Bug 1725251

Summary: Manila share container runs as a privileged container
Product: Red Hat OpenStack
Component: openstack-tripleo-heat-templates
Version: 17.0 (Wallaby)
Reporter: Goutham Pacha Ravi <gouthamr>
Assignee: Goutham Pacha Ravi <gouthamr>
QA Contact: vhariria
CC: gcharot, gfidente, mburns, pasik, vhariria, vimartin
Status: ASSIGNED
Severity: medium
Priority: medium
Keywords: Triaged
Type: Bug
Clones: 1725254
Hardware: Unspecified
OS: Unspecified

Description Goutham Pacha Ravi 2019-06-28 20:34:46 UTC
Description of problem:

manila's service architecture allows for manila processes to be controlled by unprivileged users on the system. All manila processes maintain state in the database and a "data directory" they are configured to work with. The data directory needs rwx permissions for the user running manila. Share drivers in manila may need to use some privileged commands, and they have a mechanism to request privilege escalation via "sudo" and rootwrap. 

However, the manila share container runs with a "root" user and as a privileged container in TripleO. This violates the security model that the project endorses. 


Version-Release number of selected component (if applicable): 13, 14, 15
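A check a practitioner would want after reading this report: confirm, from the running container rather than from the templates, whether the manila share container is privileged, whether it runs as root, and which capabilities it was given. The script below is an added example and is not code from the bug, from manila or from tripleo-heat-templates. It parses the JSON that `podman inspect <container>` prints (the same shape as `docker inspect`: `HostConfig.Privileged`, `HostConfig.CapAdd`, `Config.User`). Both inspect documents embedded in it are constructed samples, not captured output; the `ALLOWED_CAPS` set and the `manila` service user in the hardened sample are assumptions used to illustrate the unprivileged model the report argues for, not the project's actual fix.

```python
"""Check whether a container matches manila's intended privilege model.

Added example for this report; it is not code from the bug, from manila
or from tripleo-heat-templates. It parses the JSON that `podman inspect
<container>` (same shape as `docker inspect`) prints and reports the three
things the report is about: is the container privileged, does it run as
root, and which capabilities were added beyond an expected allow-list.
The inspect documents below are constructed samples, not captured output.
"""
import json
import sys

# Constructed sample mirroring the report: manila_share started
# --privileged with no User set (the image default, treated as root).
PRIVILEGED_SAMPLE = json.dumps([{
    "Name": "manila_share",
    "Config": {"User": ""},
    "HostConfig": {"Privileged": True, "CapAdd": [], "CapDrop": []},
}])

# Constructed sample of the model the report argues for (assumed values,
# not the project's actual fix): unprivileged, dedicated user, and only
# the capabilities the share driver's rootwrap commands need.
UNPRIVILEGED_SAMPLE = json.dumps([{
    "Name": "manila_share",
    "Config": {"User": "manila"},
    "HostConfig": {"Privileged": False,
                   "CapAdd": ["CAP_SYS_ADMIN"], "CapDrop": ["ALL"]},
}])

# Hypothetical capability allow-list for the hardened container; the
# real set depends on the share driver in use.
ALLOWED_CAPS = {"SYS_ADMIN"}


def _cap_name(cap: str) -> str:
    """Normalise 'CAP_SYS_ADMIN' (podman) and 'SYS_ADMIN' (docker) to one form."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(inspect_json: str, allowed_caps=ALLOWED_CAPS) -> dict:
    """Summarise the privilege-relevant fields of the first container."""
    entries = json.loads(inspect_json)
    if not entries:
        raise ValueError("inspect output contains no container")
    container = entries[0]
    host = container.get("HostConfig") or {}
    config = container.get("Config") or {}

    # Config.User may be "", "name", "uid", "name:group" or "uid:gid".
    user = (config.get("User") or "").split(":")[0]
    caps = {_cap_name(c) for c in (host.get("CapAdd") or [])}

    result = {
        "name": (container.get("Name") or "").lstrip("/"),
        "privileged": bool(host.get("Privileged")),
        # An empty User means the image default, which is root unless the
        # image's USER instruction says otherwise; treat it as root here.
        "runs_as_root": user in ("", "root", "0"),
        "extra_caps": sorted(caps - set(allowed_caps)),
    }
    result["ok"] = (not result["privileged"]
                    and not result["runs_as_root"]
                    and not result["extra_caps"])
    return result


def findings(result: dict) -> list:
    """Human-readable findings for one audit result."""
    out = []
    if result["privileged"]:
        out.append("privileged: every capability, all host devices, "
                   "and no seccomp or SELinux/AppArmor confinement")
    if result["runs_as_root"]:
        out.append("runs as root rather than an unprivileged service user")
    if result["extra_caps"]:
        out.append("capabilities beyond the allow-list: "
                   + ", ".join(result["extra_caps"]))
    return out


if __name__ == "__main__":
    # Usage: podman inspect manila_share | python3 audit_container.py
    # With no piped input the constructed privileged sample is audited.
    src = sys.stdin.read() if not sys.stdin.isatty() else PRIVILEGED_SAMPLE
    res = audit_container(src)
    print(res["name"], "OK" if res["ok"] else "NOT OK")
    for line in findings(res):
        print(" -", line)
```

Run it on the overcloud node as `podman inspect manila_share | python3 audit_container.py` (or with `docker inspect` on the releases this report lists). A container that satisfies the model the description outlines should come back `OK`: not privileged, a non-root `User`, and only the capabilities that the driver's rootwrap-filtered commands actually need, with anything else requested through sudo and rootwrap rather than by running the whole service as root.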