Commit

The cap_dac_read_search is not among default capabilities in containers,
so cap_dac_override is needed.
adelton committed Dec 27, 2024
1 parent c251d21 commit 58b6fd1
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions Dockerfile.fedora-rawhide
Expand Up @@ -19,6 +19,11 @@ RUN dnf upgrade -y --setopt=install_weak_deps=False \
# var-lib-nfs-rpc_pipefs.mount would run (and fail) nondeterministically
RUN systemctl mask rpc-gssd.service

RUN mkdir /usr/lib/systemd/system/sssd.service.d
# Workaround https://bugzilla.redhat.com/show_bug.cgi?id=2334087
RUN ( echo '[Service]' ; sed '/^CapabilityBoundingSet=/!d; s/CAP_DAC_READ_SEARCH/& CAP_DAC_OVERRIDE/' /usr/lib/systemd/system/sssd.service ) > /usr/lib/systemd/system/sssd.service.d/capabilities.conf
RUN setcap cap_dac_override+ep /usr/libexec/sssd/ldap_child

# Container image which runs systemd
# debug: RUN test -f /etc/machine-id && ! test -s /etc/machine-id
# debug: RUN test "$container" = oci
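Review bot: The `RUN setcap cap_dac_override+ep /usr/libexec/sssd/ldap_child` line sets the file's whole capability set rather than adding to it, so any capability the package already put on ldap_child is dropped; given that the unit's CapabilityBoundingSet= carries CAP_DAC_READ_SEARCH (the sed substitution keys on it) and the commit message names cap_dac_read_search as what the service normally relies on, consider keeping both, e.g. `RUN setcap 'cap_dac_read_search,cap_dac_override+ep' /usr/libexec/sssd/ldap_child`. Related: the `e` flag marks the binary capability-dumb, so execve of ldap_child fails with EPERM whenever the process bounding set masks out cap_dac_override, which is exactly what happens if the sed in the previous RUN matches nothing. That sed emits an unchanged or empty drop-in without failing the build when sssd.service no longer has a `CapabilityBoundingSet=` line containing CAP_DAC_READ_SEARCH; appending `&& grep -q CAP_DAC_OVERRIDE /usr/lib/systemd/system/sssd.service.d/capabilities.conf` to that RUN line makes the workaround fail loudly when the upstream unit changes. Finally, the comment only cites the bugzilla URL; a few words on which ldap_child operation needs cap_dac_override inside containers would save the next reader a lookup.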