Ensure boostrap_host_exec runs as root

This is necessary for accessing the bind mounted hieradata in the container in order to determine if the node is the primary node. With the new validation added to yaml-validate.py, we could spot potential issues in sahara-api and keystone bootstrap tasks. The keystone one is a false positive, as the image defaults to the root user in order to be able to run apache. Still, it is better to be consistent here and specify the root user nonetheless. Change-Id: Ib0ff9748d5406f507261e506c19b96750b10e846 Closes-Bug: #1697917
author: Martin André <m.andre@redhat.com> 2017-06-28 17:10:27 +0200
committer: Martin André <m.andre@redhat.com> 2017-06-30 08:34:42 +0200
commit: 425c9d4e47898221832f01287ad165833ceab3cd (patch)
tree: 8a46ff5c30225176afffead7075e3b07dea482d0
parent: a396ac325af8950acb18227f1a6a487159776020 (diff)
3 files changed, 20 insertions, 0 deletions
diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml
index 011ffaaa..b6cfa21e 100644
--- a/docker/services/keystone.yaml
+++ b/docker/services/keystone.yaml
@@ -113,6 +113,7 @@ outputs:
           keystone_db_sync:
             image: *keystone_image
             net: host
+            user: root
             privileged: false
             detach: false
             volumes: &keystone_volumes
@@ -152,6 +153,7 @@ outputs:
           keystone_bootstrap:
             start_order: 3
             action: exec
+            user: root
             command:
               [ 'keystone', '/usr/bin/bootstrap_host_exec', 'keystone' ,'keystone-manage', 'bootstrap', '--bootstrap-password', {get_param: AdminPassword} ]
       docker_puppet_tasks:
diff --git a/docker/services/sahara-api.yaml b/docker/services/sahara-api.yaml
index 55c42abd..32d64583 100644
--- a/docker/services/sahara-api.yaml
+++ b/docker/services/sahara-api.yaml
@@ -92,6 +92,7 @@ outputs:
             net: host
             privileged: false
             detach: false
+            user: root
             volumes: &sahara_volumes
               list_concat:
                 - {get_attr: [ContainersCommon, volumes]}
diff --git a/tools/yaml-validate.py b/tools/yaml-validate.py
index 233ec185..674449f5 100755
--- a/tools/yaml-validate.py
+++ b/tools/yaml-validate.py
@@ -200,6 +200,23 @@ def validate_docker_service(filename, tpl):
                       % (expected_config_image_parameter, config_volume))
                 return 1
 
+        if 'docker_config' in role_data:
+            docker_config = role_data['docker_config']
+            for _, step in docker_config.items():
+                for _, container in step.items():
+                    if not isinstance(container, dict):
+                        # NOTE(mandre) this skips everything that is not a dict
+                        # so we may ignore some containers definitions if they
+                        # are in a map_merge for example
+                        continue
+                    command = container.get('command', '')
+                    if isinstance(command, list):
+                        command = ' '.join(map(str, command))
+                    if 'bootstrap_host_exec' in command \
+                            and container.get('user') != 'root':
+                      print('ERROR: bootstrap_host_exec needs to run as the root user.')
+                      return 1
+
     if 'parameters' in tpl:
         for param in required_params:
             if param not in tpl['parameters']:
author	Martin André <m.andre@redhat.com>	2017-06-28 17:10:27 +0200
committer	Martin André <m.andre@redhat.com>	2017-06-30 08:34:42 +0200
commit	425c9d4e47898221832f01287ad165833ceab3cd (patch)
tree	8a46ff5c30225176afffead7075e3b07dea482d0
parent	a396ac325af8950acb18227f1a6a487159776020 (diff)