From 69adb23c59e991ddcabf5cfce415fd8b638dbc1a Mon Sep 17 00:00:00 2001
From: "Suren A. Chilingaryan"
Date: Thu, 1 Mar 2018 21:15:50 +0100
Subject: Improve handling of filesystem permissions and other fixes

---
 setup/configs/security.yml | 28 +++++++++++++++-------
 setup/projects/adei/templates/60-adei.yml.j2 | 17 ++++++-------
 setup/projects/adei/vars/globals.yml | 12 +++++-----
 setup/projects/adei/vars/pods.yml | 2 +-
 setup/projects/adei/vars/volumes.yml | 18 +++++++-------
 .../projects/kaas/templates/40-kaas-manager.yml.j2 | 3 +++
 setup/projects/kaas/vars/volumes.yml | 11 +++++----
 setup/projects/katrin/vars/volumes.yml | 2 +-
 8 files changed, 52 insertions(+), 41 deletions(-)
 (limited to 'setup')

diff --git a/setup/configs/security.yml b/setup/configs/security.yml
index b870c55..22784b3 100644
--- a/setup/configs/security.yml
+++ b/setup/configs/security.yml
@@ -1,26 +1,36 @@
-ands_openshift_gid_mode:
- ands_default: "MustRunAs"
-# sample: "RunAsAny"
-
-#ands_openshift_uid_mode:
-# ands_default: "MustRunAsRange"
+#The SCC is global, not per project.
+# It is better to work with groups.
+#ands_openshift_uid_mode: "MustRunAsRange"
+# Allow setting the required fsGroup in pod-specification (default is MustRunAs).
+# - If Ceph or other block storage is used, it is necessary set 'fsGroup' in pod definitions if 'RunAsAny' strategy is selected. Otherwise, the matching rules will fail.
+# - For some reason, 'fsGroup' is not used as 'gid' for container. The 'gid' is always 0 (maybe only if container is run by unknown user or withiout known group).
+# - May be it also should not. While documentation states that the new files are created with fsGroup gid, it also states that fsGroup is only used for network block storage (ceph).
+# - Using "MustRunAs" a first 'gid' specified in the project 'supplementalGroups' will be used as 'fsGroup'.
+# - Yes, in the project, not 'pod'. Consequently, the 'group' assigned to project is always in the 'supGroups' if 'MustRunAs' is selected.
+# - gid=0 is also always in
+# I tend to keep the default settings and use +s to enfore group ownership. If project uses multiple 'groups', the first group in the range should not be used and we avoid unintended sharing.
+#ands_openshift_gid_mode: "RunAsAny"
+#To enforce the range specified in the project configuration.
+# - The gids outside of the range will be rejected and pod will fail if "MustRunAs" is selected.
+ands_openshift_groups_mode: "MustRunAs"
 #ands_openshift_uid_ranges:
 ands_openshift_gid_ranges:
 kaas: "4000/10"
 katrin: "5000/10"
- test: "7100/10"
 adei: "6000/10"
 bora: "6100/10"
 web: "6200/10"
 mon: "7000/10"
+ test: "7100/10"
+# The default user and group mentioned in some projects
 ands_openshift_uids:
- kaas: { id: 6000 }
+ kaas: { id: 4000 }
 ands_openshift_gids:
- kaas: { id: 6000 }
+ kaas: { id: 4000 }
 ands_default_file_group: root
 ands_default_file_owner: root
diff --git a/setup/projects/adei/templates/60-adei.yml.j2 b/setup/projects/adei/templates/60-adei.yml.j2
index 537368f..ca3c17a 100644
--- a/setup/projects/adei/templates/60-adei.yml.j2
+++ b/setup/projects/adei/templates/60-adei.yml.j2
@@ -95,6 +95,8 @@ objects:
 adei-type: "{{ pod_type }}"
 adei-name: "{{ name }}"
 adei-setup: "${setup}"
+ annotations:
+ kaas/replicas: "{{ cfg.replicas }}"
 spec:
 replicas: "{{ cfg.replicas }}"
 revisionHistoryLimit: "{{ adei_pod_history_limit }}"
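Review bot: The key introduced here is `ands_openshift_groups_mode: "MustRunAs"`, but the two templates in this same commit branch on `ands_openshift_gid_mode | default('')`, which this file leaves commented out, so the new `fsGroup` emission can only ever fire if someone sets the differently named variable; if both names are meant to be one knob, rename one, and if they are distinct SCC strategies (fsGroup vs. supplementalGroups) a one-line comment next to `ands_openshift_groups_mode` naming the SCC field it drives would spare the next reader the search. The kaas uid/gid change from 6000 to 4000 also deserves a comment, because 6000 lies inside the adei range `"6000/10"` and the old value would have put kaas pods in adei's first group, e.g. `# kaas ids must lie inside the kaas range (4000/10); 6000 collided with the adei range`. Minor: the long comment block has typos — `withiout`, `enfore`, and `it is necessary set` should read `it is necessary to set`.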
@@ -127,20 +129,15 @@ objects:
 {% if (cfg.groups is defined) or (cfg.run_as is defined) %}
 securityContext:
 {% if (cfg.run_as is defined) %}
-{% if (kaas_project_config.uids | default(kaas_openshift_uids))[cfg.run_as] is defined %}
- - {{ (kaas_project_config.uids | default(kaas_openshift_uids))[cfg.run_as].id }}
-{% else %}
- - {{ cfg.run_as }}
-{% endif %}
+ runAsUser: {{ (kaas_project_uids[cfg.run_as] is defined) | ternary(kaas_project_uids[cfg.run_as].id, cfg.run_as) }}
 {% endif %}
 {% if (cfg.groups is defined) %}
+{% if (ands_openshift_gid_mode | default('')) == "RunAsAny" %}
+ fsGroup: {{ (kaas_project_gids[cfg.groups[0]] is defined) | ternary(kaas_project_gids[cfg.groups[0]].id, cfg.groups[0]) }}
+{% endif %}
 supplementalGroups:
 {% for group in cfg.groups %}
-{% if (kaas_project_config.gids | default(kaas_openshift_gids))[group] is defined %}
- - {{ (kaas_project_config.gids | default(kaas_openshift_gids))[group].id }}
-{% else %}
- - {{ group }}
-{% endif %}
+ - {{ (kaas_project_gids[group] is defined) | ternary(kaas_project_gids[group].id, group) }}
 {% endfor %}
 {% endif %}
 {% endif %}
diff --git a/setup/projects/adei/vars/globals.yml b/setup/projects/adei/vars/globals.yml
index 21f4db1..f8d7816 100644
--- a/setup/projects/adei/vars/globals.yml
+++ b/setup/projects/adei/vars/globals.yml
@@ -182,7 +182,7 @@ adei_frontends:
 cacher:
 name: "adei-${setup}-cacher"
 replicas: "${cache_replicas}"
- cmd: [ "/bin/bash", "/adei/src/scripts/system/cacher.sh" ]
+ cmd: [ "/openshift-entrypoint.sh", "/adei/src/scripts/system/cacher.sh" ]
 env: "{{ adei_pod_env | union(adei_cache_env) }}"
 vols: "{{ adei_pod_vols }}"
 mounts: "{{ adei_prod_mounts | union(adei_pod_mounts) }}"
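Review bot: The `ternary` form on the new `runAsUser`, `fsGroup` and `supplementalGroups` lines evaluates both arguments before the filter runs, so `kaas_project_uids[cfg.run_as].id` is touched even on the miss path; whether that is a silently propagated undefined or a template error depends on the Ansible version's undefined handling, so the old explicit `{% if %}`/`{% else %}` shape was safer, or the lookups should at least be guarded with `| default({})`. The lookup source also changed from `kaas_project_config.uids | default(kaas_openshift_uids)` to `kaas_project_uids`/`kaas_project_gids`, which this diff does not define and which the kaas-manager template in the same commit still does not use, so the same name can presumably resolve to different ids in the two templates. When a name is missing the raw `cfg.run_as` or group name is emitted unchanged, and the API server rejects a non-integer runAsUser/fsGroup/supplementalGroups entry, so failing at render time (e.g. `| int`) would surface misconfiguration earlier than at deploy time. The enclosing `securityContext` block starts before this hunk.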
@@ -191,7 +191,7 @@ adei_frontends:
 archive_cacher:
 name: "adei-${setup}-archive-cacher"
 replicas: "1"
- cmd: [ "/bin/bash", "/adei/src/scripts/system/cacher.sh", "-m", "archive" ]
+ cmd: [ "/openshift-entrypoint.sh", "/adei/src/scripts/system/cacher.sh", "-m", "archive" ]
 env: "{{ adei_pod_env | union(adei_arc_cache_env) }}"
 vols: "{{ adei_pod_vols }}"
 mounts: "{{ adei_prod_mounts | union(adei_pod_mounts) }}"
@@ -200,7 +200,7 @@ adei_frontends:
 log_cacher:
 name: "adei-${setup}-log-cacher"
 replicas: "${enable_logs}"
- cmd: [ "/bin/bash", "/adei/src/scripts/system/cacher.sh" ]
+ cmd: [ "/openshift-entrypoint.sh", "/adei/src/scripts/system/cacher.sh" ]
 env: "{{ adei_pod_env | union(adei_log_cache_env) }}"
 vols: "{{ adei_pod_vols }}"
 mounts: "{{ adei_prod_mounts | union(adei_pod_mounts) }}"
@@ -209,7 +209,7 @@ adei_frontends:
 update:
 name: "adei-${setup}-update"
 cron: "${update_schedule}"
- cmd: [ "/bin/bash", "/adei/src/scripts/cron/adei.cron.sh" ]
+ cmd: [ "/openshift-entrypoint.sh", "/adei/src/scripts/cron/adei.cron.sh" ]
 env: "{{ adei_pod_env | union(adei_cron_env) | union(adei_update_env) }}"
 vols: "{{ adei_pod_vols }}"
 mounts: "{{ adei_prod_mounts | union(adei_pod_mounts) }}"
@@ -218,7 +218,7 @@ adei_frontends:
 maintain:
 name: "adei-${setup}-maintain"
 cron: "${maintain_schedule}"
- cmd: [ "/bin/bash", "/adei/src/scripts/cron/adei_manager.cron.sh" ]
+ cmd: [ "/openshift-entrypoint.sh", "/adei/src/scripts/cron/adei_manager.cron.sh" ]
 env: "{{ adei_pod_env | union(adei_cron_env) }}"
 vols: "{{ adei_pod_vols }}"
 mounts: "{{ adei_prod_mounts | union(adei_pod_mounts) }}"
@@ -227,7 +227,7 @@ adei_frontends:
 clean:
 name: "adei-${setup}-clean"
 cron: "${clean_schedule}"
- cmd: [ "/bin/bash", "/adei/src/scripts/cron/adei_clean.cron.sh" ]
+ cmd: [ "/openshift-entrypoint.sh", "/adei/src/scripts/cron/adei_clean.cron.sh" ]
 env: "{{ adei_pod_env | union(adei_cron_env) }}"
 vols: "{{ adei_pod_vols }}"
 mounts: "{{ adei_prod_mounts | union(adei_pod_mounts) }}"
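Review bot: The literal `/openshift-entrypoint.sh` is now repeated in six `cmd` lists of this file; hoisting it into one variable, e.g. `adei_entrypoint: "/openshift-entrypoint.sh"` and `cmd: [ "{{ adei_entrypoint }}", "/adei/src/scripts/cron/adei_clean.cron.sh" ]`, keeps the wrapper path in a single place. Before, `/bin/bash` was invoked explicitly with the script as an argument, so nothing else needed to be executable; now the image has to ship `/openshift-entrypoint.sh` with the execute bit and a valid shebang or every one of these pods, including the `update`/`maintain`/`clean` cron jobs, fails to start, and a comment saying where that wrapper comes from (it is not part of this diff) would help. What the wrapper does to the process environment is not visible here; since the rest of this commit relies on setgid directories and group membership for sharing, I would confirm it does not reset the umask or drop supplementary groups before it execs the script.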
diff --git a/setup/projects/adei/vars/pods.yml b/setup/projects/adei/vars/pods.yml
index 5278c44..182db9c 100644
--- a/setup/projects/adei/vars/pods.yml
+++ b/setup/projects/adei/vars/pods.yml
@@ -30,9 +30,9 @@ pods:
 env:
 - { name: "DB_SERVICE_HOST", value: "mysql.adei.svc.cluster.local" }
 - { name: "DB_SERVICE_PORT", value: "3306" }
+ - { name: "DB_EXTRA_HOSTS", value: "mysql.katrin.svc.cluster.local" }
 # - { name: "DB_SERVICE_CONTROL_USER", value: "pma" }
 # - { name: "DB_SERVICE_CONTROL_PASSWORD", value: "secret@adei/pma-password" }
- - { name: "DB_EXTRA_HOSTS", value: "mysql.katrin.svc.cluster.local" }
 probes:
 - { port: 8080, path: '/' }
diff --git a/setup/projects/adei/vars/volumes.yml b/setup/projects/adei/vars/volumes.yml
index cdeb4e7..768e27f 100644
--- a/setup/projects/adei/vars/volumes.yml
+++ b/setup/projects/adei/vars/volumes.yml
@@ -1,6 +1,6 @@
 gids:
- adei: { id: 6000 }
- adei_db: { id: 6001 }
+ adei: { id: 6001 }
+ adei_db: { id: 6002 }
 volumes:
 adei_init: { volume: "openshift", path: "/adei/init"}
 # mysql
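Review bot: The adei gid moves from 6000 to 6001 and adei_db from 6001 to 6002 with nothing saying why; given the adei range `"6000/10"` in security.yml and the note there that under MustRunAs the first gid of a project range becomes the SCC fsGroup, the skip looks deliberate, and that reasoning belongs next to the numbers, e.g. `# 6000 is the first gid of the adei range and is taken by the SCC as fsGroup; project groups start at 6001`. Both values must also stay inside 6000-6009 for MustRunAs validation to admit the pods, which is worth stating in the same comment so a future renumbering does not silently break scheduling.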
@@ -13,10 +13,10 @@ volumes:
 adei_db: { volume: "databases", path: "/adei", write: true }
 # mysql
 files:
- - { osv: "adei_cfg", path: "/", state: "directory", group: "adei", mode: "0775" }
- - { osv: "adei_cfg", path: "/prod", state: "directory", group: "adei", mode: "0775" }
- - { osv: "adei_cfg", path: "/dbg", state: "directory", group: "adei", mode: "0775" }
- - { osv: "adei_src", path: "/", state: "directory", group: "adei", mode: "0775" }
- - { osv: "adei_log", path: "/", state: "directory", group: "adei", mode: "0775" }
- - { osv: "adei_tmp", path: "/", state: "directory", group: "adei", mode: "0775" }
- - { osv: "adei_db", path: "mysql", state: "directory", group: "adei_db", mode: "0775" }
+ - { osv: "adei_cfg", path: "/", state: "directory", group: "adei", mode: "02775" }
+ - { osv: "adei_src", path: "/", state: "directory", group: "adei", mode: "02775" }
+ - { osv: "adei_src", path: "/prod", state: "directory", group: "adei", mode: "02775" }
+ - { osv: "adei_src", path: "/dbg", state: "directory", group: "adei", mode: "02775" }
+ - { osv: "adei_log", path: "/", state: "directory", group: "adei", mode: "02775" }
+ - { osv: "adei_tmp", path: "/", state: "directory", group: "adei", mode: "02775" }
+ - { osv: "adei_db", path: "mysql", state: "directory", group: "adei_db", mode: "02775" }
diff --git a/setup/projects/kaas/templates/40-kaas-manager.yml.j2 b/setup/projects/kaas/templates/40-kaas-manager.yml.j2
index e181737..b9cba4e 100644
--- a/setup/projects/kaas/templates/40-kaas-manager.yml.j2
+++ b/setup/projects/kaas/templates/40-kaas-manager.yml.j2
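Review bot: The setgid bit in `02775` only makes new entries inherit the directory's group; the permission bits of files created inside still come from the creating process's umask, so with the usual default of 022 new files are group-readable but not group-writable and the cross-pod sharing this mode is presumably meant to enable only works if the containers run with `umask 002`. A comment on the `files:` list should spell that out, e.g. `# 02775: setgid so new files inherit the group; group-write on those files still depends on the creator's umask (002)`. The same hunk also moves `/prod` and `/dbg` from `adei_cfg` to `adei_src`; if that corrects the earlier mapping rather than relocating data, the commit message does not mention it and it deserves a line. Note that `adei_db/mysql` at `02775` with group `adei_db` lets any process carrying that group write the database files directly, which is fine only as long as mysql is the sole holder of that group.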
@@ -43,6 +43,9 @@ objects:
 {% for ofs in range(gid_range[1] | default(1) | int) %}
 - {{ (gid_range[0] | int) + ofs }}
 {% endfor %}
+{% if (ands_openshift_gid_mode | default('')) == "RunAsAny" %}
+ fsGroup: {{ gid_range[0] }}
+{% endif %}
 {% if (kaas_project_config.run_pods_as is defined) %}
 {% if ((kaas_project_config.uids | default(kaas_openshift_uids))[kaas_project_config.run_pods_as] is defined) %}
 runAsUser: {{ (kaas_project_config.uids | default(kaas_openshift_uids))[kaas_project_config.run_pods_as].id }}
diff --git a/setup/projects/kaas/vars/volumes.yml b/setup/projects/kaas/vars/volumes.yml
index 3554aa6..cf9c697 100644
--- a/setup/projects/kaas/vars/volumes.yml
+++ b/setup/projects/kaas/vars/volumes.yml
@@ -1,10 +1,11 @@
-gids:
- kaas: { id: 4000 }
+#defined globaly
+#gids:
+# kaas: { id: 4000 }
 files:
- - { osv: "data", path: "/www", state: "directory", group: "kaas", mode: "0775" }
- - { osv: "etc", path: "/apache2", state: "directory", group: "kaas", mode: "0775" }
- - { osv: "tmp", path: "/apache2", state: "directory", group: "kaas", mode: "0775" }
+ - { osv: "data", path: "/www", state: "directory", group: "kaas", mode: "02775" }
+ - { osv: "etc", path: "/apache2", state: "directory", group: "kaas", mode: "02775" }
+ - { osv: "tmp", path: "/apache2", state: "directory", group: "kaas", mode: "02775" }
 #resync: true
 sync_set_gid: kaas
diff --git a/setup/projects/katrin/vars/volumes.yml b/setup/projects/katrin/vars/volumes.yml
index ca22a28..3b53bb3 100644
--- a/setup/projects/katrin/vars/volumes.yml
+++ b/setup/projects/katrin/vars/volumes.yml
@@ -5,7 +5,7 @@ extra_volumes:
 katrin: { volume: "katrin_data", path: "/", capacity: "40Ti", write: true }
 files:
- - { osv: "katrin", path: "/", state: "directory", group: "katrin", mode: "0775" }
+ - { osv: "katrin", path: "/", state: "directory", group: "katrin", mode: "02775" }
 #resync: true
 #sync_set_gid: katrin
--
cgit v1.2.3
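Review bot: `fsGroup: {{ gid_range[0] }}` is rendered without the `| int` that the loop two lines above applies to the very same value, so if `gid_range[0]` arrives as a string (presumably from splitting a `"4000/10"` range) the supplementalGroups entries and fsGroup can differ in form; `fsGroup: {{ gid_range[0] | int }}` keeps them consistent. This template still resolves `run_pods_as` via `kaas_project_config.uids | default(kaas_openshift_uids)` while the adei template in the same commit switched to `kaas_project_uids`, so the two templates may map one user name to different uids — align them or document why they differ. The `RunAsAny` branch keys off `ands_openshift_gid_mode`, which security.yml in this commit leaves commented out (it sets `ands_openshift_groups_mode` instead), so as committed this block is inert; a comment such as `{# only emitted when the SCC fsGroup strategy is RunAsAny; MustRunAs derives fsGroup from the first supplemental group #}` would record the intent. The surrounding securityContext block starts before this hunk.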