nfs: run dbus-daemon sidecar as dbus user instead of root

When the dbus-daemon in the sidecar is started as "root" user, it fails with the following log entry: Failed to start message bus: Failed to drop capabilities: Operation not permitted By starting the sidecar as "dbus" user (uid=81), the executable does not try to drop capabilities, and starts successfully. Signed-off-by: Niels de Vos <[email protected]> (cherry picked from commit 320b112) (cherry picked from commit 6afe22a)
red-hat-storage · Aug 11, 2023 · 869976e · 869976e
1 parent ff81035
commit 869976e
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/pkg/operator/ceph/nfs/spec.go b/pkg/operator/ceph/nfs/spec.go
@@ -252,6 +252,9 @@ func (r *ReconcileCephNFS) daemonContainer(nfs *cephv1.CephNFS, cfg daemonConfig
 func (r *ReconcileCephNFS) dbusContainer(nfs *cephv1.CephNFS) v1.Container {
 	_, dbusMount := dbusVolumeAndMount()
 
+	// uid of the "dbus" user in most (all?) Linux distributions
+	dbusUID := int64(81)
+
 	return v1.Container{
 		Name: "dbus-daemon",
 		Command: []string{
@@ -270,6 +273,9 @@ func (r *ReconcileCephNFS) dbusContainer(nfs *cephv1.CephNFS) v1.Container {
 		},
 		Env:       k8sutil.ClusterDaemonEnvVars(r.cephClusterSpec.CephVersion.Image), // do not need access to Ceph env vars b/c not a Ceph daemon
 		Resources: nfs.Spec.Server.Resources,
+		SecurityContext: &v1.SecurityContext{
+			RunAsUser: &dbusUID,
+		},
 	}
 }