diff --git a/images/recycler/Dockerfile b/images/recycler/Dockerfile
index 0a3cc653e66c..e7947a8f2c9e 100644
--- a/images/recycler/Dockerfile
+++ b/images/recycler/Dockerfile
@@ -9,11 +9,8 @@
 #
 FROM openshift/origin
-RUN yum install -y sudo
-
-# Edit sudoers file
-# To avoid error: sudo: sorry, you must have a tty to run sudo
-RUN sed -i -e "s/Defaults requiretty.*/ #Defaults requiretty/g" /etc/sudoers
+RUN yum install -y sudo && \
+    sed -i -e "s/Defaults requiretty.*/ #Defaults requiretty/g" /etc/sudoers
 ADD scripts/recycler.sh /usr/share/openshift/scripts/volumes/recycler.sh
diff --git a/images/recycler/scripts/recycler.sh b/images/recycler/scripts/recycler.sh
index 760b2ea34f76..0dc5d71a63e8 100755
--- a/images/recycler/scripts/recycler.sh
+++ b/images/recycler/scripts/recycler.sh
@@ -35,14 +35,13 @@ find "${dir}" -type f -print0 | xargs -r -n 1 -0 bash -c 'recycle_file "$@"' {}
 function rm_all() {
   filename="${1}"
   uid=$(stat -c "#%u" "$(unknown)")
-  echo "rm_all '$(unknown)'"
   sudo -u "${uid}" rm -rf "$(unknown)"
 }
 export -f rm_all
 find "${dir}" ! -type d -print0 | xargs -r -n 1 -0 bash -c 'rm_all "$@"' {}
-find "${dir}" -mindepth 1 -type d -print0 | sort -z -k 1 -rg | xargs -r -n 1 -0 bash -c 'rm_all "$@"' {}
+find "${dir}" -mindepth 1 -type d -print0 | sort -zrg | xargs -r -n 1 -0 bash -c 'rm_all "$@"' {}
 echo "Scrub OK"
 exit 0
diff --git a/pkg/cmd/server/bootstrappolicy/securitycontextconstraints.go b/pkg/cmd/server/bootstrappolicy/securitycontextconstraints.go
index cc308d1da175..bd3b2dbc74df 100644
--- a/pkg/cmd/server/bootstrappolicy/securitycontextconstraints.go
+++ b/pkg/cmd/server/bootstrappolicy/securitycontextconstraints.go
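Review bot: The sed rewrite of /etc/sudoers on the merged RUN line is never validated, so a pattern that damages sudoers syntax would only surface at runtime when the recycler's sudo calls start failing; adding `visudo -cf /etc/sudoers && \` after the sed step makes the image build fail instead. The same RUN could end with `yum clean all` so the package cache does not stay in the layer. The commit also drops the comment explaining that requiretty is disabled because the script runs sudo non-interactively; a one-line comment above the RUN keeping that reason visible would help the next person who touches the sudoers edit.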
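Review bot: The directory pass on the new `sort -zrg` line still gets its deepest-first order from sort's byte-wise last-resort comparison, not from `-g`, which parses no number out of a path; `find "${dir}" -mindepth 1 -depth -type d -print0 | xargs -r -n 1 -0 bash -c 'rm_all "$@"' {}` produces children before parents directly and removes the dependence on that fallback. In rm_all, the `sudo -u "${uid}" rm -rf` call should also place `--` before the path argument so a name beginning with `-` can never be read as an rm option (the path expansion on that line is shown as `$(unknown)` in this rendering, presumably an extraction artifact). Since the removed echo was the only record of what rm_all deleted, and the function runs as the file owner's UID including root for root-owned files, a short comment on the function stating that it intentionally deletes as the owning UID would document the privilege boundary the script relies on.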
@@ -19,8 +19,8 @@ const (
 	SecurityContextConstraintNonRootDesc = "nonroot provides all features of the restricted SCC but allows users to run with any non-root UID. The user must specify the UID or it must be specified on the by the manifest of the container runtime."
 	// SecurityContextConstraintHostMountAndAnyUID is used as the name for the system default host mount + any UID scc.
-	SecurityContextConstraintHostMountAndAnyUID = "hostmountanyuid"
-	SecurityContextConstraintHostMountAndAnyUIDDesc = "hostmount provides all the features of the restricted SCC but allows host mounts and any UID by a pod. This is primarily used by the persistent volume recycler. WARNING: this SCC allows host file system access. Grant with caution."
+	SecurityContextConstraintHostMountAndAnyUID = "hostmount-anyuid"
+	SecurityContextConstraintHostMountAndAnyUIDDesc = "hostmount-anyuid provides all the features of the restricted SCC but allows host mounts and any UID by a pod. This is primarily used by the persistent volume recycler. WARNING: this SCC allows host file system access as any UID, including UID 0. Grant with caution."
 	// SecurityContextConstraintHostNS is used as the name for the system default scc
 	// that grants access to all host ns features.
@@ -133,7 +133,7 @@ func GetBootstrapSecurityContextConstraints(sccNameToAdditionalGroups map[string
 			// This strategy requires that annotations on the namespace which will be populated
 			// by the admission controller. If namespaces are not annotated creating the strategy
 			// will fail.
-			Type: kapi.SELinuxStrategyRunAsAny,
+			Type: kapi.RunAsUserStrategyRunAsAny,
 		},
 		FSGroup: kapi.FSGroupStrategyOptions{
 			// This strategy requires that annotations on the namespace which will be populated
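Review bot: Changing SecurityContextConstraintHostMountAndAnyUID from "hostmountanyuid" to "hostmount-anyuid" changes the object name the bootstrap creates, and on an already-bootstrapped cluster the old SCC and whatever users or groups were granted it would presumably stay in place next to the new one, leaving a second host-mount-capable SCC that the bootstrap no longer manages; the commit carries no migration step or note for that. Given that the description itself warns the SCC grants host file-system access as any UID, the commit message or release notes should tell administrators to delete the stale `hostmountanyuid` object after upgrade, or the bootstrap should do it. The const block continues outside the hunk.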
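Review bot: The three comment lines above the changed `Type:` say the strategy requires namespace annotations and fails without them, but the new value `kapi.RunAsUserStrategyRunAsAny` is the run-as-any strategy, which presumably consults no UID range from the namespace at all; the comment appears to have been carried over from a range-based entry and now misdescribes the policy, which matters for anyone auditing what this SCC permits. Something like `// RunAsAny: no UID restriction is applied and no namespace annotation is consulted.` would match the code, hedged because the field this literal assigns is outside the hunk. GetBootstrapSecurityContextConstraints starts and ends outside the hunk.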