[security] Make Ironic tftpd run as nobody
This avoids root privileges in tftpd's unprivileged container. Change-Id: I50366205c9cefe2af26c27580c02368f029b7605
parent
8b35f2738b
commit
f1d27f7ddb
@ -2,7 +2,7 @@
|
||||
{% set pxe_cfg = 'grub.cfg' if enable_ironic_pxe_uefi | bool else 'default' %}
|
||||
|
||||
{
|
||||
"command": "/usr/sbin/in.tftpd --verbose --foreground --user root --address 0.0.0.0:69 --map-file /map-file /var/lib/ironic/tftpboot",
|
||||
"command": "/usr/sbin/in.tftpd --verbose --foreground --user nobody --address 0.0.0.0:69 --map-file /map-file /var/lib/ironic/tftpboot",
|
||||
"config_files": [
|
||||
{% if not ironic_dnsmasq_serve_ipxe | bool and groups['ironic-inspector'] | length > 0 %}
|
||||
{% if not enable_ironic_pxe_uefi | bool %}
|
||||
|
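Review bot: With `--user nobody` on the new command line, every path component and file under /var/lib/ironic/tftpboot must be traversable and readable by that account, and nothing in this hunk shows how those files are created. If another service writes them with restrictive directory modes, PXE clients would presumably start getting access errors that the root-run daemon masked, so the modes and ownership of that volume are worth checking before merge. The privilege drop also assumes the process still starts with enough privilege to bind port 69 and switch user, which is decided in the container definition outside this hunk. I would record both assumptions next to the command, for example `{# in.tftpd binds :69 as the container start user, then drops to nobody; tftpboot must be readable and traversable by others #}`.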
@ -0,0 +1,6 @@
|
||||
---
|
||||
security:
|
||||
- |
|
||||
Kolla Ansible used to run Ironic's tftpd as an (unprivileged) root
|
||||
user.
|
||||
Now, it will explicitly use the nobody user.
|