It currently has auth_url typoed which results in auth_url being
specified twice
Change-Id: Ia5b6385f8d28a23fc05908ceec75a7e8528894d9
Closes-Bug: #1517141
The drop root change for Glance highlighted the fact that we were
binding volumes from glance_data into the wrong container - it was
glance_registry whereas it should be glance_api. This would result in
all images being lost if the glance_api container happens to restart.
Also, we need a sudoers file to chown the file backend dir to the glance
user.
Change-Id: If04337045bb94b3126e48d1f5bf0ea29e20373ae
Closes-Bug: #1516729
This patch adds the USER directive to the memcached container.
It also removes the -u from the command line to launch
memcached, since it will already be run as that user.
Change-Id: I87d782a424df99fe1b5694debafa3c0c4a9aba27
Partially-Implements: blueprint drop-root
In kolla-mesos, ZK will be used for storing information about
actions done in bootstrap.
Change-Id: Id7067a493b457cf7b73eb007852df7b13f4363b3
Partially-Implements: blueprint zookeeper
This playbook runs on hosts before deployment to be sure we don't
have any conflicting services running and systems are in expected
state.
DocImpact
Change-Id: If5f288b7fbdf269697ca834da4eb969b61683ca0
Partially-implements: blueprint precheck-tasks
The gates have been renamed. We can remove these jobs now.
Change-Id: I4f140301d0b0a04ca4196a755625f32569fe4b32
Partially-Implements: blueprint multinode-gate
This reverts commit f9ccb1c8829cef551b875c7c387530e7980414a7.
There are many issues with this patch that prevent it from working
under numerous circumstances. The implementation is entirely busted
on Ubuntu. Additionally, best practice for apache is to run as root.
Apache itself does the privilege dropping.
Change-Id: I4395debb7d32223fb3752a6d3e7c4d7672d29916
Drop root privileges for rabbitmq. Only the rabbitmq user
will be able to execute chown of /var/lib/rabbitmq.
Change-Id: I546e6b475a8462bfbc75972854e1fee64f96d9cb
Partially-Implements: blueprint drop-root
The USER operation affects all docker commands after it. This causes a
problem with our {{ include_footer }} implementation since commands in
that footer may require elevated permissions to perform.
In the current implementation I can no longer remove my proxy settings
once the USER has been changed.
Change-Id: I9b2bab5a15f595f6d52a46c64ddf59ba5608b938
Partially-Implements: blueprint drop-root
Drop root privileges for mariadb. This isn't perfect. If someone
breaks out of the container and can run sudo within the container,
it would be possible to replace the root credentials of the database.
Any container that uses sudo suffers from some extra attack vector
related to the sudo command. That said, the sudo commands are
locked down to minimize harm.
Change-Id: I4b3573725d940bb8aa90d43a6235d8cf7d30fc64
Partially-Implements: blueprint drop-root
At least in a script, sudo can be made to only allow the script to
run from the mysql process in the future, versus all the processes
being able to be executed as root presently.
Change-Id: I030b57086e37e4dc8f668f98c04335d94ab9d2b0
Partially-Implements: blueprint drop-root
Drop root privileges for Horizon service. It is necessary to set
a capability on the filesystem to allow binding to port 80 as a
non-root user. I have tested this works correctly from a registry
on both CentOS and Ubuntu.
Change-Id: I4c26f28bb28b6633784e6842f3423a2425332c27
Partially-Implements: blueprint drop-root
The openstack-heat-common package installs the Heat UID/GID.
This is necessary pre-work for drop-root for heat services.
Change-Id: I247b0209248de144d20f5245973833be5cd8f14f
Partially-Implements: blueprint drop-root
This change ensures commands run in the kolla-ansible container are done
as the 'ansible' user rather than root.
By default Ansible tries to write its temporary files to $HOME/.ansible
on the target, which in most cases won't exist when run as the new user.
Hence we now supply the kolla-ansible container with an ansible.cfg, to
tweak the remote_dir option to /tmp.
Change-Id: I838a8c8cd0c7dc1aeca4d12e38c346f252170e7c
Partially-Implements: blueprint drop-root