Merge pull request #354 from dtantsur/sync
Merge from upstream metal3-io/ironic-image
Showing
9 changed files
with
103 additions
and
32 deletions.
@@ -0,0 +1,43 @@ | ||
#!/usr/bin/bash | ||
|
||
# This script changes permissions to allow Ironic container to run as non-root | ||
# user. As the same image is used to run ironic, ironic-httpd, ironic-dsnmasq, | ||
# ironic-inspector and ironic-log-watch via BMO's ironic k8s manifest, it has | ||
# to be configured to work with multiple different users and groups, while they | ||
# share files via bind mounts (/shared, /certs/*), which can only get one | ||
# group id as "fsGroup". Additionally, dnsmasq needs three capabilities to run | ||
# which we provide via "setcap", and "allowPrivilegeEscalation: true" in | ||
# manifest. | ||
|
||
set -eux | ||
|
||
# user and group are from ironic rpms (uid 997, gid 994) | ||
IRONIC_USER="ironic" | ||
IRONIC_GROUP="ironic" | ||
INSPECTOR_GROUP="ironic-inspector" | ||
|
||
# we'll bind mount shared ca and ironic/inspector certificate dirs here | ||
# that need to have correct ownership as the entire ironic in BMO | ||
# deployment shares a single fsGroup in manifest's securityContext | ||
mkdir -p /certs | ||
chown "${IRONIC_USER}":"${INSPECTOR_GROUP}" /certs | ||
chmod 2775 /certs | ||
|
||
# ironic, inspector and httpd related changes | ||
chown -R root:"${IRONIC_GROUP}" /etc/ironic /etc/httpd/conf /etc/httpd/conf.d | ||
chown -R "${IRONIC_USER}":"${INSPECTOR_GROUP}" /etc/ironic-inspector | ||
chmod 2775 /etc/ironic /etc/ironic-inspector /etc/httpd/conf /etc/httpd/conf.d | ||
chmod 664 /etc/ironic/* /etc/ironic-inspector/* /etc/httpd/conf/* /etc/httpd/conf.d/* | ||
|
||
chown -R root:"${IRONIC_GROUP}" /var/lib/ironic | ||
chown -R root:"${INSPECTOR_GROUP}" /var/lib/ironic-inspector | ||
chmod 2775 /var/lib/ironic /var/lib/ironic-inspector | ||
chmod 664 /var/lib/ironic/ironic.db /var/lib/ironic-inspector/ironic-inspector.db | ||
|
||
# dnsmasq, and the capabilities required to run it as non-root user | ||
chown -R root:"${IRONIC_GROUP}" /etc/dnsmasq.conf /var/lib/dnsmasq | ||
chmod 2775 /var/lib/dnsmasq | ||
touch /var/lib/dnsmasq/dnsmasq.leases | ||
chmod 664 /etc/dnsmasq.conf /var/lib/dnsmasq/dnsmasq.leases | ||
|
||
setcap "cap_net_raw,cap_net_admin,cap_net_bind_service=+eip" /usr/sbin/dnsmasq |
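Review bot: The `chmod 664` on `/etc/ironic/*`, `/etc/httpd/conf/*`, `/etc/httpd/conf.d/*` and `/etc/dnsmasq.conf`, combined with `chmod 2775` on the parent directories owned by the ironic group, makes every service's configuration writable by any process running with that group — a compromised ironic or httpd worker can rewrite `ironic.conf` or drop a new file into `conf.d` that httpd will load on restart. If the container entrypoint (not in this hunk) really does render these files at runtime as the non-root user, grant the write bit only to the files it rewrites and keep the rest at `chmod 644 …` / `chmod 2755 …`; if it does not, the write bit can be dropped everywhere and the `2775` directories reduced to `2755`. Note also that `chmod 664` is not recursive while `chown -R` is, so any subdirectory under `conf.d` would lose its execute bit and become untraversable; a `find … -type f -exec chmod 664 {} +` form avoids that. On the `setcap` line, the `i` in `+eip` sets the inheritable flag, which file capabilities do not need for dnsmasq to start with the three caps — `=+ep` is the tighter grant, and it is worth a comment that this requires `allowPrivilegeEscalation: true` precisely because file caps are ignored under no_new_privs.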