openshift: improve compatibility #131

16 changes: 14 additions & 2 deletions Dockerfile
Expand Up @@ -55,10 +55,22 @@ EXPOSE 1883 8883 8080 44053 4369 8888 \
9100 9101 9102 9103 9104 9105 9106 9107 9108 9109


VOLUME ["/vernemq/log", "/vernemq/data", "/vernemq/etc"]
VOLUME ["/vernemq/log", "/vernemq/data"]

HEALTHCHECK CMD vernemq ping | grep -q pong

USER vernemq
# Openshift Compatibility
COPY --chown=10000:10000 bin/uid_entrypoint /usr/sbin/uid_entrypoint

USER root

RUN chgrp -R 0 /vernemq && \
chmod -R g=u /vernemq && \
chgrp -R 0 /usr/sbin/uid_entrypoint && \
chmod -R g=u /usr/sbin/uid_entrypoint

RUN chmod g=u /etc/passwd
USER vernemq
ENTRYPOINT [ "uid_entrypoint" ]
CMD ["start_vernemq"]
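Review bot: `RUN chmod g=u /etc/passwd` leaves /etc/passwd writable by GID 0 for the life of the image, and since every arbitrary UID on OpenShift runs with GID 0, any process in the container (not only uid_entrypoint at start-up) can append entries to it; the `# Openshift Compatibility` comment should state that trade-off so the next reader does not mistake it for an accident. Two smaller points in the same hunk: `chgrp -R 0 /usr/sbin/uid_entrypoint` and `chmod -R g=u /usr/sbin/uid_entrypoint` target a single file, so `-R` can go; and `ENTRYPOINT [ "uid_entrypoint" ]` relies on a PATH lookup where `ENTRYPOINT [ "/usr/sbin/uid_entrypoint" ]` would not. Note also that `chmod -R g=u /vernemq` makes the baked-in config under /vernemq/etc group-writable by the runtime user, which is the same directory the removed `VOLUME` entry covered, so the change in write exposure for the config deserves a line in the commit message.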

14 changes: 13 additions & 1 deletion Dockerfile.alpine
Expand Up @@ -54,9 +54,21 @@ EXPOSE 1883 8883 8080 44053 4369 8888 \
9100 9101 9102 9103 9104 9105 9106 9107 9108 9109


VOLUME ["/vernemq/log", "/vernemq/data", "/vernemq/etc"]
Contributor

Can you explain why you've removed the /vernemq/etc volume?

Author

  • The Docker container runtime modifies permissions for folders listed as volumes when spinning up a container if no special mount point is defined.
  • The Helm chart does not mount anything to /vernemq/etc.
  • This creates issues when running as a random user.

Contributor

With your addition would mounting a custom /vernemq/etc/vernemq.conf.local still work?

Contributor

@dergraf it shouldn't make a difference, and @blazdivjak is probably right, it shouldn't have been there in the first place most likely. You can still mount that file from within docker run or k8s even without the volume statement.

Contributor

Ok, thanks. Does this mean that we can get rid of log and data too?

VOLUME ["/vernemq/log", "/vernemq/data"]

HEALTHCHECK CMD vernemq ping | grep -q pong

# Openshift Compatibility
COPY --chown=10000:10000 bin/uid_entrypoint /usr/sbin/uid_entrypoint

USER root

RUN chgrp -R 0 /vernemq && \
chmod -R g=u /vernemq && \
chgrp -R 0 /usr/sbin/uid_entrypoint && \
chmod -R g=u /usr/sbin/uid_entrypoint

RUN chmod g=u /etc/passwd
USER vernemq
ENTRYPOINT [ "uid_entrypoint" ]
CMD ["start_vernemq"]
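Review bot: `ENTRYPOINT [ "uid_entrypoint" ]` in this Alpine image runs a script whose shebang is `#!/bin/bash` (see bin/uid_entrypoint), but the Alpine base image does not ship bash, so unless an earlier layer installs it the container will fail to start with a "not found" error before `start_vernemq` is ever reached. Either install bash in this Dockerfile or make the script POSIX sh (`#!/bin/sh`), replacing the bashism `&> /dev/null` with `> /dev/null 2>&1`. The points raised on the Dockerfile hunk (group-writable /etc/passwd for the life of the image, redundant `-R` on a single file, absolute path for the entrypoint, group-writable /vernemq/etc) apply to this copy unchanged.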
7 changes: 7 additions & 0 deletions bin/uid_entrypoint
@@ -0,0 +1,7 @@
#!/bin/bash
if ! whoami &> /dev/null; then
if [ -w /etc/passwd ]; then
echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:/vernemq:/sbin/nologin" >> /etc/passwd
fi
fi
exec "$@"
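Review bot: nothing in this script or in either Dockerfile sets the execute bit on /usr/sbin/uid_entrypoint (the Dockerfiles only run `chmod g=u`, which copies the owner's bits to the group), so the ENTRYPOINT works only if bin/uid_entrypoint is committed with mode 100755; a `chmod 755 /usr/sbin/uid_entrypoint` in the Dockerfile would make this independent of how the file was checked out. Two more points: when `/etc/passwd` is not writable the script silently continues and VerneMQ then starts under a UID with no passwd entry, so an `echo "..." >&2` warning in an `else` branch of `if [ -w /etc/passwd ]` would make that failure diagnosable from the container log; and `${USER_NAME:-default}` is not documented anywhere in the README hunk, so either document the variable or drop it in favour of a fixed name.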
18 changes: 18 additions & 0 deletions helm/vernemq/README.md
Expand Up @@ -109,3 +109,21 @@ $ helm install vernemq/vernemq --name my-release -f values.yaml
Roles and RoleBindings resources will be created automatically.

To manually setup RBAC you need to set the parameter `rbac.create=false` and specify the service account to be used for each service by setting the parameters: `serviceAccounts.create` to `false` and `serviceAccounts.name` to the name of a pre-existing service account.

### Openshift Configuration

To deploy chart on Openshift admin permissions inside a project are required to
create the required service account, role and rolebinding.

You can either use `helm template` and `oc apply` to deploy with admin
permissions or grant Tiller admin access within a selected project.

Security context configuration must be disabled in values file because Openshift
will use random user to run the container.

```yaml
securityContext: {}
#runAsUser: 10000
#runAsGroup: 10000
#fsGroup: 10000
```
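Review bot: the section tells users to set `securityContext: {}` but does not explain why the image change makes that safe: OpenShift's arbitrary UID always runs with GID 0, which is why the Dockerfiles `chgrp -R 0 /vernemq` and why uid_entrypoint writes a passwd entry with group 0. A sentence to that effect, plus a mention of the `USER_NAME` variable the entrypoint reads, would let an operator verify the behaviour instead of trusting the `{}`. Since `helm template` followed by `oc apply` needs no cluster-side Tiller privileges, it is worth presenting it as the preferred route over granting Tiller admin on a project. Minor wording: "To deploy chart on Openshift admin permissions inside a project are required" reads better as "To deploy the chart on OpenShift, admin permissions inside the project are required", and "will use random user" as "will run the container as a random user".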
1 change: 1 addition & 0 deletions helm/vernemq/values.yaml
Expand Up @@ -65,6 +65,7 @@ tolerations: []
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
podAntiAffinity: soft

# If deployed on Openshift disable securityContext by setting it to {}
securityContext:
runAsUser: 10000
runAsGroup: 10000
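Review bot: the new comment says to set `securityContext` to `{}`, but the keys beneath it stay active, so a user has to delete them rather than uncomment an alternative; a commented-out `# securityContext: {}` line next to the active block would make the intended override copy-pasteable. The comment should also say that `{}` drops `fsGroup` together with `runAsUser`/`runAsGroup`: on OpenShift the platform supplies the group for the volumes, but on plain Kubernetes the same setting would remove the group that keeps the /vernemq/data and /vernemq/log volumes writable by the non-root user, so the advice is OpenShift-only in a way the current wording only implies.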