<html><head></head><body><div class="ydp5bb0ebe2yahoo-style-wrap" style="font-family: lucida console, sans-serif; font-size: 16px;"><div dir="ltr" data-setdir="false">Hi</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">I have a dbus policy for a service running on the host for the root user.</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false"><pre>&lt;!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"&gt;
&lt;busconfig&gt;

  &lt;!-- Only root can own the bus --&gt;

  &lt;policy user="root"&gt;
    &lt;allow own_prefix="org.myOrg.HostService"/&gt;
  &lt;/policy&gt;

  &lt;!-- Allow user "root" to invoke methods on the bus --&gt;
  &lt;policy user="root"&gt;
    &lt;allow send_destination="org.myOrg.HostService"/&gt;
    &lt;allow receive_sender="org.myOrg.HostService"/&gt;
  &lt;/policy&gt;

&lt;/busconfig&gt;</pre></div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">I have a process running in another container that needs to use this service.</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">This process runs as a different user, named frr. This user is created on, and known only to, this container.</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false"><pre>root@sonic:~# docker exec -it myContainer bash
root@sonic:/# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
frr 79 0.0 0.1 1215272 20316 pts/0 Sl Dec09 0:04 /usr/lib/frr/ze
frr 96 0.0 0.0 48348 8392 pts/0 S Dec09 0:00 /usr/lib/frr/st</pre></div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">When these processes try to use dbus, they are not able to get the dbus connection:</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false"><pre>static DBus::Connection conn = DBus::Connection::SystemBus();</pre></div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">I tried adding user 'frr' to the policy, but realized later that the host would not know about this user (after I continued to see the same problem).</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">How can I let users created in containers access it through a policy? Can I do it with a policy on the host, or is there any other way?</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">These processes have a limitation that they cannot be run as root.</div><div dir="ltr" data-setdir="false"><br></div><div class="ydp5bb0ebe2signature"><div style="font-family:sans-serif;font-size:16px;" dir="ltr">~~ Thanks, Srinadh</div></div></div></body></html>
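As an added diagnostic example (not code from the message or from the SONiC project), the script below parses a busconfig fragment built from the policy above plus the `<policy user="frr">` block the poster tried, and resolves each `user=` attribute the way dbus-daemon does: as a numeric uid, or as a name looked up in the host's account database. The host passwd map and the default-deny rule (as in the stock system.conf) are constructed assumptions; the point it shows is that a username that exists only inside a container never produces an effective policy on the host, because the daemon only ever sees the connecting process's numeric uid.

```python
import xml.etree.ElementTree as ET

# Constructed fragment: the poster's policy plus the user="frr" block they tried.
POLICY_XML = """<busconfig>
  <policy user="root">
    <allow own_prefix="org.myOrg.HostService"/>
  </policy>
  <policy user="root">
    <allow send_destination="org.myOrg.HostService"/>
    <allow receive_sender="org.myOrg.HostService"/>
  </policy>
  <policy user="frr">
    <allow send_destination="org.myOrg.HostService"/>
  </policy>
</busconfig>"""

# Constructed host account database: what the host's getpwnam() would return.
# "frr" exists only inside the container, so it is absent here.
HOST_PASSWD = {"root": 0}


def resolve_user(value, passwd):
    """A user= attribute is either a numeric uid or a host username."""
    if value.isdigit():
        return int(value)
    return passwd.get(value)  # None: dbus-daemon warns and drops the policy


def load_policies(xml_text, passwd):
    """Return (rules keyed by uid, user names the host could not resolve)."""
    rules, unresolved = {}, []
    for pol in ET.fromstring(xml_text).findall("policy"):
        user = pol.get("user")
        if user is None:
            continue  # group=/context= policies are outside this example
        uid = resolve_user(user, passwd)
        if uid is None:
            unresolved.append(user)
            continue
        for rule in pol:
            rules.setdefault(uid, []).append((rule.tag, dict(rule.attrib)))
    return rules, unresolved


def may_send_to(uid, dest, rules):
    """Assumption: default deny; the last matching rule wins, as in dbus-daemon."""
    verdict = False
    for tag, attrs in rules.get(uid, []):
        if attrs.get("send_destination") == dest:
            verdict = tag == "allow"
    return verdict
```

Running `load_policies(POLICY_XML, HOST_PASSWD)` reports `frr` as unresolved, so only uid 0 ends up with any send rule for `org.myOrg.HostService`; whatever numeric uid the container's `frr` maps to is left at the default deny.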