Commit Graph

5 Commits

Author SHA1 Message Date
Éric Lemoine
0417844b8d Remove Rsyslog entirely
Partially implements: blueprint heka

Change-Id: I1322d2dc870e6f8fe052926995d993e8a08a25db
2016-02-23 01:45:23 -08:00
SamYaple
690e6853de Move socket binding to named_volume
The extend_start.sh script for rsyslog is removed as it is no longer
needed. Docker no longer binds to /dev/log or /run/kolla/log

Closes-Bug: #1544545
Change-Id: Ic0a323a26ee4e9e15baf4598285844a8a4955f23
2016-02-16 14:42:41 +00:00
Angus Salkeld
27c0ae0624 Add support for copying files from a "zk://" source
Co-Authored-By: Michal Rostecki <mrostecki@mirantis.com>
Implements: blueprint zookeeper

Change-Id: I176f063d3802716846b921e210c1569d28bd90d8
2015-12-02 10:25:43 +01:00
Steven Dake
4c9e15b94e Drop root privileges for mariadb
Drop root privileges for mariadb.  This isn't perfect.  If someone
breaks out of the container and can run sudo within the container,
it would be possible to replace the root credentials of the database.

Any container that uses sudo suffers from some extra attack vector
related to the sudo command.  That said, the sudo commands are
locked down to minimize harm.

Change-Id: I4b3573725d940bb8aa90d43a6235d8cf7d30fc64
Partially-Implements: blueprint drop-root
2015-11-12 03:12:40 -05:00
Steven Dake
6cf5928ff1 Base image changes for drop-root
The reason we are doing drop root is so that a network exposed
software component (i.e. glance) cannot be used to affect the
immutability of the container which it runs in.  I have tried
several different approaches and this is the only approach which
puts glance in PID=1 while ensuring no files may be written by
the glance process in the container image except for the log files.

Change-Id: Ifd3c8c361b78d0e4791dade3afa6435290407c41
Partially-Implements: blueprint drop-root
2015-11-09 11:00:26 -05:00