Remove login shell and unneeded openstack users from the host
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
StarlingX | Fix Released | Low | Andy |
Bug Description
Brief Description
-----------------
This bug tracks some cleanup required related to openstack login shells and users:
- Update containerized rabbitmq user to use /usr/sbin/nologin
- Update host keystone user to use /usr/sbin/nologin
- Remove heat/rabbitmq/
Although there is currently no functional impact to the current config, the recommended changes promote better security practices.
Severity
--------
Minor - no system impact. This is just a security precaution.
Steps to Reproduce
------------------
- Check the login shell set for the openstack users, both containerized and on the host. The shell should be set to nologin
- Check that no unneeded openstack users are configured on the host
Expected Behavior
------------------
- The shell for all openstack users is set to /usr/sbin/nologin
- The openstack users defined on the host are: keystone and horizon as these are the only openstack services running outside of containers
Actual Behavior
----------------
- The shell for containerized rabbitmq is set to /bin/sh instead of /usr/sbin/nologin
- The shell for host keystone is set to /bin/sh instead of /usr/sbin/nologin
- There are openstack users defined on the host which are unneeded: heat, rabbitmq, ceilometer
Reproducibility
---------------
Reproducible
System Configuration
--------------------
Any
Branch/Pull Time/Commit
-----------------------
Any recent stx load
Last Pass
---------
N/A
Timestamp/Logs
--------------
N/A
Test Activity
-------------
Other - opened based on discussion with Andy Ning
tags: added: stx.config stx.distro.openstack stx.security
tags: removed: stx.security
Changed in starlingx:
assignee: nobody → Andy (andy.wrs)
importance: Undecided → Low
status: New → Triaged
Changed in starlingx:
status: Triaged → In Progress
After some investigation and tests, the following service users are considered safe to be removed:
murano
rabbitmq
glance
cinder
nfv
heat
panko
gnocchi
aodh
magnum
And the following host users' login shell can be disabled with "/sbin/nologin":
ceilometer
keystone
Some of the openstack services have privileged containers (ceilometer, ironic, libvirt, neutron and nova) that have almost the same privileges as processes running on bare metal, and can access and manipulate host resources (including users and groups). Their service users on the host are risky to remove. One example is "neutron", where the neutron-ovs-agent-init container has a reference to the host user "neutron" as follows:
controller-0:/scratch/apps/stx-openstack/1.0-17-centos-stable-versioned/charts/ # docker logs k8s_neutron-ovs-agent-init_neutron-ovs-agent-controller-0-dec13249-jpmt9_openstack_61d1de52-afc9-11e9-b90c-90e2ba508e90_35
+ chown neutron: /run/openvswitch/db.sock
chown: invalid spec: 'neutron:'
If the host user "neutron" doesn't exist, neutron-ovs-agent-init will fail and cause all pods that depend on it to fail as well.
So the following service users (group) will be kept:
neutron
ceilometer
ironic
nova
libvirt (it's a group not a user)
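The two checks from Steps to Reproduce, combined with the host user set settled in the investigation comment above, as an added shell audit that is not StarlingX's own code; the user lists, the sample passwd data and the helper names are assumptions:

```shell
#!/bin/sh
# Added audit helper (hypothetical, not StarlingX tooling): check a passwd(5)
# file for openstack service users that still have a login shell, and for
# openstack users present on the host that the bug says should not be there.
# Service users named in this bug (containerized or on the host).
OPENSTACK_USERS="keystone horizon heat rabbitmq ceilometer murano glance cinder nfv panko gnocchi aodh magnum neutron ironic nova"

# Users expected to remain on the host: keystone and horizon from the bug
# description, plus the users whose privileged containers reference host
# accounts according to the investigation comment.
EXPECTED_HOST_USERS="keystone horizon neutron ceilometer ironic nova"

# Constructed sample /etc/passwd content; not captured from a real controller.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
keystone:x:165:165:OpenStack Keystone:/var/lib/keystone:/bin/sh
horizon:x:166:166:OpenStack Horizon:/var/lib/horizon:/sbin/nologin
heat:x:187:187:OpenStack Heat:/var/lib/heat:/sbin/nologin
rabbitmq:x:999:999:RabbitMQ:/var/lib/rabbitmq:/bin/sh
ceilometer:x:168:168:OpenStack Ceilometer:/var/lib/ceilometer:/usr/sbin/nologin
neutron:x:164:164:OpenStack Neutron:/var/lib/neutron:/sbin/nologin
sysadmin:x:1000:1000::/home/sysadmin:/bin/bash'

# Return 0 when $1 is one of the words in the space-separated list $2.
in_list() {
  case " $2 " in *" $1 "*) return 0 ;; esac
  return 1
}

# Print "user:shell" for each listed service user whose shell permits login
# (anything other than /sbin/nologin or /usr/sbin/nologin).
bad_shells() {
  printf '%s\n' "$1" | awk -F: -v users="$2" '
    BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) known[u[i]] = 1 }
    ($1 in known) && $7 != "/sbin/nologin" && $7 != "/usr/sbin/nologin" { print $1 ":" $7 }'
}

# Print each openstack service user defined in the passwd data that is not
# in the expected set $2.
unneeded_users() {
  printf '%s\n' "$1" | cut -d: -f1 | while read -r name; do
    if in_list "$name" "$OPENSTACK_USERS" && ! in_list "$name" "$2"; then
      printf '%s\n' "$name"
    fi
  done
}
# On a live host run the same checks against "$(cat /etc/passwd)".
bad_shells "$SAMPLE_PASSWD" "$OPENSTACK_USERS"
unneeded_users "$SAMPLE_PASSWD" "$EXPECTED_HOST_USERS"
```

On the sample data the first check flags keystone and rabbitmq (still on /bin/sh) and the second flags heat and rabbitmq as unneeded host users, matching the Actual Behavior section.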