From e4751f88e52aa8e89e4c94bc6fe4c3346eccf6fe Mon Sep 17 00:00:00 2001 From: "Suren A. Chilingaryan" Date: Tue, 20 Feb 2018 15:10:45 +0100 Subject: Handling GlusterFS storage security in OpenShift containers --- setup/configs/openshift.yml | 3 ++- setup/configs/security.yml | 21 ++++++++++++++++ setup/configs/volumes.yml | 13 +++++++--- setup/projects/adei/vars/pods.yml | 52 +++++++++++++++++++++++++++++++++++++++ 4 files changed, 84 insertions(+), 5 deletions(-) create mode 100644 setup/configs/security.yml create mode 100644 setup/projects/adei/vars/pods.yml (limited to 'setup') diff --git a/setup/configs/openshift.yml b/setup/configs/openshift.yml index 6b9995c..e2a2d6d 100644 --- a/setup/configs/openshift.yml +++ b/setup/configs/openshift.yml @@ -2,7 +2,8 @@ ands_openshift_projects: katrin: KArlsruhe TRItium Neutrino adei: ADEI - + +# test: Tesing ands_openshift_users: pdv: IPE Administation Account diff --git a/setup/configs/security.yml b/setup/configs/security.yml new file mode 100644 index 0000000..413f57e --- /dev/null +++ b/setup/configs/security.yml @@ -0,0 +1,21 @@ +ands_openshift_gid_mode: +# adei: "RunAsAny" + ands_default: "MustRunAs" + +#ands_openshift_uid_mode: +# ands_default: "MustRunAsRange" + +#ands_openshift_uid_ranges: + +ands_openshift_gid_ranges: + katrin: "5000/10" + adei: "5010/10" + +ands_openshift_uids: + kaas: { id: 6000 } + +ands_openshift_gids: + kaas: { id: 6000 } + +ands_default_file_group: root +ands_default_file_owner: root diff --git a/setup/configs/volumes.yml b/setup/configs/volumes.yml index d0ba063..d93f177 100644 --- a/setup/configs/volumes.yml +++ b/setup/configs/volumes.yml @@ -3,6 +3,8 @@ ands_paths: provision: /mnt/provision openshift: /mnt/openshift temporary: /mnt/temporary + databases: /mnt/databases + katrin_data: /mnt/katrin ands_heketi_domain: servers: "storage_nodes" @@ -14,11 +16,15 @@ ands_storage_domains: clients: "masters" volumes: provision: { type: "cfg", mount: "{{ ands_paths.provision }}" } - - servers: "storage_nodes" - clients: "nodes" - volumes: openshift: { type: "cfg", mount: "{{ ands_paths.openshift }}" } + databases: { type: "db", mount: "{{ ands_paths.databases }}" } temporary: { type: "tmp", mount: "{{ ands_paths.temporary }}" } + katrin_data: { type: "data", mount: "{{ ands_paths.katrin_data }}" } +# - servers: "storage_nodes" +# clients: "nodes" +# openshift: { type: "cfg", mount: "{{ ands_paths.openshift }}" } +# temporary: { type: "tmp", mount: "{{ ands_paths.temporary }}" } +# volumes: # - ovirt: # - pdv: @@ -31,7 +37,6 @@ ands_openshift_volumes: log: { volume: "temporary", path: "/log", write: true} tmp: { volume: "temporary", path: "/tmp", write: true} - # Global list, we only take things from the volume of project ands_openshift_files: - { osv: "log", path: "apache2-kaas", state: "directory", mode: "0777" } diff --git a/setup/projects/adei/vars/pods.yml b/setup/projects/adei/vars/pods.yml new file mode 100644 index 0000000..3b104ea --- /dev/null +++ b/setup/projects/adei/vars/pods.yml @@ -0,0 +1,52 @@ +volumes: + adei_etc: { volume: "openshift", path: "/adei/etc" } + adei_db: { volume: "databases", path: "/adei", write: true} + +gids: + adei: { id: 5010 } + adei_db: { id: 5011 } + +files: + - { osv: "adei_db", path: "mysql", state: "directory", group: "adei_db", mode: "0775" } + + +pods: + mysql: + service: { ports: [ 3306 ] } + sched: { replicas: 1, selector: { master: 1 } } + selector: { master: 1 } + groups: [ "adei_db" ] + images: + - image: "openshift/mysql-56-centos7" + env: + - { name: "MYSQL_USER", value: "adei" } + - { name: "MYSQL_PASSWORD", value: "adei" } + - { name: "MYSQL_DATABASE", value: "adei" } + mappings: + - { name: "adei_etc", path: "mysql", mount: "/etc/mysql" } + - { name: "adei_db", path: "mysql", mount: "/var/lib/mysql/data" } + probes: + - { port: 3306 } + phpmyadmin: + service: { host: "phpmyadmin.{{ openshift_master_default_subdomain }}", ports: [ 80/8080 ] } + sched: { replicas: 1 } + images: + - image: "chsa/phpmyadmin-centos:4" + env: + - { name: "DB_SERVICE_HOST", value: "mysql.adei.svc.cluster.local" } + - { name: "DB_SERVICE_PORT", value: "3306" } + - { name: "DB_SERVICE_CONTROL_USER", value: "pma" } + - { name: "DB_SERVICE_CONTROL_PASSWORD", value: "adei" } + - { name: "DB_EXTRA_HOSTS", value: "mysql.katrin.svc.cluster.local" } + probes: + - { port: 8080, path: '/' } + + + +#oc: +# - template: "[0-3]*" +# - template: "[4-6]*" +# - resource: "route/apache" +# oc: "expose svc/kaas --name apache --hostname=apache.{{ openshift_master_default_subdomain }}" +# - template: "*" + \ No newline at end of file -- cgit v1.2.3