Drop root privileges for rabbitmq

Drop root privileges for rabbitmq. Only the rabbitmq user will be able to execute chown of /var/lib/rabbitmq. Change-Id: I546e6b475a8462bfbc75972854e1fee64f96d9cb Partially-Implements: blueprint drop-root

Drop root privileges for rabbitmq
22def41d · Ryan Hallisey · 55e4b54e · 22def41d · 22def41d · 22def41d
Commit 22def41d authored 9 years ago by Ryan Hallisey
--- a/ansible/roles/rabbitmq/templates/rabbitmq.json.j2
+++ b/ansible/roles/rabbitmq/templates/rabbitmq.json.j2
 {
-    "command": "sudo -H -u rabbitmq /usr/sbin/rabbitmq-server",
+    "command": "/usr/sbin/rabbitmq-server",
    "config_files": [
        {
            "source": "{{ container_config_directory }}/rabbitmq-env.conf",

--- a/docker/rabbitmq/Dockerfile.j2
+++ b/docker/rabbitmq/Dockerfile.j2
@@ -28,6 +28,12 @@ RUN /usr/lib/rabbitmq/bin/rabbitmq-plugins enable --offline \
    && /bin/true

 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN chmod 755 /usr/local/bin/kolla_extend_start
+COPY rabbitmq_sudoers /etc/sudoers.d/rabbitmq_sudoers
+RUN chmod 755 /usr/local/bin/kolla_extend_start \
+    && chmod 750 /etc/sudoers.d \
+    && chmod 440 /etc/sudoers.d/rabbitmq_sudoers \
+    && usermod -a -G kolla rabbitmq

 {{ include_footer }}
+
+USER rabbitmq
\ No newline at end of file
--- a/docker/rabbitmq/extend_start.sh
+++ b/docker/rabbitmq/extend_start.sh
@@ -3,8 +3,8 @@
 # Bootstrap and exit if KOLLA_BOOTSTRAP variable is set. This catches all cases
 # of the KOLLA_BOOTSTRAP variable being set, including empty.
 if [[ "${!KOLLA_BOOTSTRAP[@]}" ]]; then
+    sudo chown -R rabbitmq: /var/lib/rabbitmq
    echo "${RABBITMQ_CLUSTER_COOKIE}" > /var/lib/rabbitmq/.erlang.cookie
-    chown -R rabbitmq: /var/lib/rabbitmq
    chmod 400 /var/lib/rabbitmq/.erlang.cookie
    exit 0
 fi
--- a/docker/rabbitmq/rabbitmq_sudoers
+++ b/docker/rabbitmq/rabbitmq_sudoers
+%kolla ALL=(root) NOPASSWD: /usr/bin/chown -R rabbitmq\: /var/lib/rabbitmq, /bin/chown -R rabbitmq\: /var/lib/rabbitmq