From f9ccb1c8829cef551b875c7c387530e7980414a7 Mon Sep 17 00:00:00 2001
From: Steven Dake <stdake@cisco.com>
Date: Mon, 9 Nov 2015 22:14:56 -0500
Subject: [PATCH] Drop root for Horizon service

Drop root privileges for Horizon service.  It is necessary to set
a capability on the filesystem to allow binding to port 80 as a
non-root user.  I have tested this works correctly from a registry
on both CentOS and Ubuntu.

Change-Id: I4c26f28bb28b6633784e6842f3423a2425332c27
Partially-Implements: blueprint drop-root
---
 docker/horizon/Dockerfile.j2 | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/docker/horizon/Dockerfile.j2 b/docker/horizon/Dockerfile.j2
index 30b2277814..c083fa1072 100644
--- a/docker/horizon/Dockerfile.j2
+++ b/docker/horizon/Dockerfile.j2
@@ -56,7 +56,25 @@ RUN ln -s horizon-source/* horizon \
 
 {% endif %}
 
+# Set NET_BIND_SERVICE capability to httpd/apache2 so that it may run on
+# ports lower than 1024.
+#  Set pidfile and log directory to be writeable by # the horizon user.
+{% if base_distro in ['centos', 'fedora', 'oraclelinux', 'rhel'] %}
+
+RUN setcap 'cap_net_bind_service=ep' /usr/sbin/httpd \
+    && chown horizon: /run/httpd /etc/httpd/logs
+
+{% elif base_distro in ['ubuntu'] %}
+
+RUN setcap 'cap_net_bind_service=ep' /usr/sbin/apache2 \
+    && chown -R horizon: /var/run/apache2 /var/log/apache2
+
+{% endif %}
+
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN chmod 755 /usr/local/bin/kolla_extend_start
+RUN chmod 755 /usr/local/bin/kolla_extend_start \
+     && usermod -a -G kolla horizon
+
+USER horizon
 
 {{ include_footer }}
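Review bot: The two `setcap 'cap_net_bind_service=ep'` lines make the image depend on the runtime leaving NET_BIND_SERVICE in the container's bounding set. Because the effective bit is set, exec of httpd/apache2 fails with EPERM when that capability has been dropped, and under no-new-privileges the file capability is not granted, so the bind to port 80 would fail. The comment above the block should record this, e.g. `# Requires CAP_NET_BIND_SERVICE in the container's bounding set; stored as a file capability (security.capability xattr) on the binary.` Separately, the CentOS branch runs `chown horizon:` without `-R` while the Ubuntu branch uses `chown -R`; confirm that is intentional, and if `/etc/httpd/logs` is a symlink, name the real log directory, since `-R` does not descend through a symlink by default. The stray `#` in "writeable by # the horizon user" looks like a re-wrap leftover and should be dropped.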
-- 
GitLab