From 22def41d37d8046541b25fca1fe806090bf14638 Mon Sep 17 00:00:00 2001
From: Ryan Hallisey <rhallise@redhat.com>
Date: Thu, 12 Nov 2015 10:46:10 -0500
Subject: [PATCH] Drop root privileges for rabbitmq

Drop root privileges for rabbitmq.  Only the rabbitmq user
will be able to execute chown of /var/lib/rabbitmq.

Change-Id: I546e6b475a8462bfbc75972854e1fee64f96d9cb
Partially-Implements: blueprint drop-root
---
 ansible/roles/rabbitmq/templates/rabbitmq.json.j2 | 2 +-
 docker/rabbitmq/Dockerfile.j2                     | 8 +++++++-
 docker/rabbitmq/extend_start.sh                   | 2 +-
 docker/rabbitmq/rabbitmq_sudoers                  | 1 +
 4 files changed, 10 insertions(+), 3 deletions(-)
 create mode 100644 docker/rabbitmq/rabbitmq_sudoers

diff --git a/ansible/roles/rabbitmq/templates/rabbitmq.json.j2 b/ansible/roles/rabbitmq/templates/rabbitmq.json.j2
index 8eb38dc37e..82d7ad0bb7 100644
--- a/ansible/roles/rabbitmq/templates/rabbitmq.json.j2
+++ b/ansible/roles/rabbitmq/templates/rabbitmq.json.j2
@@ -1,5 +1,5 @@
 {
-    "command": "sudo -H -u rabbitmq /usr/sbin/rabbitmq-server",
+    "command": "/usr/sbin/rabbitmq-server",
     "config_files": [
         {
             "source": "{{ container_config_directory }}/rabbitmq-env.conf",
diff --git a/docker/rabbitmq/Dockerfile.j2 b/docker/rabbitmq/Dockerfile.j2
index f806f89779..fad8c4e4a7 100644
--- a/docker/rabbitmq/Dockerfile.j2
+++ b/docker/rabbitmq/Dockerfile.j2
@@ -28,6 +28,12 @@ RUN /usr/lib/rabbitmq/bin/rabbitmq-plugins enable --offline \
     && /bin/true
 
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN chmod 755 /usr/local/bin/kolla_extend_start
+COPY rabbitmq_sudoers /etc/sudoers.d/rabbitmq_sudoers
+RUN chmod 755 /usr/local/bin/kolla_extend_start \
+    && chmod 750 /etc/sudoers.d \
+    && chmod 440 /etc/sudoers.d/rabbitmq_sudoers \
+    && usermod -a -G kolla rabbitmq
 
 {{ include_footer }}
+
+USER rabbitmq
\ No newline at end of file
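Review bot: The RUN on the added lines installs the sudoers fragment without validating it, and a parse error in any file under /etc/sudoers.d makes sudo refuse to run entirely, which here would only surface when the bootstrap container calls `sudo chown`. Appending `&& visudo -cf /etc/sudoers.d/rabbitmq_sudoers` to the RUN turns that into a build-time failure. The `chmod 750 /etc/sudoers.d` and `chmod 440` on the fragment match what sudo expects (root-owned, not world-readable), assuming COPY leaves the file owned by root as it does by default. The `USER rabbitmq` line is also added without a trailing newline, which is worth fixing while here.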
diff --git a/docker/rabbitmq/extend_start.sh b/docker/rabbitmq/extend_start.sh
index e1c1007e33..06e71e810e 100644
--- a/docker/rabbitmq/extend_start.sh
+++ b/docker/rabbitmq/extend_start.sh
@@ -3,8 +3,8 @@
 # Bootstrap and exit if KOLLA_BOOTSTRAP variable is set. This catches all cases
 # of the KOLLA_BOOTSTRAP variable being set, including empty.
 if [[ "${!KOLLA_BOOTSTRAP[@]}" ]]; then
+    sudo chown -R rabbitmq: /var/lib/rabbitmq
     echo "${RABBITMQ_CLUSTER_COOKIE}" > /var/lib/rabbitmq/.erlang.cookie
-    chown -R rabbitmq: /var/lib/rabbitmq
     chmod 400 /var/lib/rabbitmq/.erlang.cookie
     exit 0
 fi
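Review bot: The added `sudo chown -R` is not checked, and nothing in the hunk shows `set -e` (the script's first two lines are outside it), so if the sudoers rule is absent or sudo fails, the script goes on to write the cookie into a still root-owned directory, the redirection fails, and the bootstrap exits 0 as if it succeeded; `sudo chown -R rabbitmq: /var/lib/rabbitmq || exit 1` would make that visible. Since the cookie is a credential, writing it and only then running `chmod 400` leaves it briefly at umask permissions; `(umask 077; echo "${RABBITMQ_CLUSTER_COOKIE}" > /var/lib/rabbitmq/.erlang.cookie)` creates it restricted from the start. The `sudo` argument string must match the sudoers rule exactly for this to be permitted, so the two should be kept in sync if either changes.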
diff --git a/docker/rabbitmq/rabbitmq_sudoers b/docker/rabbitmq/rabbitmq_sudoers
new file mode 100644
index 0000000000..7d3d091d8a
--- /dev/null
+++ b/docker/rabbitmq/rabbitmq_sudoers
@@ -0,0 +1 @@
+%kolla ALL=(root) NOPASSWD: /usr/bin/chown -R rabbitmq\: /var/lib/rabbitmq, /bin/chown -R rabbitmq\: /var/lib/rabbitmq
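Review bot: The rule is granted to the `%kolla` group rather than to the rabbitmq user, so every account added to that group gains the root chown, which is broader than the commit message's "only the rabbitmq user"; `rabbitmq ALL=(root) NOPASSWD: /usr/bin/chown -R rabbitmq\: /var/lib/rabbitmq, /bin/chown -R rabbitmq\: /var/lib/rabbitmq` would match the stated intent and make the `usermod -a -G kolla` step in the Dockerfile unnecessary for this purpose. A one-line comment above the rule naming which script relies on it (`# used by extend_start.sh during KOLLA_BOOTSTRAP`) would help the next reader keep the command string and the script's invocation identical, since sudo matches the arguments exactly.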