hardening horizon: don't mount hosts /tmp

consider this a security hardening as it would be possible to write to host owned private tmp files e.g. of systemd-logind when you are able to highjack the apache2 process inside the horizon container, which runs as root. see the bug report for a demonstration of this. I checked the horizon code, it only facilitates python tempfiles module for temp file usage. I also checked the horizon container we build via `kolla-build -b ubuntu horizon`, which has a /tmp/ directory. So no mountpoint should be needed. Closes-Bug: #2068126 Signed-off-by: Sven Kieske <kieske@osism.tech> Change-Id: I7ae1db8d42c83b773047bb01e846d4abee02710a

hardening horizon: don't mount hosts /tmp
f306e9ca · Sven Kieske · cbf51486 · f306e9ca · f306e9ca
Unverified Commit f306e9ca authored 9 months ago by Sven Kieske
--- a/ansible/roles/horizon/defaults/main.yml
+++ b/ansible/roles/horizon/defaults/main.yml
@@ -127,7 +127,6 @@ horizon_default_volumes:
  - "/etc/localtime:/etc/localtime:ro"
  - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}"
  - "kolla_logs:/var/log/kolla/"
-  - "/tmp:/tmp"

 horizon_extra_volumes: "{{ default_extra_volumes }}"


--- a/releasenotes/notes/harden_horizon_tmp_usage-0d690e49645b99a8.yaml
+++ b/releasenotes/notes/harden_horizon_tmp_usage-0d690e49645b99a8.yaml
+---
+fixes:
+  - |
+    Removes the default `/tmp/` mountpoint from the horizon container. This
+    change is made to harden the container and prevent potential security
+    issues. For more information, see the Bug Report: `LP#2068126 <https://bugs.launchpad.net/kolla-ansible/+bug/2068126>`__.