Merge "Drop root privileges for mariadb"

55e4b54e · Jenkins · Gerrit Code Review · 336074a6 · 4c9e15b9 · 55e4b54e
Commit 55e4b54e authored 9 years ago by Jenkins Committed by Gerrit Code Review 9 years ago
--- a/docker/base/sudoers
+++ b/docker/base/sudoers
@@ -14,3 +14,5 @@ root ALL=(ALL) ALL
 # anyone in the kolla group may run /usr/local/bin/kolla_set_configs as the
 # root user via sudo without password confirmation
 %kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_set_configs
+
+#includedir /etc/sudoers.d
--- a/docker/mariadb/Dockerfile.j2
+++ b/docker/mariadb/Dockerfile.j2
@@ -28,9 +28,16 @@ RUN apt-get install -y --no-install-recommends \

 {% endif %}

+COPY mariadb_sudoers /etc/sudoers.d/mariadb_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 COPY security_reset.expect /usr/local/bin/kolla_security_reset
 RUN chmod 755 /usr/local/bin/kolla_extend_start \
-    && chmod 755 /usr/local/bin/kolla_security_reset
+    && chmod 755 /usr/local/bin/kolla_security_reset \
+    && chmod 750 /etc/sudoers.d \
+    && chmod 440 /etc/sudoers.d/mariadb_sudoers \
+    && usermod -a -G kolla mysql
+
+
+USER mysql

 {{ include_footer }}
--- a/docker/mariadb/extend_start.sh
+++ b/docker/mariadb/extend_start.sh
@@ -5,19 +5,19 @@ function bootstrap_db {

    # Waiting for deamon
    sleep 10
-    kolla_security_reset
+    sudo -E kolla_security_reset

    mysql -u root --password="${DB_ROOT_PASSWORD}" -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY '${DB_ROOT_PASSWORD}' WITH GRANT OPTION;"
    mysql -u root --password="${DB_ROOT_PASSWORD}" -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '${DB_ROOT_PASSWORD}' WITH GRANT OPTION;"
-    mysqladmin -p"${DB_ROOT_PASSWORD}" shutdown
+    mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" shutdown
 }

-chown mysql: /var/lib/mysql
+sudo chown mysql: /var/lib/mysql

 # This catches all cases of the BOOTSTRAP variable being set, including empty
 if [[ "${!KOLLA_BOOTSTRAP[@]}" ]] && [[ ! -e /var/lib/mysql/cluster.exists ]]; then
    ARGS="--wsrep-new-cluster"
    touch /var/lib/mysql/cluster.exists
-    mysql_install_db --user=mysql
+    mysql_install_db
    bootstrap_db
 fi
--- a/docker/mariadb/mariadb_sudoers
+++ b/docker/mariadb/mariadb_sudoers
+%kolla ALL=(root) NOPASSWD: /bin/chown mysql\: /var/lib/mysql, /usr/bin/chown mysql\: /var/lib/mysql, /usr/local/bin/kolla_security_reset