PVC Write permissions

I pulled the solr charm and installed it.

I dumped the Juju db to see the pod spec that was sent in:

    containers:
    - envConfig:
        SOLR_JAVA_MEM: -Xms2g -Xmx3g
        SOLR_LOG_LEVEL: INFO
      imageDetails:
        imagePath: bitnami/solr:8.7.0-debian-10-r31
      imagePullPolicy: Always
      name: ddd
      ports:
      - containerPort: 8983
        name: solr
        protocol: TCP
    kubernetesResources:
      pod:
        securityContext:
          fsGroup: 1001
          runAsGroup: 1001
          runAsUser: 1001
    version: 3
    kubernetesResources:
      secrets:
      - data: {}
        name: charm-secrets
        type: Opaque
      services:
      - name: solr-port
        spec:
          clusterIP: ''
          ports:
          - name: solr
            port: 8983
            protocol: TCP
          type: NodePort

There’s 2 kubernetesResources sections. It does still parse ok but comes out as:

{
  "kubernetesResources": {
    "secrets": [
      {
        "data": {}, 
        "type": "Opaque", 
        "name": "charm-secrets"
      }
    ], 
    "services": [
      {
        "name": "solr-port", 
        "spec": {
          "clusterIP": "", 
          "type": "NodePort", 
          "ports": [
            {
              "protocol": "TCP", 
              "name": "solr", 
              "port": 8983
            }
          ]
        }
      }
    ]
  }, 
  "version": 3, 
  "containers": [
    {
      "imagePullPolicy": "Always", 
      "imageDetails": {
        "imagePath": "bitnami/solr:8.7.0-debian-10-r31"
      }, 
      "ports": [
        {
          "protocol": "TCP", 
          "containerPort": 8983, 
          "name": "solr"
        }
      ], 
      "envConfig": {
        "SOLR_JAVA_MEM": "-Xms2g -Xmx3g", 
        "SOLR_LOG_LEVEL": "INFO"
      }, 
      "name": "ddd"
    }
  ]
}

I fixed the charm and got the desired result. Here’s the diff:

diff --git a/src/charm.py b/src/charm.py
index 82b7aad..da5e687 100755
--- a/src/charm.py
+++ b/src/charm.py
@@ -72,15 +72,6 @@ class SolrCharm(CharmBase):
             ]
         spec = {
                 "version": 3,
-                "kubernetesResources":{
-                    "pod":{
-                        "securityContext":{
-                            "fsGroup": 1001,
-                            "runAsUser": 1001,
-                            "runAsGroup":1001,
-                        }
-                    }
-                },
                 "containers": [
                     {
                         "name": self.app.name,
@@ -108,7 +99,7 @@ class SolrCharm(CharmBase):
                     #        {
                     #            "name":"binami",
                     #           "mountPath":"/bitnami",
-                    #            
+                    #
                     #        }
                     #    ]
                     #}
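Review bot: The commented-out mount block touched here still carries `"name":"binami"` next to `"mountPath":"/bitnami"`, which looks like a typo that will cause trouble if the block is ever re-enabled; either correct the name or delete the dead block. The whitespace-only change on the `#` line is unrelated to the securityContext fix and would be cleaner in a separate commit.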
@@ -135,6 +126,13 @@ class SolrCharm(CharmBase):
         resources = {
             "secrets": [{"name": "charm-secrets", "type": "Opaque", "data": secrets_data}],
             "services": services,
+            "pod": {
+                "securityContext": {
+                    "fsGroup": 1001,
+                    "runAsUser": 1001,
+                    "runAsGroup": 1001,
+                }
+            }
         }
         logger.info(f"Pod resources <<EOM\n{yaml.dump(resources)}\nEOM")
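Review bot: The unchanged `logger.info(f"Pod resources ...")` line at the end of this hunk dumps the whole `resources` dict, which includes `secrets` with `secrets_data`, so any real secret values would land in the charm log at INFO; log only the `pod` and `services` parts, or redact `data` before dumping. Separately, 1001 is repeated three times in the new `securityContext`; a named constant with a comment saying which image user it corresponds to would make the dependency on the image explicit.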

The issue is that the pod security context info was being added to the wrong section.
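The duplicate `kubernetesResources` key parsed without error and the first block (the one carrying `securityContext`) was dropped, so a check on the rendered spec text is one way to catch this before deploying. The following is an added example, not code from the charm or from Juju; it uses only the standard library, assumes block-style YAML like the dump above, and the function name `duplicate_keys` and the shortened sample are constructed for illustration.

```python
import re

# Constructed sample: a shortened copy of the pod spec dump in the post above.
POD_SPEC = """\
containers:
- name: ddd
  ports:
  - containerPort: 8983
    name: solr
kubernetesResources:
  pod:
    securityContext:
      fsGroup: 1001
      runAsGroup: 1001
      runAsUser: 1001
version: 3
kubernetesResources:
  secrets:
  - data: {}
    name: charm-secrets
"""

# Matches "key:" lines in block-style YAML, with optional "- " list markers.
KEY_LINE = re.compile(r"^(\s*)((?:- )*)([A-Za-z_][\w.-]*):(?:\s|$)")


def duplicate_keys(text):
    """Return [(key_path, line_no)] for keys repeated inside one mapping."""
    dups = []
    stack = []  # open mappings, outermost first: [indent, keys seen, last key]
    for line_no, line in enumerate(text.splitlines(), 1):
        m = KEY_LINE.match(line)
        if not m:
            continue  # scalars, blank lines, comments
        lead, dashes, key = m.groups()
        indent = len(lead) + len(dashes)
        while stack and stack[-1][0] > indent:
            stack.pop()  # deeper mappings are closed
        if dashes and stack and stack[-1][0] == indent:
            stack.pop()  # previous list item at this depth has ended
        if not stack or stack[-1][0] < indent:
            stack.append([indent, set(), None])  # a new mapping opens
        frame = stack[-1]
        if key in frame[1]:
            path = "/".join([f[2] for f in stack[:-1]] + [key])
            dups.append((path, line_no))
        frame[1].add(key)
        frame[2] = key
    return dups


if __name__ == "__main__":
    for path, line_no in duplicate_keys(POD_SPEC):
        print(f"line {line_no}: duplicate key '{path}'")
```

The two `name` keys in the sample are not reported because they belong to different mappings; multi-line scalars and flow-style (`{...}`) mappings are outside what this scanner handles.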

Thanks a lot @wallyworld! This is all black magic, I’m glad someone who knows what they are doing could figure it out.

Looking forward to getting this cleaned up and shipped in some state.

As an aside, as containers progress to non-root based containers more frequently, I wonder what effect this will have on charms and charm developers. Clearly the fsGroup / runAsUser stuff doesn’t affect your test suites, but does hit this K8S/Ceph implementation. I guess the permissions you see on microk8s are more frequent, but it’s something developers need to be wary of, because cool charms that would otherwise work out of the box will blow up with permissions errors like this one that only certain people will see.

Yeah, there’s a bit to get your head around. Not sure if this helps.

If there’s gaps, any suggestions to improve gratefully accepted. It’s hard to know what is unclear to people having been immersed in it for a bit.

Sorry for the delay in testing this, busy couple of weeks. Looks like those changes did the trick, thanks for testing for me Ian!

bugg@DESKTOP-JIMKO29:~/Projects/solr-k8s-charm$ kubectl -n zk logs solr-0

Welcome to the Bitnami solr container
Subscribe to project updates by watching https://github.com/bitnami/bitnami-docker-solr
Submit issues and feature requests at https://github.com/bitnami/bitnami-docker-solr/issues

nami    INFO  Initializing solr
solr    INFO
solr    INFO  ########################################################################
solr    INFO   Installation parameters for solr:
solr    INFO     Solr URL: http://localhost:8983/solr
solr    INFO   This installation requires no credentials.
solr    INFO  ########################################################################
solr    INFO
nami    INFO  solr successfully initialized
INFO  ==> Starting gosu...
OpenJDK 64-Bit Server VM warning: Failed to reserve shared memory. (error = 12)
OpenJDK 64-Bit Server VM warning: Failed to reserve shared memory. (error = 12)
OpenJDK 64-Bit Server VM warning: Failed to reserve shared memory. (error = 12)
OpenJDK 64-Bit Server VM warning: Failed to reserve shared memory. (error = 12)
2021-01-12 23:19:49.560 INFO  (main) [   ] o.e.j.u.log Logging initialized @1501ms to org.eclipse.jetty.util.log.Slf4jLog
2021-01-12 23:19:49.633 WARN  (main) [   ] o.e.j.x.XmlConfiguration Ignored arg: <Arg name="threadpool">
<New id="threadpool" class="com.codahale.metrics.jetty9.InstrumentedQueuedThreadPool"><Arg name="registry">
    <Call id="solrJettyMetricRegistry" name="getOrCreate" class="com.codahale.metrics.SharedMetricRegistries"><Arg>solr.jetty</Arg></Call>
  </Arg></New>
  </Arg>
2021-01-12 23:19:49.744 INFO  (main) [   ] o.e.j.s.Server jetty-9.4.27.v20200227; built: 2020-02-27T18:37:21.340Z; git: a304fd9f351f337e7c0e2a7c28878dd536149c6c; jvm 1.8.0_275-b01
2021-01-12 23:19:49.769 INFO  (main) [   ] o.e.j.d.p.ScanningAppProvider Deployment monitor [file:///opt/bitnami/solr/server/contexts/] at interval 0
2021-01-12 23:19:50.140 INFO  (main) [   ] o.e.j.w.StandardDescriptorProcessor NO JSP Support for /solr, did not find org.apache.jasper.servlet.JspServlet
2021-01-12 23:19:50.158 INFO  (main) [   ] o.e.j.s.session DefaultSessionIdManager workerName=node0
2021-01-12 23:19:50.158 INFO  (main) [   ] o.e.j.s.session No SessionScavenger set, using defaults
2021-01-12 23:19:50.161 INFO  (main) [   ] o.e.j.s.session node0 Scavenging every 660000ms
2021-01-12 23:19:50.283 INFO  (main) [   ] o.a.s.s.SolrDispatchFilter Using logger factory org.apache.logging.slf4j.Log4jLoggerFactory
2021-01-12 23:19:50.290 INFO  (main) [   ] o.a.s.s.SolrDispatchFilter  ___      _       Welcome to Apache Solr? version 8.7.0
2021-01-12 23:19:50.290 INFO  (main) [   ] o.a.s.s.SolrDispatchFilter / __| ___| |_ _   Starting in standalone mode on port 8983
2021-01-12 23:19:50.293 INFO  (main) [   ] o.a.s.s.SolrDispatchFilter \__ \/ _ \ | '_|  Install dir: /opt/bitnami/solr
2021-01-12 23:19:50.294 INFO  (main) [   ] o.a.s.s.SolrDispatchFilter |___/\___/_|_|    Start time: 2021-01-12T23:19:50.294Z
2021-01-12 23:19:50.295 INFO  (main) [   ] o.a.s.s.SolrDispatchFilter Log level override, property solr.log.level=INFO
2021-01-12 23:19:50.303 INFO  (main) [   ] o.a.s.c.SolrPaths Using system property solr.solr.home: /opt/bitnami/solr/server/solr
2021-01-12 23:19:50.310 INFO  (main) [   ] o.a.s.c.SolrXmlConfig Loading container configuration from /opt/bitnami/solr/server/solr/solr.xml
2021-01-12 23:19:50.465 INFO  (main) [   ] o.a.s.c.SolrXmlConfig MBean server found: com.sun.jmx.mbeanserver.JmxMBeanServer@47542153, but no JMX reporters were configured - adding default JMX reporter.
2021-01-12 23:19:51.122 INFO  (main) [   ] o.a.s.h.c.HttpShardHandlerFactory Host whitelist initialized: WhitelistHostChecker [whitelistHosts=null, whitelistHostCheckingEnabled=true]
2021-01-12 23:19:51.315 WARN  (main) [   ] o.e.j.u.s.S.config Trusting all certificates configured for Client@2ece4966[provider=null,keyStore=null,trustStore=null]
2021-01-12 23:19:51.315 WARN  (main) [   ] o.e.j.u.s.S.config No Client EndPointIdentificationAlgorithm configured for Client@2ece4966[provider=null,keyStore=null,trustStore=null]
2021-01-12 23:19:51.534 WARN  (main) [   ] o.e.j.u.s.S.config Trusting all certificates configured for Client@841e575[provider=null,keyStore=null,trustStore=null]
2021-01-12 23:19:51.534 WARN  (main) [   ] o.e.j.u.s.S.config No Client EndPointIdentificationAlgorithm configured for Client@841e575[provider=null,keyStore=null,trustStore=null]
2021-01-12 23:19:51.590 WARN  (main) [   ] o.a.s.c.CoreContainer Not all security plugins configured!  authentication=disabled authorization=disabled.  Solr is only as secure as you make it. Consider configuring authentication/authorization before exposing Solr to users internal or external.  See https://s.apache.org/solrsecurity for more info
2021-01-12 23:19:51.807 INFO  (main) [   ] o.a.s.c.TransientSolrCoreCacheDefault Allocating transient cache for 2147483647 transient cores
2021-01-12 23:19:51.810 INFO  (main) [   ] o.a.s.h.a.MetricsHistoryHandler No .system collection, keeping metrics history in memory.
2021-01-12 23:19:51.908 INFO  (main) [   ] o.a.s.m.r.SolrJmxReporter JMX monitoring for 'solr.node' (registry 'solr.node') enabled at server: com.sun.jmx.mbeanserver.JmxMBeanServer@47542153
2021-01-12 23:19:51.911 INFO  (main) [   ] o.a.s.m.r.SolrJmxReporter JMX monitoring for 'solr.jvm' (registry 'solr.jvm') enabled at server: com.sun.jmx.mbeanserver.JmxMBeanServer@47542153
2021-01-12 23:19:51.921 INFO  (main) [   ] o.a.s.m.r.SolrJmxReporter JMX monitoring for 'solr.jetty' (registry 'solr.jetty') enabled at server: com.sun.jmx.mbeanserver.JmxMBeanServer@47542153
2021-01-12 23:19:51.958 INFO  (main) [   ] o.a.s.c.CorePropertiesLocator Found 0 core definitions underneath /opt/bitnami/solr/server/solr
2021-01-12 23:19:52.013 INFO  (main) [   ] o.e.j.s.h.ContextHandler Started o.e.j.w.WebAppContext@4d5650ae{/solr,file:///opt/bitnami/solr/server/solr-webapp/webapp/,AVAILABLE}{/opt/bitnami/solr/server/solr-webapp/webapp}
2021-01-12 23:19:52.023 INFO  (main) [   ] o.e.j.s.AbstractConnector Started ServerConnector@776b83cc{HTTP/1.1, (http/1.1, h2c)}{0.0.0.0:8983}
2021-01-12 23:19:52.023 INFO  (main) [   ] o.e.j.s.Server Started @3966ms

Awesome, glad you got it all working.