[security] Make Ironic tftpd run as nobody

This avoids running tftpd as root inside its (unprivileged) container.

Change-Id: I50366205c9cefe2af26c27580c02368f029b7605
Radosław Piliszek 2022-08-26 21:48:54 +02:00
parent 8b35f2738b
commit f1d27f7ddb
2 changed files with 7 additions and 1 deletions


@ -2,7 +2,7 @@
{% set pxe_cfg = 'grub.cfg' if enable_ironic_pxe_uefi | bool else 'default' %}
{
"command": "/usr/sbin/in.tftpd --verbose --foreground --user root --address 0.0.0.0:69 --map-file /map-file /var/lib/ironic/tftpboot",
"command": "/usr/sbin/in.tftpd --verbose --foreground --user nobody --address 0.0.0.0:69 --map-file /map-file /var/lib/ironic/tftpboot",
"config_files": [
{% if not ironic_dnsmasq_serve_ipxe | bool and groups['ironic-inspector'] | length > 0 %}
{% if not enable_ironic_pxe_uefi | bool %}
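Review bot: Switching the command line to `--user nobody` only works if everything under /var/lib/ironic/tftpboot is readable by that user, and nothing in this hunk shows who writes those files or with what mode — if the conductor creates them without world-read permission, PXE serving will fail silently after privileges are dropped, so the ownership/permissions of that directory (image or volume) should be checked as part of this change. in.tftpd still has to start as root (or with CAP_NET_BIND_SERVICE) to bind `--address 0.0.0.0:69` before it can setuid to nobody, so the container's own user must remain root for this flag to be meaningful; a one-line comment above the command, e.g. `{# tftpd binds :69 as root, then drops to nobody; tftpboot must be readable by nobody #}`, would make that dependency explicit. Now that the daemon runs as a shared unprivileged identity, consider also adding `--secure` so tftpd chroots into /var/lib/ironic/tftpboot and cannot be pointed at files outside it; the `/map-file` rules would then need to resolve relative to the chroot, which should be confirmed against the map file before changing it. The enclosing JSON object begins at `{` in this hunk and continues past its last line.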


@ -0,0 +1,6 @@
---
security:
- |
Kolla Ansible used to run Ironic's tftpd as an (unprivileged) root
user.
Now, it will explicitly use the nobody user.