Skip to content

Commit

Permalink
Stop running Horizon as root
Browse files Browse the repository at this point in the history 
Jira: https://issues.redhat.com/browse/OSPRH-13293

Signed-off-by: Brendan Shephard <bshephar@redhat.com>
  • Loading branch information
@bshephar
bshephar committed Feb 24, 2025
1 parent 8ce6119 commit fcbb540
Showing 1 changed file with 10 additions and 5 deletions.
15 changes: 10 additions & 5 deletions pkg/horizon/deployment.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ import (

const (
// ServiceCommand is the command used to run Kolla and launch the initial Apache process
ServiceCommand = "/usr/local/bin/kolla_start"
ServiceCommand = "/usr/local/bin/kolla_httpd_setup && /usr/local/bin/kolla_start"
horizonDashboardURL = "/dashboard/auth/login/?next=/dashboard/"
horizonContainerPortName = "horizon"
)
Expand All @@ -44,9 +44,11 @@ func Deployment(
enabledServices map[string]string,
topology *topologyv1.Topology,
) (*appsv1.Deployment, error) {
runAsUser := int64(0)

args := []string{"-c", ServiceCommand}
var runAsNonRoot bool = false
var runAsUserGroup int64 = 8443

args := []string{"--single-child", "/bin/bash", "-c", ServiceCommand}

containerPort := corev1.ContainerPort{
Name: horizonContainerPortName,
Expand Down Expand Up @@ -112,11 +114,14 @@ func Deployment(
{
Name: ServiceName,
Command: []string{
"/bin/bash"},
"/usr/bin/dumb-init",
},
Args: args,
Image: instance.Spec.ContainerImage,
SecurityContext: &corev1.SecurityContext{
RunAsUser: &runAsUser,
RunAsUser: &runAsUserGroup,
RunAsNonRoot: &runAsNonRoot,
RunAsGroup: &runAsUserGroup,
},
Env: env.MergeEnvs([]corev1.EnvVar{}, envVars),
VolumeMounts: volumeMounts,
Expand Down

0 comments on commit fcbb540

Please sign in to comment.