Comments (9)
Possibly we could expose the fsgroup workaround via a flag in the values.yaml file.
from infinispan-helm-charts.
+1 to allowing this to be configurable. How about allowing a user to specify the entire container securityContext via deploy.container.securityContext?
from infinispan-helm-charts.
I happened to have the exact same problem this morning. It seems that the persistent volume needs to be updated to allow it to be writable.
Setting deploy.makeDataDirWritable: true in the values of the chart should solve this.
from infinispan-helm-charts.
Thanks @rigazilla. I updated the config and the containers are starting up now without the need to set privileged on the namespace.
from infinispan-helm-charts.
This also affects our operator infinispan/infinispan-operator#392
Unfortunately we only have the workaround suggested by @rjl79. It would be great to have a better solution for this that didn't require an explicit workaround, but so far investigating this has been a low priority. Any suggestions are very welcome 🙂
from infinispan-helm-charts.
Thanks for the workaround @rjl79, although I cannot seem to get that to work.
I changed makeDataDirWritable: true in values.yaml and got Init:CreateContainerConfigError. I also tried this by modifying my install command as such: helm install infinispan-server . --set deploy.makeDataDirWritable=true -n token-cache and got Init:CreateContainerConfigError as well.
Error: container has runAsNonRoot and image will run as root (pod: "infinispan-server-0_token-service-cache-playground(1177de15-91ca-4ae6-97e0-92692a877e27)", container: data-chmod-pv)
Does this need to run as Root? I don't see anything in values.yaml that I can change related to this.
from infinispan-helm-charts.
Another workaround could be to explicitly set the fs group on the pv. See here
from infinispan-helm-charts.
@rigazilla Sorry, not quite following how that changes anything. Our situation is we are deploying to a namespace without privileged pod security. The initContainer data-chmod-pv seems like what is requiring elevated permissions and terminates when it's done, leaving the infinispan container running as the jboss user. From what the template block says, the initContainer data-chmod-pv only runs when we set deploy.makeDataDirWritable to true, which is to fix the above issue error ISPN000512 Cannot acquire lock /opt/infinispan/server/data/___global.lck. Taking all this in seems to make me think we just need a way to set the perms and mount that /opt/infinispan/server/data other than using the initContainer. I added the fsGroup as in the link you provided, but it didn't change anything on our end when turning off privileged access in the namespace. I haven't had much exposure to helm charts, so maybe I'm missing something.
from infinispan-helm-charts.
@thetoolsmith, do you have a security issue or the solution doesn't work?
I didn't specify, but you don't need the deploy.makeDataDirWritable: true change for this; with fsGroup, Kubernetes should correctly set the group on the file system for you (see here)
from infinispan-helm-charts.
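
The fsGroup approach suggested in the last comment, shown as an added example (it is not the chart's own template and not part of the thread): a plain Kubernetes Pod whose pod-level securityContext makes the data volume group-writable, so no root init container is needed when runAsNonRoot is enforced. The pod, volume and claim names, the image reference and the UID/GID 185 are placeholders and assumptions, not values taken from the chart.

```yaml
# Added example: constructed manifest, not rendered from infinispan-helm-charts.
apiVersion: v1
kind: Pod
metadata:
  name: infinispan-fsgroup-example        # constructed name
spec:
  securityContext:
    runAsNonRoot: true                    # kubelet refuses containers that would start as UID 0
    runAsUser: 185                        # assumption: UID of the image's non-root user
    fsGroup: 185                          # assumption: GID applied to the volume at mount time
    fsGroupChangePolicy: OnRootMismatch   # skip the recursive chown when the volume root already matches
  # No initContainers: a chmod/chown step running as root would be rejected
  # under runAsNonRoot, which is the error quoted earlier in the thread.
  containers:
    - name: infinispan
      image: registry.example.invalid/infinispan-server:PLACEHOLDER   # placeholder image
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: data-volume               # constructed volume name
          mountPath: /opt/infinispan/server/data   # data directory named in the thread
  volumes:
    - name: data-volume
      persistentVolumeClaim:
        claimName: infinispan-data-PLACEHOLDER     # placeholder claim name
```

Kubernetes applies fsGroup only to volume types that support ownership management, so if the data directory stays unwritable, check how the storage driver behind the claim handles fsGroup.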