Latest SSSD needs the DAC_READ_SEARCH capability.

See also https://bugzilla.redhat.com/show_bug.cgi?id=2334087 and containers/podman#24904.
adelton · Jan 7, 2025 · c199da2 · c199da2
1 parent 8bf127e
commit c199da2
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 8 deletions.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -17,6 +17,8 @@ services:
             # - /sys/fs/cgroup:/sys/fs/cgroup:ro
         hostname: ipa.example.test
         stop_signal: RTMIN+3
+        cap_add:
+            - DAC_READ_SEARCH
         # tty: true
     idp:
         build:
@@ -29,6 +31,8 @@ services:
         stop_signal: RTMIN+3
         links:
             - ipa:ipa.example.test
+        cap_add:
+            - DAC_READ_SEARCH
         # tty: true
     www:
         build:
@@ -53,6 +57,8 @@ services:
             - ipa:ipa.example.test
             - idp:idp.example.test
             - app:app.example.test
+        cap_add:
+            - DAC_READ_SEARCH
         # Uncomment the following if you want to be able to access the
         # www container on host's interface as well.
         # ports:
@@ -73,6 +79,8 @@ services:
             - www:www.example.test
         ports:
             - "55022:22"
+        cap_add:
+            - DAC_READ_SEARCH
     app:
         build:
             context: ./src

diff --git a/docker-compose.yml.www-with-app.patch b/docker-compose.yml.www-with-app.patch
@@ -1,8 +1,8 @@
---- docker-compose.yml	2018-12-11 09:09:16.638080854 +0100
-+++ docker-compose.yml.www-with-app	2018-12-11 10:36:01.788270676 +0100
-@@ -33,20 +33,10 @@
-         links:
-             - ipa:ipa.example.test
+--- docker-compose.yml	2025-01-07 13:24:30.383332565 +0100
++++ docker-compose.yml.www-with-app	2025-01-07 13:45:34.152136298 +0100
+@@ -34,20 +34,10 @@
+         cap_add:
+             - DAC_READ_SEARCH
          # tty: true
 -    www:
 +    wwwapp:
@@ -28,17 +28,19 @@
              - ipa:ipa.example.test
              - idp:idp.example.test
 -            - app:app.example.test
+         cap_add:
+             - DAC_READ_SEARCH
          # Uncomment the following if you want to be able to access the
-         # www container on host's interface as well.
-         # ports:
-@@ -75,15 +64,6 @@
+@@ -76,17 +65,8 @@
          links:
              - ipa:ipa.example.test
              - idp:idp.example.test
 -            - www:www.example.test
 +            - wwwapp:www.example.test
          ports:
              - "55022:22"
+         cap_add:
+             - DAC_READ_SEARCH
 -    app:
 -        build:
 -            context: ./src