authorJenkins <jenkins@review.openstack.org>2017-06-30 13:44:59 +0000
committerGerrit Code Review <review@openstack.org>2017-06-30 13:44:59 +0000
commit711bb776198ab076f38eca04b69f08cefd15048b (patch)
tree865fec4a73c8150c220c929b88f2f22c5e55ead3
parent12377bc7d0899d6e39244275972e6ad25f324d03 (diff)
parent425c9d4e47898221832f01287ad165833ceab3cd (diff)
Merge "Ensure boostrap_host_exec runs as root"
-rw-r--r--docker/services/keystone.yaml2
-rw-r--r--docker/services/sahara-api.yaml1
-rwxr-xr-xtools/yaml-validate.py17
3 files changed, 20 insertions, 0 deletions
diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml
index 011ffaaa..b6cfa21e 100644
--- a/docker/services/keystone.yaml
+++ b/docker/services/keystone.yaml
@@ -113,6 +113,7 @@ outputs:
keystone_db_sync:
image: *keystone_image
net: host
+ user: root
privileged: false
detach: false
volumes: &keystone_volumes
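Review bot: The three added `user: root` lines (here on `keystone_db_sync`, and in the `keystone_bootstrap` and sahara-api hunks) carry no comment saying why root is required, so a later least-privilege cleanup has nothing in the template to warn it off. A one-line comment above each would do, e.g. `# bootstrap_host_exec must run as root; enforced by tools/yaml-validate.py`. The command wrapped by bootstrap_host_exec presumably inherits root as well, so anything it writes to the mounted volumes would end up root-owned. The command for this container is outside the hunk, so that needs checking against the full file.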
@@ -152,6 +153,7 @@ outputs:
keystone_bootstrap:
start_order: 3
action: exec
+ user: root
command:
[ 'keystone', '/usr/bin/bootstrap_host_exec', 'keystone' ,'keystone-manage', 'bootstrap', '--bootstrap-password', {get_param: AdminPassword} ]
docker_puppet_tasks:
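Review bot: The `keystone_bootstrap` exec passes the admin password as a command-line argument (`'--bootstrap-password', {get_param: AdminPassword}`), so the resolved value is readable in the process list while the command runs and may be recorded wherever the container tooling logs exec commands. This predates the commit, but the entry is being edited to set `user: root`, so it is worth a follow-up. keystone-manage bootstrap also reads the password from the `OS_BOOTSTRAP_PASSWORD` environment variable; whether the `exec` action can pass environment is not visible here.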
diff --git a/docker/services/sahara-api.yaml b/docker/services/sahara-api.yaml
index 55c42abd..32d64583 100644
--- a/docker/services/sahara-api.yaml
+++ b/docker/services/sahara-api.yaml
@@ -92,6 +92,7 @@ outputs:
net: host
privileged: false
detach: false
+ user: root
volumes: &sahara_volumes
list_concat:
- {get_attr: [ContainersCommon, volumes]}
diff --git a/tools/yaml-validate.py b/tools/yaml-validate.py
index 233ec185..674449f5 100755
--- a/tools/yaml-validate.py
+++ b/tools/yaml-validate.py
@@ -200,6 +200,23 @@ def validate_docker_service(filename, tpl):
% (expected_config_image_parameter, config_volume))
return 1
+ if 'docker_config' in role_data:
+ docker_config = role_data['docker_config']
+ for _, step in docker_config.items():
+ for _, container in step.items():
+ if not isinstance(container, dict):
+ # NOTE(mandre) this skips everything that is not a dict
+ # so we may ignore some containers definitions if they
+ # are in a map_merge for example
+ continue
+ command = container.get('command', '')
+ if isinstance(command, list):
+ command = ' '.join(map(str, command))
+ if 'bootstrap_host_exec' in command \
+ and container.get('user') != 'root':
+ print('ERROR: bootstrap_host_exec needs to run as the root user.')
+ return 1
+
if 'parameters' in tpl:
for param in required_params:
if param not in tpl['parameters']:
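Review bot: The new check can raise instead of reporting: `step.items()` is called without the `isinstance(..., dict)` guard that `container` gets two lines later, and a container with an empty `command:` key yields `None`, on which the `in` test raises TypeError. Either would abort the validator with a traceback rather than a finding; whether such templates exist in the tree is not visible from here. Separately, the error message names neither the file nor the container, and since the loop discards both keys as `_` the offending entry has to be found by hand. The rewrite below guards the step, normalises a missing command, and reports `filename` and the container name; the rest of `validate_docker_service` lies outside the hunk.

```python
for step_name, step in docker_config.items():
    if not isinstance(step, dict):
        # same limitation as the container check below
        continue
    for container_name, container in step.items():
        # … unchanged: skip containers that are not dicts …
        command = container.get('command') or ''
        # … unchanged: join list commands into one string …
        if 'bootstrap_host_exec' in command \
                and container.get('user') != 'root':
            print('ERROR: bootstrap_host_exec needs to run as the '
                  'root user in %s (container %s).'
                  % (filename, container_name))
            return 1
```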