libvirt

Addressed by: https://review.openstack.org/259374
    Drop root for swift

Addressed by: https://review.openstack.org/260352
    drop root for libvirt and change sock grp to nova

Addressed by: https://review.openstack.org/261842
    Fix broken nova-compute/nova-libvirt

Addressed by: https://review.openstack.org/261887
    [WIP] Allow nova user to access libvirt

Addressed by: https://review.openstack.org/273893
    Make nova configuration files immutable

Gerrit topic: https://review.openstack.org/#q,topic:thin-neutron,n,z

Addressed by: https://review.openstack.org/275504
    Correct issue with virtualenv rootwrap

Gerrit topic: https://review.openstack.org/#q,topic:bp/upgrade-neutron,n,z


Work Items

Work items:
(sdake) base: DONE
(coolsvap) ceilometer: DONE
(unassigned) ceph: TODO
(coolsvap) cinder: DONE
(nihilifer) designate: DONE
(unassigned) dind: POSTPONED
(akwasnie) elasticsearch: DONE
(sdake) glance: DONE
(coolsvap) gnocchi: DONE
(unassigned) haproxy: TODO
(sdake) heat: DONE
(unassigned) heka: TODO
(sdake) horizon: DONE
(coolsvap) ironic: DONE
(akwasnie) kibana: DONE
(britthouser) keepalived: DONE
(britthouser) keystone: DONE
(pbourke) kolla-ansible: DONE
(pbourke) magnum: DONE
(unassigned) manila: DONE
(sdake) mariadb: DONE
(britthouser) memcached: DONE
(unassigned) mongodb: POSTPONED
(coolsvap) murano: DONE
(unassigned) neutron: DONE
(coolsvap) nova: DONE
(rhallise) rabbitmq: DONE
(coolsvap) swift: DONE
(jlothian) zaqar: DONE
