From 869976e51c8084a8e04eeb35618d54479401de10 Mon Sep 17 00:00:00 2001
From: Niels de Vos
Date: Thu, 10 Aug 2023 18:08:54 +0200
Subject: [PATCH] nfs: run dbus-daemon sidecar as dbus user instead of root

When the dbus-daemon in the sidecar is started as "root" user, it fails with the following log entry:

    Failed to start message bus: Failed to drop capabilities: Operation not permitted

By starting the sidecar as "dbus" user (uid=81), the executable does not try to drop capabilities, and starts successfully.

Signed-off-by: Niels de Vos
(cherry picked from commit 320b112cc6db5377004ed3d1b642a29bb5273cc7)
(cherry picked from commit 6afe22a2f89593d3a7e4d62ec4a95f12092b244f)
---
 pkg/operator/ceph/nfs/spec.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pkg/operator/ceph/nfs/spec.go b/pkg/operator/ceph/nfs/spec.go
index d8d879ff4c9e..068b82ed3fc2 100644
--- a/pkg/operator/ceph/nfs/spec.go
+++ b/pkg/operator/ceph/nfs/spec.go
@@ -252,6 +252,9 @@ func (r *ReconcileCephNFS) daemonContainer(nfs *cephv1.CephNFS, cfg daemonConfig
 func (r *ReconcileCephNFS) dbusContainer(nfs *cephv1.CephNFS) v1.Container {
 _, dbusMount := dbusVolumeAndMount()
+ // uid of the "dbus" user in most (all?) Linux distributions
+ dbusUID := int64(81)
+
 return v1.Container{
 Name: "dbus-daemon",
 Command: []string{
@@ -270,6 +273,9 @@ func (r *ReconcileCephNFS) dbusContainer(nfs *cephv1.CephNFS) v1.Container {
 },
 Env: k8sutil.ClusterDaemonEnvVars(r.cephClusterSpec.CephVersion.Image), // do not need access to Ceph env vars b/c not a Ceph daemon
 Resources: nfs.Spec.Server.Resources,
+ SecurityContext: &v1.SecurityContext{
+ RunAsUser: &dbusUID,
+ },
 }
 }
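Review bot: The comment on `dbusUID` hedges with "(all?)", but the value only has to match the image this sidecar actually runs, which the second hunk takes from `r.cephClusterSpec.CephVersion.Image`; a distribution-wide claim is the wrong contract, since a Debian-family image allocates its message bus user a different uid and the sidecar would then start as an unrelated account. The comment should name that dependency instead, e.g. `// uid of the "dbus" user inside the Ceph image; must match /etc/passwd of r.cephClusterSpec.CephVersion.Image`. Because the value is a property of the image rather than of this call, a package-level named constant copied into a local before `&` is taken would make the coupling easier to find when the image is bumped. The body of dbusContainer continues past this hunk.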
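Review bot: The new `SecurityContext` pins the uid but does not set `RunAsNonRoot`, so if the value ever drifts back to 0 nothing fails closed and the sidecar silently returns to the root-with-capability-drop failure the commit message describes; adding `runAsNonRoot := true` next to `dbusUID` and `RunAsNonRoot: &runAsNonRoot,` alongside `RunAsUser` makes the kubelet reject a root sidecar at admission instead. The daemon now has to create its socket under `dbusMount` as uid 81, and the hunk does not show the volume's type or mode, so it is worth confirming that `dbusVolumeAndMount` yields a directory writable by that uid (an emptyDir is world-writable by default; a hostPath or a volume with a restrictive `fsGroup` may not be). The enclosing function's opening lines are in the previous hunk.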