author | Jenkins <jenkins@review.openstack.org> | 2017-06-30 13:44:59 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2017-06-30 13:44:59 +0000 |
commit | 711bb776198ab076f38eca04b69f08cefd15048b (patch) | |
tree | 865fec4a73c8150c220c929b88f2f22c5e55ead3 | |
parent | 12377bc7d0899d6e39244275972e6ad25f324d03 (diff) | |
parent | 425c9d4e47898221832f01287ad165833ceab3cd (diff) |
Merge "Ensure boostrap_host_exec runs as root"
-rw-r--r-- | docker/services/keystone.yaml | 2 | ||||
-rw-r--r-- | docker/services/sahara-api.yaml | 1 | ||||
-rwxr-xr-x | tools/yaml-validate.py | 17 |
3 files changed, 20 insertions, 0 deletions
diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml index 011ffaaa..b6cfa21e 100644 --- a/docker/services/keystone.yaml +++ b/docker/services/keystone.yaml @@ -113,6 +113,7 @@ outputs: keystone_db_sync: image: *keystone_image net: host + user: root privileged: false detach: false volumes: &keystone_volumes @@ -152,6 +153,7 @@ outputs: keystone_bootstrap: start_order: 3 action: exec + user: root command: [ 'keystone', '/usr/bin/bootstrap_host_exec', 'keystone' ,'keystone-manage', 'bootstrap', '--bootstrap-password', {get_param: AdminPassword} ] docker_puppet_tasks: diff --git a/docker/services/sahara-api.yaml b/docker/services/sahara-api.yaml index 55c42abd..32d64583 100644 --- a/docker/services/sahara-api.yaml +++ b/docker/services/sahara-api.yaml @@ -92,6 +92,7 @@ outputs: net: host privileged: false detach: false + user: root volumes: &sahara_volumes list_concat: - {get_attr: [ContainersCommon, volumes]} diff --git a/tools/yaml-validate.py b/tools/yaml-validate.py index 233ec185..674449f5 100755 --- a/tools/yaml-validate.py +++ b/tools/yaml-validate.py @@ -200,6 +200,23 @@ def validate_docker_service(filename, tpl): % (expected_config_image_parameter, config_volume)) return 1 + if 'docker_config' in role_data: + docker_config = role_data['docker_config'] + for _, step in docker_config.items(): + for _, container in step.items(): + if not isinstance(container, dict): + # NOTE(mandre) this skips everything that is not a dict + # so we may ignore some containers definitions if they + # are in a map_merge for example + continue + command = container.get('command', '') + if isinstance(command, list): + command = ' '.join(map(str, command)) + if 'bootstrap_host_exec' in command \ + and container.get('user') != 'root': + print('ERROR: bootstrap_host_exec needs to run as the root user.') + return 1 + if 'parameters' in tpl: for param in required_params: if param not in tpl['parameters']: |
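Review bot: The `user: root` added to `keystone_db_sync` has no comment explaining why this container departs from the image's default user, and the command that needs it is outside the hunk, so a later least-privilege cleanup could drop the key without noticing. Assuming the container runs bootstrap_host_exec, as the commit title suggests, a short comment above the key would record that, e.g. `# bootstrap_host_exec must run as root; checked by tools/yaml-validate.py`. The same applies to the `user: root` added to `keystone_bootstrap` in the second hunk and to the one in docker/services/sahara-api.yaml. Each of these container definitions continues outside its hunk.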
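Review bot: The new failure message in validate_docker_service does not say which template or container failed, because both loop keys are discarded as `_`, so a CI failure has to be tracked down by hand. Binding the inner key and printing it with `filename` would fix that, e.g. `for name, container in step.items():` and `print('ERROR: %s: container %s runs bootstrap_host_exec and must set user: root' % (filename, name))`. Separately, only a list `command` is normalised; if a template ever supplies a mapping there (an intrinsic function, say), `'bootstrap_host_exec' in command` would test its keys and pass silently, which deserves a line in the existing NOTE next to the map_merge caveat. The function starts and ends outside this hunk.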