From 44251da0c606a087daf19daafe2aa5144cd20045 Mon Sep 17 00:00:00 2001
From: "Swapnil Kulkarni (coolsvap)" <me@coolsvap.net>
Date: Tue, 24 Nov 2015 20:52:01 +0530
Subject: [PATCH] Drop root for ironic

Updates to ensure commands run in the ironic containers
are done as the 'ironic' user rather than root.

Change-Id: I491041ce02fb5dd3eb60c6ae9169f26d8a8919dd
Partially-Implements: blueprint drop-root
---
 docker/ironic/ironic-api/Dockerfile.j2       | 2 ++
 docker/ironic/ironic-api/extend_start.sh     | 2 +-
 docker/ironic/ironic-base/Dockerfile.j2      | 2 ++
 docker/ironic/ironic-conductor/Dockerfile.j2 | 2 ++
 docker/ironic/ironic-discoverd/Dockerfile.j2 | 2 ++
 docker/ironic/ironic-pxe/Dockerfile.j2       | 2 ++
 6 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/docker/ironic/ironic-api/Dockerfile.j2 b/docker/ironic/ironic-api/Dockerfile.j2
index 1e39d847d8..211b42f579 100644
--- a/docker/ironic/ironic-api/Dockerfile.j2
+++ b/docker/ironic/ironic-api/Dockerfile.j2
@@ -14,3 +14,5 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start
 RUN chmod 755 /usr/local/bin/kolla_extend_start
 
 {{ include_footer }}
+
+USER ironic
diff --git a/docker/ironic/ironic-api/extend_start.sh b/docker/ironic/ironic-api/extend_start.sh
index b7ef2b242b..cd9c95a126 100644
--- a/docker/ironic/ironic-api/extend_start.sh
+++ b/docker/ironic/ironic-api/extend_start.sh
@@ -3,6 +3,6 @@
 # Bootstrap and exit if KOLLA_BOOTSTRAP variable is set. This catches all cases
 # of the KOLLA_BOOTSTRAP variable being set, including empty.
 if [[ "${!KOLLA_BOOTSTRAP[@]}" ]]; then
-    sudo -H -u ironic ironic-dbsync upgrade
+    ironic-dbsync upgrade
     exit 0
 fi
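Review bot: With `sudo -H -u ironic` removed, `ironic-dbsync upgrade` runs as whatever user the container starts as, so a run with the image's `USER` overridden (or an image built before this change) performs the migration as root and may leave root-owned files behind for the service. A guard before the call makes the assumption explicit: `[[ "$(id -un)" == "ironic" ]] || { echo "bootstrap must run as ironic" >&2; exit 1; }`. Separately, `exit 0` follows the dbsync call unconditionally, and the script's first lines are outside this hunk. Unless errexit is set there, a failed migration is reported as success; `ironic-dbsync upgrade || exit 1` would cover that.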
diff --git a/docker/ironic/ironic-base/Dockerfile.j2 b/docker/ironic/ironic-base/Dockerfile.j2
index a0fb01d607..109afed564 100644
--- a/docker/ironic/ironic-base/Dockerfile.j2
+++ b/docker/ironic/ironic-base/Dockerfile.j2
@@ -26,3 +26,5 @@ RUN ln -s ironic-base-source/* ironic \
     && chown -R ironic: /etc/ironic /var/log/ironic /home/ironic
 
 {% endif %}
+
+RUN usermod -a -G kolla ironic
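Review bot: `usermod -a -G kolla ironic` gives the ironic account every permission attached to the kolla group, and nothing here says which of them the service needs. What that group grants is defined outside this patch; if it carries sudo rules or write access to shared paths, the now-unprivileged service user keeps that reach, which matters for a drop-root change. I would add a comment above the line stating the reason, e.g. `# ironic joins the kolla group for <what the group grants, fill in>; keep that grant minimal`. The line sits after the `{% endif %}`, so it runs for every install type and assumes the `ironic` user and the `kolla` group already exist in each branch, which this hunk does not show.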
diff --git a/docker/ironic/ironic-conductor/Dockerfile.j2 b/docker/ironic/ironic-conductor/Dockerfile.j2
index 7b56f5d352..340a13000b 100644
--- a/docker/ironic/ironic-conductor/Dockerfile.j2
+++ b/docker/ironic/ironic-conductor/Dockerfile.j2
@@ -11,3 +11,5 @@ RUN yum -y install openstack-ironic-conductor \
 {% endif %}
 
 {{ include_footer }}
+
+USER ironic
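Review bot: `USER ironic` is applied with no visible replacement for the privileged operations this service performs at runtime. ironic-conductor normally invokes root-only helpers (mounting, writing images to block devices, iSCSI) through rootwrap and sudo, so the image needs a narrowly scoped sudoers entry for the rootwrap command or deploys are likely to fail; whether the installed package provides one is not visible in this hunk. The same question applies to the ironic-discoverd hunk, where the service can manage iptables rules and would need that feature disabled or CAP_NET_ADMIN granted to the container. A short comment next to each `USER ironic` naming how privileged calls are handled would make the intent reviewable.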
diff --git a/docker/ironic/ironic-discoverd/Dockerfile.j2 b/docker/ironic/ironic-discoverd/Dockerfile.j2
index 8bde9d89b9..536d2b878b 100644
--- a/docker/ironic/ironic-discoverd/Dockerfile.j2
+++ b/docker/ironic/ironic-discoverd/Dockerfile.j2
@@ -14,3 +14,5 @@ RUN pip install ironic-discoverd
 {% endif %}
 
 {{ include_footer }}
+
+USER ironic
diff --git a/docker/ironic/ironic-pxe/Dockerfile.j2 b/docker/ironic/ironic-pxe/Dockerfile.j2
index b550be051f..fd19748bf5 100644
--- a/docker/ironic/ironic-pxe/Dockerfile.j2
+++ b/docker/ironic/ironic-pxe/Dockerfile.j2
@@ -25,3 +25,5 @@ RUN apt-get install -y --no-install-recommends \
 COPY tftp-map-file /tftpboot/map-file
 
 {{ include_footer }}
+
+USER ironic
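Review bot: After `USER ironic` the TFTP service in this image starts without root, and the standard TFTP port 69 is privileged. The start command is outside this hunk, so this is an inference, but if the daemon binds port 69 itself it will need CAP_NET_BIND_SERVICE on the container or a high port mapped by the runtime. `/tftpboot/map-file` is copied as root just above, which is fine for reading, but the `ironic` user would also need write access under `/tftpboot` if boot files are written there at runtime. I would record the chosen approach in a comment, e.g. `# runs as ironic; port 69 bind relies on <capability or port mapping>`.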