Run the swift_rsync container unprivileged

The container still needs the NET_BIND_SERVICE linux capability to bind to the rsync port. Change-Id: Iecc73e968113b8dca1de3b755751b56f414a3328 Closes-Bug: #1864986 Resolves: rhbz#1807841
2020-02-27 11:42:03 +01:00 · 2020-02-27 11:42:03 +01:00 · 1572a975d8
parent 6ba727a493
commit 1572a975d8
1 changed files with 3 additions and 1 deletions
--- a/deployment/swift/swift-storage-container-puppet.yaml
+++ b/deployment/swift/swift-storage-container-puppet.yaml
@ -557,7 +557,9 @@ outputs:
                restart: always
                healthcheck:
                  test: /openstack/healthcheck
-                privileged: true
+                privileged: false
+                cap_add:
+                  - NET_BIND_SERVICE
                volumes:
                  list_concat:
                    - {get_attr: [ContainersCommon, volumes]}