Diffstat (limited to 'setup')
-rw-r--r-- | setup/configs/security.yml | 28 | ||||
-rw-r--r-- | setup/projects/adei/templates/60-adei.yml.j2 | 17 | ||||
-rw-r--r-- | setup/projects/adei/vars/globals.yml | 12 | ||||
-rw-r--r-- | setup/projects/adei/vars/pods.yml | 2 | ||||
-rw-r--r-- | setup/projects/adei/vars/volumes.yml | 18 | ||||
-rw-r--r-- | setup/projects/kaas/templates/40-kaas-manager.yml.j2 | 3 | ||||
-rw-r--r-- | setup/projects/kaas/vars/volumes.yml | 11 | ||||
-rw-r--r-- | setup/projects/katrin/vars/volumes.yml | 2 |
8 files changed, 52 insertions, 41 deletions
diff --git a/setup/configs/security.yml b/setup/configs/security.yml
index b870c55..22784b3 100644
--- a/setup/configs/security.yml
+++ b/setup/configs/security.yml
@@ -1,26 +1,36 @@
-ands_openshift_gid_mode:
- ands_default: "MustRunAs"
-# sample: "RunAsAny"
-
-#ands_openshift_uid_mode:
-# ands_default: "MustRunAsRange"
+#The SCC is global, not per project.
+# It is better to work with groups.
+#ands_openshift_uid_mode: "MustRunAsRange"
+# Allow setting the required fsGroup in pod-specification (default is MustRunAs).
+# - If Ceph or other block storage is used, it is necessary set 'fsGroup' in pod definitions if 'RunAsAny' strategy is selected. Otherwise, the matching rules will fail.
+# - For some reason, 'fsGroup' is not used as 'gid' for container. The 'gid' is always 0 (maybe only if container is run by unknown user or withiout known group).
+# - May be it also should not. While documentation states that the new files are created with fsGroup gid, it also states that fsGroup is only used for network block storage (ceph).
+# - Using "MustRunAs" a first 'gid' specified in the project 'supplementalGroups' will be used as 'fsGroup'.
+# - Yes, in the project, not 'pod'. Consequently, the 'group' assigned to project is always in the 'supGroups' if 'MustRunAs' is selected.
+# - gid=0 is also always in
+# I tend to keep the default settings and use +s to enfore group ownership. If project uses multiple 'groups', the first group in the range should not be used and we avoid unintended sharing.
+#ands_openshift_gid_mode: "RunAsAny"
+#To enforce the range specified in the project configuration.
+# - The gids outside of the range will be rejected and pod will fail if "MustRunAs" is selected.
+ands_openshift_groups_mode: "MustRunAs"
 #ands_openshift_uid_ranges:
 ands_openshift_gid_ranges:
 kaas: "4000/10"
 katrin: "5000/10"
- test: "7100/10"
 adei: "6000/10"
 bora: "6100/10"
 web: "6200/10"
 mon: "7000/10"
+ test: "7100/10"
+# The default user and group mentioned in some projects
 ands_openshift_uids:
- kaas: { id: 6000 }
+ kaas: { id: 4000 }
 ands_openshift_gids:
- kaas: { id: 6000 }
+ kaas: { id: 4000 }
 ands_default_file_group: root
 ands_default_file_owner: root
diff --git a/setup/projects/adei/templates/60-adei.yml.j2 b/setup/projects/adei/templates/60-adei.yml.j2
index 537368f..ca3c17a 100644
--- a/setup/projects/adei/templates/60-adei.yml.j2
+++ b/setup/projects/adei/templates/60-adei.yml.j2
@@ -95,6 +95,8 @@ objects:
 adei-type: "{{ pod_type }}"
 adei-name: "{{ name }}"
 adei-setup: "${setup}"
+ annotations:
+ kaas/replicas: "{{ cfg.replicas }}"
 spec:
 replicas: "{{ cfg.replicas }}"
 revisionHistoryLimit: "{{ adei_pod_history_limit }}"
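Review bot: The active key added on the last `+` line of this hunk is `ands_openshift_groups_mode: "MustRunAs"`, but the commented line directly above it documents `#ands_openshift_gid_mode: "RunAsAny"`, and the two templates touched by this commit (60-adei.yml.j2 and 40-kaas-manager.yml.j2) guard their new `fsGroup:` lines with `ands_openshift_gid_mode | default('')`, so the value set here is never read by them. Today the rendered output is the same, because `default('')` makes the template test fall through to the no-fsGroup path, but switching this variable to `"RunAsAny"` would silently leave `fsGroup` out of the pod specs, which the comment block itself warns will fail the SCC matching rules. Either rename the key to `ands_openshift_gid_mode: "MustRunAs"` or make the templates read `ands_openshift_groups_mode`, and state in the comment which name is canonical. The new comment block also carries the typos `enfore`, `withiout` and `May be`.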
@@ -127,20 +129,15 @@ objects:
 {% if (cfg.groups is defined) or (cfg.run_as is defined) %}
 securityContext:
 {% if (cfg.run_as is defined) %}
-{% if (kaas_project_config.uids | default(kaas_openshift_uids))[cfg.run_as] is defined %}
- - {{ (kaas_project_config.uids | default(kaas_openshift_uids))[cfg.run_as].id }}
-{% else %}
- - {{ cfg.run_as }}
-{% endif %}
+ runAsUser: {{ (kaas_project_uids[cfg.run_as] is defined) | ternary(kaas_project_uids[cfg.run_as].id, cfg.run_as) }}
 {% endif %}
 {% if (cfg.groups is defined) %}
+{% if (ands_openshift_gid_mode | default('')) == "RunAsAny" %}
+ fsGroup: {{ (kaas_project_gids[cfg.groups[0]] is defined) | ternary(kaas_project_gids[cfg.groups[0]].id, cfg.groups[0]) }}
+{% endif %}
 supplementalGroups:
 {% for group in cfg.groups %}
-{% if (kaas_project_config.gids | default(kaas_openshift_gids))[group] is defined %}
- - {{ (kaas_project_config.gids | default(kaas_openshift_gids))[group].id }}
-{% else %}
- - {{ group }}
-{% endif %}
+ - {{ (kaas_project_gids[group] is defined) | ternary(kaas_project_gids[group].id, group) }}
 {% endfor %}
 {% endif %}
 {% endif %}
diff --git a/setup/projects/adei/vars/globals.yml b/setup/projects/adei/vars/globals.yml
index 21f4db1..f8d7816 100644
--- a/setup/projects/adei/vars/globals.yml
+++ b/setup/projects/adei/vars/globals.yml
@@ -182,7 +182,7 @@ adei_frontends:
 cacher:
 name: "adei-${setup}-cacher"
 replicas: "${cache_replicas}"
- cmd: [ "/bin/bash", "/adei/src/scripts/system/cacher.sh" ]
+ cmd: [ "/openshift-entrypoint.sh", "/adei/src/scripts/system/cacher.sh" ]
 env: "{{ adei_pod_env | union(adei_cache_env) }}"
 vols: "{{ adei_pod_vols }}"
 mounts: "{{ adei_prod_mounts | union(adei_pod_mounts) }}"
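Review bot: The new `runAsUser:` and `fsGroup:` lines use `ternary`, which is a filter, so both alternatives are evaluated before the test result selects one; `kaas_project_uids[cfg.run_as].id` is therefore computed even when `cfg.run_as` is not a key, whereas the replaced `{% if %}/{% else %}` form only rendered the chosen branch. Whether that is tolerated depends on how the Ansible version in use treats attribute access on an undefined value (a chaining undefined passes, a strict one raises), so it is worth rendering a pod whose `run_as` is a raw uid once before relying on it. When the fallback branch is taken with a non-numeric name, `runAsUser:` is emitted as a bare string that the API server rejects, since the field is an integer; a Jinja comment such as `{# run_as and groups entries are either keys of kaas_project_uids/gids or raw numeric ids #}` above `securityContext:` would record that contract. `kaas_project_uids` and `kaas_project_gids` are not defined anywhere in this diff, so they presumably come from another part of the role.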
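Review bot: `cmd` now starts with `/openshift-entrypoint.sh` and passes the script path as its first argument, so the script is no longer launched through `/bin/bash`; if the entrypoint execs its arguments directly, `cacher.sh` and the cron scripts must carry the executable bit, which the old form did not require. The same substitution appears in the archive_cacher, log_cacher, update, maintain and clean entries of the following hunks. A one-line comment on the first `cmd:` such as `# /openshift-entrypoint.sh wraps the script; see the image for what it sets up before exec` would tell a reader why the wrapper replaced bash (presumably the arbitrary-uid handling discussed in security.yml), since the entrypoint itself is not part of this change.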
@@ -191,7 +191,7 @@ adei_frontends:
 archive_cacher:
 name: "adei-${setup}-archive-cacher"
 replicas: "1"
- cmd: [ "/bin/bash", "/adei/src/scripts/system/cacher.sh", "-m", "archive" ]
+ cmd: [ "/openshift-entrypoint.sh", "/adei/src/scripts/system/cacher.sh", "-m", "archive" ]
 env: "{{ adei_pod_env | union(adei_arc_cache_env) }}"
 vols: "{{ adei_pod_vols }}"
 mounts: "{{ adei_prod_mounts | union(adei_pod_mounts) }}"
@@ -200,7 +200,7 @@ adei_frontends:
 log_cacher:
 name: "adei-${setup}-log-cacher"
 replicas: "${enable_logs}"
- cmd: [ "/bin/bash", "/adei/src/scripts/system/cacher.sh" ]
+ cmd: [ "/openshift-entrypoint.sh", "/adei/src/scripts/system/cacher.sh" ]
 env: "{{ adei_pod_env | union(adei_log_cache_env) }}"
 vols: "{{ adei_pod_vols }}"
 mounts: "{{ adei_prod_mounts | union(adei_pod_mounts) }}"
@@ -209,7 +209,7 @@ adei_frontends:
 update:
 name: "adei-${setup}-update"
 cron: "${update_schedule}"
- cmd: [ "/bin/bash", "/adei/src/scripts/cron/adei.cron.sh" ]
+ cmd: [ "/openshift-entrypoint.sh", "/adei/src/scripts/cron/adei.cron.sh" ]
 env: "{{ adei_pod_env | union(adei_cron_env) | union(adei_update_env) }}"
 vols: "{{ adei_pod_vols }}"
 mounts: "{{ adei_prod_mounts | union(adei_pod_mounts) }}"
@@ -218,7 +218,7 @@ adei_frontends:
 maintain:
 name: "adei-${setup}-maintain"
 cron: "${maintain_schedule}"
- cmd: [ "/bin/bash", "/adei/src/scripts/cron/adei_manager.cron.sh" ]
+ cmd: [ "/openshift-entrypoint.sh", "/adei/src/scripts/cron/adei_manager.cron.sh" ]
 env: "{{ adei_pod_env | union(adei_cron_env) }}"
 vols: "{{ adei_pod_vols }}"
 mounts: "{{ adei_prod_mounts | union(adei_pod_mounts) }}"
@@ -227,7 +227,7 @@ adei_frontends:
 clean:
 name: "adei-${setup}-clean"
 cron: "${clean_schedule}"
- cmd: [ "/bin/bash", "/adei/src/scripts/cron/adei_clean.cron.sh" ]
+ cmd: [ "/openshift-entrypoint.sh", "/adei/src/scripts/cron/adei_clean.cron.sh" ]
 env: "{{ adei_pod_env | union(adei_cron_env) }}"
 vols: "{{ adei_pod_vols }}"
 mounts: "{{ adei_prod_mounts | union(adei_pod_mounts) }}"
diff --git a/setup/projects/adei/vars/pods.yml b/setup/projects/adei/vars/pods.yml
index 5278c44..182db9c 100644
--- a/setup/projects/adei/vars/pods.yml
+++ b/setup/projects/adei/vars/pods.yml
@@ -30,9 +30,9 @@ pods:
 env:
 - { name: "DB_SERVICE_HOST", value: "mysql.adei.svc.cluster.local" }
 - { name: "DB_SERVICE_PORT", value: "3306" }
+ - { name: "DB_EXTRA_HOSTS", value: "mysql.katrin.svc.cluster.local" }
 # - { name: "DB_SERVICE_CONTROL_USER", value: "pma" }
 # - { name: "DB_SERVICE_CONTROL_PASSWORD", value: "secret@adei/pma-password" }
- - { name: "DB_EXTRA_HOSTS", value: "mysql.katrin.svc.cluster.local" }
 probes:
 - { port: 8080, path: '/' }
diff --git a/setup/projects/adei/vars/volumes.yml b/setup/projects/adei/vars/volumes.yml
index cdeb4e7..768e27f 100644
--- a/setup/projects/adei/vars/volumes.yml
+++ b/setup/projects/adei/vars/volumes.yml
@@ -1,6 +1,6 @@
 gids:
- adei: { id: 6000 }
- adei_db: { id: 6001 }
+ adei: { id: 6001 }
+ adei_db: { id: 6002 }
 volumes:
 adei_init: { volume: "openshift", path: "/adei/init"}
 # mysql
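Review bot: The adei gid moves from 6000 to 6001 and adei_db from 6001 to 6002 without a comment explaining why the first id of the `adei: "6000/10"` range is now skipped; the rationale exists only in the security.yml comment block of this commit (under MustRunAs the first gid of the project range becomes the fsGroup, so it should not be handed to a single group). Add `# 6000 is the first gid of the adei range (setup/configs/security.yml) and is left unused on purpose` above `adei:` so the next edit does not reuse it. These ids stay project-local while the kaas gid was moved into the global `ands_openshift_gids` in the same commit; if keeping adei local is intentional, saying so here would avoid a later "harmonising" change.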
@@ -13,10 +13,10 @@ volumes:
 adei_db: { volume: "databases", path: "/adei", write: true }
 # mysql
 files:
- - { osv: "adei_cfg", path: "/", state: "directory", group: "adei", mode: "0775" }
- - { osv: "adei_cfg", path: "/prod", state: "directory", group: "adei", mode: "0775" }
- - { osv: "adei_cfg", path: "/dbg", state: "directory", group: "adei", mode: "0775" }
- - { osv: "adei_src", path: "/", state: "directory", group: "adei", mode: "0775" }
- - { osv: "adei_log", path: "/", state: "directory", group: "adei", mode: "0775" }
- - { osv: "adei_tmp", path: "/", state: "directory", group: "adei", mode: "0775" }
- - { osv: "adei_db", path: "mysql", state: "directory", group: "adei_db", mode: "0775" }
+ - { osv: "adei_cfg", path: "/", state: "directory", group: "adei", mode: "02775" }
+ - { osv: "adei_src", path: "/", state: "directory", group: "adei", mode: "02775" }
+ - { osv: "adei_src", path: "/prod", state: "directory", group: "adei", mode: "02775" }
+ - { osv: "adei_src", path: "/dbg", state: "directory", group: "adei", mode: "02775" }
+ - { osv: "adei_log", path: "/", state: "directory", group: "adei", mode: "02775" }
+ - { osv: "adei_tmp", path: "/", state: "directory", group: "adei", mode: "02775" }
+ - { osv: "adei_db", path: "mysql", state: "directory", group: "adei_db", mode: "02775" }
diff --git a/setup/projects/kaas/templates/40-kaas-manager.yml.j2 b/setup/projects/kaas/templates/40-kaas-manager.yml.j2
index e181737..b9cba4e 100644
--- a/setup/projects/kaas/templates/40-kaas-manager.yml.j2
+++ b/setup/projects/kaas/templates/40-kaas-manager.yml.j2
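Review bot: Besides the `"0775"` to `"02775"` mode change, this hunk quietly moves the `/prod` and `/dbg` directories from the `adei_cfg` volume to `adei_src`; that is a relocation, not a permission change, and nothing in the commit removes the old `adei_cfg/prod` and `adei_cfg/dbg` directories, so on an existing volume they will linger alongside the new ones with `state: "directory"` creating the new paths only. Either split the relocation into its own commit with a note on what happens to the old contents, or add `# prod/dbg moved from adei_cfg to adei_src in <commit placeholder>; stale adei_cfg copies need manual cleanup` above the `adei_src` entries. Quoting the octal mode as `"02775"` is the right YAML form and is consistent with the kaas and katrin volumes files in this commit.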
@@ -43,6 +43,9 @@ objects:
 {% for ofs in range(gid_range[1] | default(1) | int) %}
 - {{ (gid_range[0] | int) + ofs }}
 {% endfor %}
+{% if (ands_openshift_gid_mode | default('')) == "RunAsAny" %}
+ fsGroup: {{ gid_range[0] }}
+{% endif %}
 {% if (kaas_project_config.run_pods_as is defined) %}
 {% if ((kaas_project_config.uids | default(kaas_openshift_uids))[kaas_project_config.run_pods_as] is defined) %}
 runAsUser: {{ (kaas_project_config.uids | default(kaas_openshift_uids))[kaas_project_config.run_pods_as].id }}
diff --git a/setup/projects/kaas/vars/volumes.yml b/setup/projects/kaas/vars/volumes.yml
index 3554aa6..cf9c697 100644
--- a/setup/projects/kaas/vars/volumes.yml
+++ b/setup/projects/kaas/vars/volumes.yml
@@ -1,10 +1,11 @@
-gids:
- kaas: { id: 4000 }
+#defined globaly
+#gids:
+# kaas: { id: 4000 }
 files:
- - { osv: "data", path: "/www", state: "directory", group: "kaas", mode: "0775" }
- - { osv: "etc", path: "/apache2", state: "directory", group: "kaas", mode: "0775" }
- - { osv: "tmp", path: "/apache2", state: "directory", group: "kaas", mode: "0775" }
+ - { osv: "data", path: "/www", state: "directory", group: "kaas", mode: "02775" }
+ - { osv: "etc", path: "/apache2", state: "directory", group: "kaas", mode: "02775" }
+ - { osv: "tmp", path: "/apache2", state: "directory", group: "kaas", mode: "02775" }
 #resync: true
 sync_set_gid: kaas
diff --git a/setup/projects/katrin/vars/volumes.yml b/setup/projects/katrin/vars/volumes.yml
index ca22a28..3b53bb3 100644
--- a/setup/projects/katrin/vars/volumes.yml
+++ b/setup/projects/katrin/vars/volumes.yml
@@ -5,7 +5,7 @@ extra_volumes:
 katrin: { volume: "katrin_data", path: "/", capacity: "40Ti", write: true }
 files:
- - { osv: "katrin", path: "/", state: "directory", group: "katrin", mode: "0775" }
+ - { osv: "katrin", path: "/", state: "directory", group: "katrin", mode: "02775" }
 #resync: true
 #sync_set_gid: katrin
|
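Review bot: The new `fsGroup: {{ gid_range[0] }}` line emits `gid_range[0]` as-is, while the `supplementalGroups` loop two lines above casts the same value with `(gid_range[0] | int)`; if `gid_range` comes from splitting a `"4000/10"` string as the ranges in security.yml suggest, the first element is a string and the two lines treat one input inconsistently. Write `fsGroup: {{ gid_range[0] | int }}` so the cast is explicit rather than relying on YAML re-typing the rendered text. The `ands_openshift_gid_mode` guard has the name mismatch with `ands_openshift_groups_mode` in security.yml already noted on that hunk, and the enclosing Jinja block starts before this hunk.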
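Review bot: The new comment `#defined globaly` in kaas/vars/volumes.yml does not say where the definition lives and has a typo; since the kaas gid now comes from `ands_openshift_gids` in setup/configs/security.yml (changed in this same commit), make the pointer explicit: `# kaas gid is defined globally in setup/configs/security.yml (ands_openshift_gids)`. Keeping the old `gids:` block commented out beneath it invites someone to uncomment `4000` here and shadow the global value, so dropping those two commented lines would be cleaner than leaving a second, stale source of truth.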