Bug
Resolution: Done
Highest
Frankfurt Release
Frankfurt M3
Some AAF pods are still run as root, which is a critical security issue.
POD: onap-aaf-cass-69d9bb7496-8ftb7 container: aaf-cass uid: 0(root)
POD: onap-aaf-cm-5dc6f6bd85-dfhs4 container: aaf-cm uid: 0(root)
POD: onap-aaf-fs-6d97bb9d4-c6t8q container: aaf-fs uid: 0(root)
POD: onap-aaf-gui-cc58f8cfb-d6wws container: aaf-gui uid: 0(root)
POD: onap-aaf-locate-5cf45bc57d-42b9j container: aaf-locate uid: 0(root)
POD: onap-aaf-oauth-56795d58c9-f2nfz container: aaf-oauth uid: 0(root)
POD: onap-aaf-service-cfb5ff7d8-8jqq5 container: aaf-service uid: 0(root)
POD: onap-aaf-sms-85f4649668-8ssdg container: aaf-sms uid: 0(root)
POD: onap-aaf-sms-quorumclient-0 container: aaf-sms-quorumclient uid: 0(root)
POD: onap-aaf-sms-quorumclient-1 container: aaf-sms-quorumclient uid: 0(root)
POD: onap-aaf-sms-quorumclient-2 container: aaf-sms-quorumclient uid: 0(root)
POD: onap-aaf-sms-vault-0 container: aaf-sms-vault-backend uid: 0(root)
POD: onap-aaf-sms-vault-0 container: aaf-sms-vault uid: 0(root)
They must be run as a non-root user.
It has been discussed during the PTL meetings.
It can be fixed by modifying the docker you generated. The VID can be used as an illustration. The fix is light and shall be applied as soon as possible.
blocks:
- AAF-1104 Wrong permissions when trying to retrieve certificates for NBI (Closed)
- AAF-1081 DCAE Reports issue with Certman views of Artifacts (Closed)

is blocked by:
- AAF-1112 aaf_agent fails to download certificate artifact when O/S User is non root (Closed)

relates to:
- DMAAP-1420 [DR] dr-node fails to get CN from new AAF p12 cert (Closed)
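
A deploy-time complement to the runtime uid report in this ticket, as an added example that is not part of the original ticket or of the AAF project's code. It goes beyond the ticket by checking pod specs (the shape returned by `kubectl get pods -o json`) for containers whose `securityContext` does not rule out uid 0. The pod names, the `classify` and `audit` helpers and the sample data are assumptions constructed for illustration.

```python
# Constructed sample in the shape of `kubectl get pods -o json`.
# Pod and container names are made up; they are not the AAF pods.
SAMPLE = {"items": [
    {"metadata": {"name": "demo-a-0"}, "spec": {"containers": [
        {"name": "app"},
        {"name": "sidecar", "securityContext": {"runAsUser": 1000}}]}},
    {"metadata": {"name": "demo-b-0"}, "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
        "containers": [
            {"name": "app", "securityContext": {"runAsUser": 0}},
            {"name": "worker"}]}},
    {"metadata": {"name": "demo-c-0"}, "spec": {
        "securityContext": {"runAsNonRoot": True},
        "initContainers": [
            {"name": "init", "securityContext": {"runAsNonRoot": False}}],
        "containers": [{"name": "app"}]}},
]}

def effective(pod_sc, ctr_sc, key):
    """A container-level securityContext field overrides the pod-level one."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)

def classify(pod_sc, ctr_sc):
    uid = effective(pod_sc, ctr_sc, "runAsUser")
    non_root = effective(pod_sc, ctr_sc, "runAsNonRoot")
    if uid == 0:
        return "root"           # uid 0 requested explicitly
    if uid is not None:
        return "non-root"       # explicit non-zero uid
    if non_root is True:
        return "non-root"       # kubelet refuses to start the container as uid 0
    return "image-default"      # uid comes from the image; root unless it sets USER

def audit(pod_list):
    """Return (pod, container, verdict) for every container not pinned to non-root."""
    findings = []
    for pod in pod_list.get("items", []):
        spec = pod.get("spec", {})
        pod_sc = spec.get("securityContext") or {}
        for ctr in spec.get("initContainers", []) + spec.get("containers", []):
            verdict = classify(pod_sc, ctr.get("securityContext") or {})
            if verdict != "non-root":
                findings.append((pod["metadata"]["name"], ctr["name"], verdict))
    return findings

if __name__ == "__main__":
    for pod, ctr, verdict in audit(SAMPLE):
        print(f"POD: {pod} container: {ctr} verdict: {verdict}")
```

A container reported as `image-default` still needs the image-side fix the ticket asks for; the spec alone cannot show which uid it will get.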