The cap_dac_read_search capability is not among the default capabilities in containers,
so cap_dac_override is needed.
adelton committed Dec 30, 2024
1 parent 8bf127e commit 202696e
Showing 4 changed files with 24 additions and 0 deletions.
6 changes: 6 additions & 0 deletions src/Dockerfile.client
Expand Up @@ -2,6 +2,12 @@ FROM registry.fedoraproject.org/fedora:41
RUN dnf install -y /usr/sbin/ipa-client-install openssh-server xauth firefox dejavu-sans-fonts dejavu-sans-mono-fonts /usr/bin/xargs python3-xvfbwrapper python3-selenium python3-legacy-cgi xorg-x11-server-Xvfb && dnf clean all
RUN curl -LO https://github.com/mozilla/geckodriver/releases/download/v0.34.0/geckodriver-v0.34.0-linux64.tar.gz
RUN tar xvzf geckodriver-v0.34.0-linux64.tar.gz && mv geckodriver /usr/local/bin/

# Workaround https://bugzilla.redhat.com/show_bug.cgi?id=2334087
RUN mkdir /usr/lib/systemd/system/sssd.service.d
RUN ( echo '[Service]' ; sed '/^CapabilityBoundingSet=/!d; s/CAP_DAC_READ_SEARCH/& CAP_DAC_OVERRIDE/' /usr/lib/systemd/system/sssd.service ) > /usr/lib/systemd/system/sssd.service.d/capabilities.conf
RUN setcap cap_dac_override+ep /usr/libexec/sssd/ldap_child

COPY init-data ipa-client-enroll populate-data-volume setup-authorized-keys /usr/sbin/

COPY http-klist-kinit-kpasswd http-server /usr/local/bin/
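Review bot: The drop-in generator on the `sed` line fails open: if `/usr/lib/systemd/system/sssd.service` has no `CapabilityBoundingSet=` line that contains `CAP_DAC_READ_SEARCH`, the subshell still exits 0 and `capabilities.conf` is written holding only `[Service]`, so the image builds while the workaround silently does nothing; the same three lines are added in Dockerfile.idp, Dockerfile.www and Dockerfile.www-with-app. Folding the `mkdir` (as `mkdir -p`), the `sed` and the `setcap` into one `RUN` that ends with `&& grep -q CAP_DAC_OVERRIDE /usr/lib/systemd/system/sssd.service.d/capabilities.conf` would make a unit that no longer matches fail the build instead of shipping a broken override. Since `CAP_DAC_OVERRIDE` bypasses write and execute permission checks as well as the read/search checks that `CAP_DAC_READ_SEARCH` covers, the comment should record that the file capability on `ldap_child` is a deliberate widening tied to the bug, e.g. `# TODO: remove this drop-in and the setcap once bz 2334087 is fixed; CAP_DAC_OVERRIDE is broader than the CAP_DAC_READ_SEARCH the unit asks for.`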
6 changes: 6 additions & 0 deletions src/Dockerfile.idp
@@ -1,5 +1,11 @@
FROM registry.fedoraproject.org/fedora:41
RUN dnf install -y /usr/sbin/ipa-client-install /usr/sbin/ipsilon-server-install ipsilon-authform ipsilon-saml2 ipsilon-openidc ipsilon-infosssd sqlite openssl && dnf clean all

# Workaround https://bugzilla.redhat.com/show_bug.cgi?id=2334087
RUN mkdir /usr/lib/systemd/system/sssd.service.d
RUN ( echo '[Service]' ; sed '/^CapabilityBoundingSet=/!d; s/CAP_DAC_READ_SEARCH/& CAP_DAC_OVERRIDE/' /usr/lib/systemd/system/sssd.service ) > /usr/lib/systemd/system/sssd.service.d/capabilities.conf
RUN setcap cap_dac_override+ep /usr/libexec/sssd/ldap_child

COPY init-data ipa-client-enroll ipsilon-server-configure ipsilon-server-wait-for-sp populate-data-volume /usr/sbin/
COPY ipa-client-enroll.service ipsilon-server-configure.service ipsilon-server-wait-for-sp.service populate-data-volume.service /usr/lib/systemd/system/
RUN ln -s /usr/lib/systemd/system/ipa-client-enroll.service /usr/lib/systemd/system/default.target.wants/
6 changes: 6 additions & 0 deletions src/Dockerfile.www
@@ -1,5 +1,11 @@
FROM registry.fedoraproject.org/fedora:41
RUN dnf install -y /usr/sbin/ipa-client-install /usr/bin/ipsilon-client-install ipsilon-saml2 httpd mod_ssl mod_auth_gssapi mod_auth_openidc mod_intercept_form_submit mod_lookup_identity sssd-dbus /usr/bin/xargs openssl && dnf clean all

# Workaround https://bugzilla.redhat.com/show_bug.cgi?id=2334087
RUN mkdir /usr/lib/systemd/system/sssd.service.d
RUN ( echo '[Service]' ; sed '/^CapabilityBoundingSet=/!d; s/CAP_DAC_READ_SEARCH/& CAP_DAC_OVERRIDE/' /usr/lib/systemd/system/sssd.service ) > /usr/lib/systemd/system/sssd.service.d/capabilities.conf
RUN setcap cap_dac_override+ep /usr/libexec/sssd/ldap_child

COPY init-data ipa-client-enroll ipsilon-client-configure populate-data-volume www-setup-apache /usr/sbin/
COPY ipa-client-enroll.service ipsilon-client-configure.service populate-data-volume.service www-setup-apache.service /usr/lib/systemd/system/
RUN ln -s /usr/lib/systemd/system/ipa-client-enroll.service /usr/lib/systemd/system/default.target.wants/
6 changes: 6 additions & 0 deletions src/Dockerfile.www-with-app
@@ -1,5 +1,11 @@
FROM registry.fedoraproject.org/fedora:41
RUN dnf install -y /usr/sbin/ipa-client-install /usr/bin/ipsilon-client-install ipsilon-saml2 httpd mod_ssl mod_auth_gssapi mod_intercept_form_submit mod_lookup_identity sssd-dbus /usr/bin/xargs /usr/bin/systemd-tmpfiles openssl && dnf clean all

# Workaround https://bugzilla.redhat.com/show_bug.cgi?id=2334087
RUN mkdir /usr/lib/systemd/system/sssd.service.d
RUN ( echo '[Service]' ; sed '/^CapabilityBoundingSet=/!d; s/CAP_DAC_READ_SEARCH/& CAP_DAC_OVERRIDE/' /usr/lib/systemd/system/sssd.service ) > /usr/lib/systemd/system/sssd.service.d/capabilities.conf
RUN setcap cap_dac_override+ep /usr/libexec/sssd/ldap_child

COPY init-data ipa-client-enroll ipsilon-client-configure populate-data-volume www-setup-apache /usr/sbin/
COPY ipa-client-enroll.service ipsilon-client-configure.service populate-data-volume.service www-setup-apache.service /usr/lib/systemd/system/
RUN ln -s /usr/lib/systemd/system/ipa-client-enroll.service /usr/lib/systemd/system/default.target.wants/
