From fcbb5400f9eee5aad76297b0204ce96dac8b6650 Mon Sep 17 00:00:00 2001
From: Brendan Shephard
Date: Thu, 20 Feb 2025 11:54:50 +1000
Subject: [PATCH] Stop running Horizon as root

Jira: https://issues.redhat.com/browse/OSPRH-13293
Signed-off-by: Brendan Shephard
---
 pkg/horizon/deployment.go | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/pkg/horizon/deployment.go b/pkg/horizon/deployment.go
index 716624d..cc808fe 100644
--- a/pkg/horizon/deployment.go
+++ b/pkg/horizon/deployment.go
@@ -30,7 +30,7 @@ import (
 const (
 // ServiceCommand is the command used to run Kolla and launch the initial Apache process
- ServiceCommand = "/usr/local/bin/kolla_start"
+ ServiceCommand = "/usr/local/bin/kolla_httpd_setup && /usr/local/bin/kolla_start"
 horizonDashboardURL = "/dashboard/auth/login/?next=/dashboard/"
 horizonContainerPortName = "horizon"
 )
@@ -44,9 +44,11 @@ func Deployment(
 enabledServices map[string]string,
 topology *topologyv1.Topology,
 ) (*appsv1.Deployment, error) {
- runAsUser := int64(0)
- args := []string{"-c", ServiceCommand}
+ var runAsNonRoot bool = false
+ var runAsUserGroup int64 = 8443
+
+ args := []string{"--single-child", "/bin/bash", "-c", ServiceCommand}
 containerPort := corev1.ContainerPort{
 Name: horizonContainerPortName,
@@ -112,11 +114,14 @@ func Deployment(
 {
 Name: ServiceName,
 Command: []string{
- "/bin/bash"},
+ "/usr/bin/dumb-init",
+ },
 Args: args,
 Image: instance.Spec.ContainerImage,
 SecurityContext: &corev1.SecurityContext{
- RunAsUser: &runAsUser,
+ RunAsUser: &runAsUserGroup,
+ RunAsNonRoot: &runAsNonRoot,
+ RunAsGroup: &runAsUserGroup,
 },
 Env: env.MergeEnvs([]corev1.EnvVar{}, envVars),
 VolumeMounts: volumeMounts,
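Review bot: The doc comment on `ServiceCommand` in the first hunk no longer matches its value: the constant is now two commands joined with `&&`, so it is a shell command line that only works when passed to `bash -c`, not an executable path. I would reword it to `// ServiceCommand is the shell command line, run via bash -c, that executes kolla_httpd_setup and then kolla_start.` and add that kolla_start is skipped when the setup step exits non-zero. Any other consumer of the constant that executes it directly would break; none is visible in this patch, so that is worth checking across the package.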
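Review bot: `var runAsNonRoot bool = false` in the second hunk works against the stated goal of the commit: with `RunAsNonRoot` false the kubelet does not verify the effective UID, so the only thing keeping the container off UID 0 is the `RunAsUser` value itself. Declaring it as `runAsNonRoot := true` makes the kubelet refuse to start the container if the UID is later changed back to 0 or the field is dropped and the image defaults to root; the pointer is consumed in the SecurityContext in the third hunk. Separately, 8443 is an unexplained literal shared by user and group, and a named constant with a comment saying which account in the image it maps to would help (presumably the Horizon/Apache user, which the patch does not show). The body of `Deployment` continues outside this hunk.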
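Review bot: The new SecurityContext in the third hunk sets the UID and GID but leaves `AllowPrivilegeEscalation` and `Capabilities` at their defaults, so a setuid binary in the image can still raise privileges and the container keeps the runtime's default capability set. If the kolla scripts run cleanly without them, add `AllowPrivilegeEscalation: &allowPrivEsc,` (where `allowPrivEsc` is a proposed local set to `false`) and `Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},`; whether kolla_httpd_setup or Apache needs any capability cannot be determined from this patch and should be checked against the image. The switch to `/usr/bin/dumb-init` also makes the pod depend on that binary and on kolla_httpd_setup being present in `instance.Spec.ContainerImage`, which an older or custom image may not satisfy. The container literal starts and ends outside this hunk.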