From 3ef57a9ed68580d5185fefb2ab9a22926f26d441 Mon Sep 17 00:00:00 2001
From: "Swapnil Kulkarni (coolsvap)" <me@coolsvap.net>
Date: Mon, 30 Nov 2015 11:28:58 +0530
Subject: [PATCH] Drop root for nova

Updates to ensure commands run in the nova containers
are done as the 'nova' user rather than root.

Change-Id: I0dd0276c2848ad77d92d350dfa0f20161329ed55
Partially-Implements: blueprint drop-root
---
 docker/nova/nova-api/Dockerfile.j2             | 2 ++
 docker/nova/nova-api/extend_start.sh           | 2 +-
 docker/nova/nova-base/Dockerfile.j2            | 2 ++
 docker/nova/nova-compute/Dockerfile.j2         | 2 ++
 docker/nova/nova-conductor/Dockerfile.j2       | 2 ++
 docker/nova/nova-consoleauth/Dockerfile.j2     | 2 ++
 docker/nova/nova-libvirt/Dockerfile.j2         | 2 ++
 docker/nova/nova-network/Dockerfile.j2         | 2 ++
 docker/nova/nova-novncproxy/Dockerfile.j2      | 2 ++
 docker/nova/nova-scheduler/Dockerfile.j2       | 2 ++
 docker/nova/nova-spicehtml5proxy/Dockerfile.j2 | 2 ++
 11 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/docker/nova/nova-api/Dockerfile.j2 b/docker/nova/nova-api/Dockerfile.j2
index bd5270ac6..ef5fd1b44 100644
--- a/docker/nova/nova-api/Dockerfile.j2
+++ b/docker/nova/nova-api/Dockerfile.j2
@@ -14,3 +14,5 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start
 RUN chmod 755 /usr/local/bin/kolla_extend_start
 
 {{ include_footer }}
+
+USER nova
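Review bot: `USER nova` makes nova the runtime identity, but the only ownership fix visible in this patch is nova-base's `chown -R nova: /etc/nova /var/log/nova /home/nova`; any other path the service writes at runtime (a state or lock directory, for instance) would now fail with a permission error unless it is chowned in the same build, which this patch does not show. A one-line comment above the directive would make that contract explicit for later edits: `# Drop root: every path the service writes at runtime must be owned by nova (see nova-base chown).` The same applies to the identical `USER nova` additions in nova-compute, nova-conductor, nova-consoleauth, nova-libvirt, nova-network, nova-novncproxy, nova-scheduler and nova-spicehtml5proxy.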
diff --git a/docker/nova/nova-api/extend_start.sh b/docker/nova/nova-api/extend_start.sh
index 9b0e9d746..93b63d53f 100644
--- a/docker/nova/nova-api/extend_start.sh
+++ b/docker/nova/nova-api/extend_start.sh
@@ -3,6 +3,6 @@
 # Bootstrap and exit if KOLLA_BOOTSTRAP variable is set. This catches all cases
 # of the KOLLA_BOOTSTRAP variable being set, including empty.
 if [[ "${!KOLLA_BOOTSTRAP[@]}" ]]; then
-    sudo -H -u nova nova-manage db sync
+    nova-manage db sync
     exit 0
 fi
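Review bot: The exit status of `nova-manage db sync` on the new line is discarded, because the unconditional `exit 0` that follows reports success even when the sync fails, unless the script enables `set -e` above this hunk (its first two lines are outside the hunk). Changing the line to `nova-manage db sync || exit 1` lets a bootstrap run surface the failure instead of returning 0. Dropping `sudo -H -u nova` also means the script now relies entirely on the image's `USER nova` for its identity; if it were ever invoked from a root context, the sync would run as root, which is worth a comment on the line.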
diff --git a/docker/nova/nova-base/Dockerfile.j2 b/docker/nova/nova-base/Dockerfile.j2
index 4b2fea8b4..3b48ff1fd 100644
--- a/docker/nova/nova-base/Dockerfile.j2
+++ b/docker/nova/nova-base/Dockerfile.j2
@@ -42,3 +42,5 @@ RUN ln -s nova-base-source/* nova \
     && chown -R nova: /etc/nova /var/log/nova /home/nova
 
 {% endif %}
+
+RUN usermod -a -G kolla nova
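Review bot: `RUN usermod -a -G kolla nova` widens what the nova user can access to everything owned by the kolla group, and neither the hunk nor the commit message says what that access is needed for. Because it sits after `{% endif %}` it applies to both install types. A short comment would keep the grant reviewable, e.g. `# nova needs kolla group membership for <path or socket — TODO confirm>`, with the placeholder replaced by the actual resource.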
diff --git a/docker/nova/nova-compute/Dockerfile.j2 b/docker/nova/nova-compute/Dockerfile.j2
index 90dd8de2e..40dfdf862 100644
--- a/docker/nova/nova-compute/Dockerfile.j2
+++ b/docker/nova/nova-compute/Dockerfile.j2
@@ -39,3 +39,5 @@ RUN /var/lib/kolla/venv/bin/pip install --no-cache-dir libvirt-python
 {% endif %}
 
 {{ include_footer }}
+
+USER nova
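Review bot: Whether nova-compute can run as an unprivileged nova user is not established by this hunk: the context shows libvirt-python being installed, and a compute service presumably needs the libvirt socket and device or volume paths that are root- or group-restricted, so the image should be verified to start and launch an instance with this directive in place. The same doubt applies more strongly to nova-libvirt (the `USER nova` added under its include_footer), which by its name runs libvirtd, and to nova-network, which installs initscripts and presumably manages host networking; if those need root, the directive should be omitted there or the required groups and capabilities documented next to it. If the kolla group added in nova-base is what grants the socket access, a comment here saying so would tie the two changes together.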
diff --git a/docker/nova/nova-conductor/Dockerfile.j2 b/docker/nova/nova-conductor/Dockerfile.j2
index d1b5ddcea..effb7a120 100644
--- a/docker/nova/nova-conductor/Dockerfile.j2
+++ b/docker/nova/nova-conductor/Dockerfile.j2
@@ -11,3 +11,5 @@ RUN yum -y install openstack-nova-conductor \
 {% endif %}
 
 {{ include_footer }}
+
+USER nova
diff --git a/docker/nova/nova-consoleauth/Dockerfile.j2 b/docker/nova/nova-consoleauth/Dockerfile.j2
index f12983140..427144f01 100644
--- a/docker/nova/nova-consoleauth/Dockerfile.j2
+++ b/docker/nova/nova-consoleauth/Dockerfile.j2
@@ -11,3 +11,5 @@ RUN yum -y install openstack-nova-console \
 {% endif %}
 
 {{ include_footer }}
+
+USER nova
diff --git a/docker/nova/nova-libvirt/Dockerfile.j2 b/docker/nova/nova-libvirt/Dockerfile.j2
index de4499c65..d6eb7fd36 100644
--- a/docker/nova/nova-libvirt/Dockerfile.j2
+++ b/docker/nova/nova-libvirt/Dockerfile.j2
@@ -33,3 +33,5 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start
 RUN chmod 755 /usr/local/bin/kolla_extend_start
 
 {{ include_footer }}
+
+USER nova
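Review bot: nova-libvirt's extend_start.sh, copied by the `COPY extend_start.sh` shown in this hunk's header, is not changed by this patch yet will now execute as nova rather than root once `USER nova` is in effect. If that script performs any root-only setup, the container will fail at start; verify it under the new identity or keep the identity change out of this image until it is adapted. A comment such as `# extend_start.sh now runs as nova` above the directive would record that dependency.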
diff --git a/docker/nova/nova-network/Dockerfile.j2 b/docker/nova/nova-network/Dockerfile.j2
index 5d9ec3fc7..e0624fb63 100644
--- a/docker/nova/nova-network/Dockerfile.j2
+++ b/docker/nova/nova-network/Dockerfile.j2
@@ -21,3 +21,5 @@ RUN yum -y install initscripts \
 {% endif %}
 
 {{ include_footer }}
+
+USER nova
diff --git a/docker/nova/nova-novncproxy/Dockerfile.j2 b/docker/nova/nova-novncproxy/Dockerfile.j2
index 402d68532..d216895f3 100644
--- a/docker/nova/nova-novncproxy/Dockerfile.j2
+++ b/docker/nova/nova-novncproxy/Dockerfile.j2
@@ -18,3 +18,5 @@ RUN cd /usr/share && ln -s nova-novncproxy-source/* novnc
 {% endif %}
 
 {{ include_footer }}
+
+USER nova
diff --git a/docker/nova/nova-scheduler/Dockerfile.j2 b/docker/nova/nova-scheduler/Dockerfile.j2
index cd6e9b1c6..0057a7cd9 100644
--- a/docker/nova/nova-scheduler/Dockerfile.j2
+++ b/docker/nova/nova-scheduler/Dockerfile.j2
@@ -11,3 +11,5 @@ RUN yum -y install openstack-nova-scheduler \
 {% endif %}
 
 {{ include_footer }}
+
+USER nova
diff --git a/docker/nova/nova-spicehtml5proxy/Dockerfile.j2 b/docker/nova/nova-spicehtml5proxy/Dockerfile.j2
index 6c95ddcaf..046277662 100644
--- a/docker/nova/nova-spicehtml5proxy/Dockerfile.j2
+++ b/docker/nova/nova-spicehtml5proxy/Dockerfile.j2
@@ -16,3 +16,5 @@ RUN cd /usr/share && ln -s nova-spicehtml5proxy-source/* spice-html5
 {% endif %}
 
 {{ include_footer }}
+
+USER nova
-- 
GitLab