openstack/kolla-ansible
Code Issues Proposed changes

Merge "hardening horizon: don't mount hosts /tmp"

Browse Source
This commit is contained in:
Zuul 2024-08-28 18:25:32 +00:00 committed by Gerrit Code Review
commit a5cf4a253a
2 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
ansible/roles/horizon/defaults/main.yml
View File

@ -127,7 +127,6 @@ horizon_default_volumes:
- "/etc/localtime:/etc/localtime:ro" - "/etc/localtime:/etc/localtime:ro"
- "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}" - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}"
- "kolla_logs:/var/log/kolla/" - "kolla_logs:/var/log/kolla/"
- "/tmp:/tmp"
horizon_extra_volumes: "{{ default_extra_volumes }}" horizon_extra_volumes: "{{ default_extra_volumes }}"

6
releasenotes/notes/harden_horizon_tmp_usage-0d690e49645b99a8.yaml Normal file
View File

@ -0,0 +1,6 @@
---
fixes:
- |
Removes the default `/tmp/` mountpoint from the horizon container. This
change is made to harden the container and prevent potential security
issues. For more information, see the Bug Report: `LP#2068126 <https://bugs.launchpad.net/kolla-ansible/+bug/2068126>`__.