The mongodb bootstrap can not finish due to permission issue #64

Open
hchenxa opened this issue Mar 17, 2020 · 5 comments

hchenxa commented Mar 17, 2020

We found that mongodb cannot start on some environments due to a permission issue like the one below:

Install CS3.3 on OCP4.2

icp-memcached-7cd994d94-mbh2f                             1/1     Running                      0          176m
icp-mongodb-0                                             0/2     Init:1/2                     0          12m
management-ingress-5949f9644b-jpm6m                       1/1     Running                      0          175m
[root@knolls-inf ~]# oc logs icp-mongodb-0 -c bootstrap
2020/03/16 06:48:54 Determined Domain to be ibm-common-services.svc.cluster.local
2020/03/16 06:48:54 Peer list updated
was []
now [icp-mongodb-0.icp-mongodb.ibm-common-services.svc.cluster.local]
2020/03/16 06:48:54 execing: /init/on-start.sh with stdin: icp-mongodb-0.icp-mongodb.ibm-common-services.svc.cluster.local

After investigating, it is stuck in the script /init/on-start.sh, where it hits the permission problem:

Error opening CA Certificate /data/configdb/tls.crt
139970125055888:error:0200100D:system library:fopen:Permission denied:bss_file.c:402:fopen('/data/configdb/tls.crt','r')
bash-4.2$ ls -lrth
total 16K
-rw-r--r--. 1 root root  383 Mar 16 10:30 mongod.conf
-rw-------. 1 root root    7 Mar 16 10:30 key.txt
-r--------. 1 root root 1.7K Mar 16 10:30 tls.key
-r--------. 1 root root 1.2K Mar 16 10:30 tls.crt

After modifying the statefulset icp-mongodb to add runAsUser: 999, the pod can start up.

@kgcarr I checked the code and found that we commented out the chown/chmod in the install configmap and removed the securityContext in the statefulset, compared with the helm chart we used before.

kgcarr self-assigned this Mar 17, 2020

kgcarr commented Mar 17, 2020

The securityContext is also missing a runAsNonRoot: true which is a security risk


kgcarr commented Mar 17, 2020

securityContext:
    runAsUser: 999
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true

for bootstrap, mongodb, and metrics containers

Also fixing the missing memory limits here... two were still set to 8GB but should be 5GB


kgcarr commented Mar 19, 2020

create Pod icp-mongodb-0 in StatefulSet icp-mongodb failed error: pods "icp-mongodb-0" is forbidden: unable to validate against any security context constraint: [spec.initContainers[1].securityContext.securityContext.runAsUser: Invalid value: 999: must be in the ranges: [1000570000, 1000579999] spec.containers[0].securityContext.securityContext.runAsUser: Invalid value: 999: must be in the ranges: [1000570000, 1000579999] spec.containers[1].securityContext.securityContext.runAsUser: Invalid value: 999: must be in the ranges: [1000570000, 1000579999]]

Ran into this issue during testing... for Openshift we'll use 1000571999

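As an added example (not code from this thread or from the chart), a small Python check that reproduces the restricted SCC's MustRunAsRange validation quoted above, deriving the allowed range from the namespace annotation openshift.io/sa.scc.uid-range ("<start>/<size>"), and also verifies the hardening fields proposed earlier; the annotation value and the pod layout are constructed.

```python
# Added example: mirror the restricted-SCC UID-range check that rejected
# runAsUser: 999, plus the hardening fields proposed in this issue.

# Constructed annotation value producing the range quoted in the error.
NS_UID_RANGE = "1000570000/10000"

HARDENING = {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
             "readOnlyRootFilesystem": True}


def parse_uid_range(annotation):
    """'<start>/<size>' -> inclusive (start, end), as MustRunAsRange reads it."""
    start, size = (int(x) for x in annotation.split("/"))
    return start, start + size - 1


def check_pod(pod, uid_range):
    """Return the validation errors an admission check would raise for this pod."""
    start, end = parse_uid_range(uid_range)
    errors = []
    for kind in ("initContainers", "containers"):
        for i, c in enumerate(pod["spec"].get(kind, [])):
            sc = c.get("securityContext")
            if sc is None:
                continue  # SCC injects defaults; nothing explicit to validate
            path = f"spec.{kind}[{i}].securityContext"
            uid = sc.get("runAsUser")
            if uid is not None and not start <= uid <= end:
                errors.append(f"{path}.runAsUser: Invalid value: {uid}: "
                              f"must be in the ranges: [{start}, {end}]")
            for key, want in HARDENING.items():
                if sc.get(key) is not want:
                    errors.append(f"{path}.{key}: expected {want}")
    return errors


def container(name, uid):
    """Container carrying the proposed securityContext, parameterised by UID."""
    return {"name": name, "securityContext": {"runAsUser": uid, **HARDENING}}


def mongodb_pod(uid):
    """Constructed stand-in for icp-mongodb-0: install and bootstrap inits, two app containers."""
    return {"spec": {"initContainers": [{"name": "install"}, container("bootstrap", uid)],
                     "containers": [container("mongodb", uid), container("metrics", uid)]}}


if __name__ == "__main__":
    for uid in (999, 1000571999):
        print(uid, check_pod(mongodb_pod(uid), NS_UID_RANGE) or "ok")
```
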

kgcarr commented Mar 19, 2020

I cannot do what I used to do because I now run in openshift.io/scc: restricted


kgcarr commented Mar 24, 2020

@hchenxa see my comment in #65
