From a850f8b2f51b96a9d57dab1a6ab55b9ecdeaa0ca Mon Sep 17 00:00:00 2001
From: Mai Bui
Date: Thu, 19 Oct 2023 14:17:05 -0400
Subject: [PATCH] Fix privileged and volumes for macsec container (#16894)

### Why I did it
Privileges and volumes were incorrectly set in macsec container. Privileged flag is set to false and volumes are not mounted properly.
```
admin@vlab-01:~$ docker inspect macsec0 | grep Privi
"Privileged": false,
admin@vlab-01:~$ docker inspect macsec0 | grep -A 10 Binds
"Binds": [
"/var/run/redis0:/var/run/redis:rw",
"/var/run/redis-chassis:/var/run/redis-chassis:ro",
"/usr/share/sonic/device/x86_64-nokia_ixr7250e_36x400g-r0/Nokia-IXR7250E-36x100G/0:/usr/share/sonic/hwsku:ro",
"/var/run/redis0/:/var/run/redis0/:rw",
"/usr/share/sonic/device/x86_64-nokia_ixr7250e_36x400g-r0:/usr/share/sonic/platform:ro"
],
```
### How I did it
#### How to verify it
Make sure privileged settings remain unchanged and make sure volumes are properly mounted
```
admin@vlab-01:~$ docker inspect macsec | grep Privi
"Privileged": false,
admin@vlab-01:~$ docker inspect macsec | grep -A 10 Binds
"Binds": [
"/etc/timezone:/etc/timezone:ro",
"/var/run/redis:/var/run/redis:rw",
"/var/run/redis-chassis:/var/run/redis-chassis:ro",
"/etc/fips/fips_enable:/etc/fips/fips_enable:ro",
"/usr/share/sonic/templates/rsyslog-container.conf.j2:/usr/share/sonic/templates/rsyslog-container.conf.j2:ro",
"/etc/sonic:/etc/sonic:ro",
"/host/warmboot:/var/warmboot",
"/usr/share/sonic/device/x86_64-kvm_x86_64-r0/Force10-S6000/:/usr/share/sonic/hwsku:ro",
"/usr/share/sonic/device/x86_64-kvm_x86_64-r0:/usr/share/sonic/platform:ro"
],
```
---
 rules/docker-macsec.mk | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/rules/docker-macsec.mk b/rules/docker-macsec.mk
index 49f80133b9bd..bb85a65b4f89 100644
--- a/rules/docker-macsec.mk
+++ b/rules/docker-macsec.mk
@@ -38,10 +38,10 @@ endif
 $(DOCKER_MACSEC)_CONTAINER_NAME = macsec
 $(DOCKER_MACSEC)_VERSION = 1.0.0
 $(DOCKER_MACSEC)_PACKAGE_NAME = macsec
-$(DOCKER_MACSEC)_RUN_OPT += --privileged -t
-$(DOCKER_MACSEC)_RUN_OPT += -v /etc/sonic:/etc/sonic:ro
-$(DOCKER_MACSEC)_RUN_OPT += -v /etc/timezone:/etc/timezone:ro
-$(DOCKER_MACSEC)_RUN_OPT += -v /host/warmboot:/var/warmboot
+$(DOCKER_MACSEC)_CONTAINER_PRIVILEGED = false
+$(DOCKER_MACSEC)_CONTAINER_VOLUMES += /etc/sonic:/etc/sonic:ro
+$(DOCKER_MACSEC)_CONTAINER_VOLUMES += /etc/timezone:/etc/timezone:ro
+$(DOCKER_MACSEC)_CONTAINER_VOLUMES += /host/warmboot:/var/warmboot
 $(DOCKER_MACSEC)_SERVICE_REQUIRES = updategraph
 $(DOCKER_MACSEC)_SERVICE_AFTER = swss syncd
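Review bot: The `/host/warmboot:/var/warmboot` entry added to `_CONTAINER_VOLUMES` carries no access mode, so unlike the two `:ro` entries above it the container gets a writable bind mount of a host directory (the "How to verify" output in the description shows it bound without a mode). If macsec only reads warm-boot state, append `:ro`; if it has to write there, spell it out as `/host/warmboot:/var/warmboot:rw` with a comment line saying what it writes, so the writable host path of this otherwise unprivileged container is a visible decision. Whether it writes is not visible in this hunk. The old `RUN_OPT` line also passed `-t`, which has no counterpart in the new lines; it is worth confirming that the container-variable path still allocates a tty or that macsec does not need one. A comment above `$(DOCKER_MACSEC)_CONTAINER_PRIVILEGED = false`, such as `# macsec runs unprivileged; do not re-add --privileged`, would keep the setting from being reverted later.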