
CASMCMS-8060 Fix incomplete non-root cray-cfs-api changes #132

Merged (1 commit, Apr 26, 2024)

Conversation

dborman-hpe (Contributor)

Summary and Scope

When the "cray-cfs-api" chart was converted to non-root, the change was incomplete. In addition to specifying a "securityContext" for the container, a "securityContext" also needs to be specified for the pod. This is what tells Kubernetes how to set up permissions on PVCs. Without that, the PVCs will have the default permissions of the underlying storage class, which can vary between storage classes.

The only reason things are currently working is because the CephFS storage class defaults to a top level directory of "root/root", mode "0x777". In Mercury we switch to a cStor storage class, where the default permissions are "0x755", and non-root containers are not able to create files.

Issues and Related PRs

Testing

Tested on:

  • Mercury

Test description:

Without this change the chart fails to deploy on Mercury systems. After patching the chart with this change, cray-cfs-api successfully deploys.

  • Were the install/upgrade-based validation checks/tests run (goss tests/install-validation doc)?
  • Were continuous integration tests run? If not, why?
  • Was upgrade tested? If not, why?
  • Was downgrade tested? If not, why?
  • Were new tests (or test issues/Jiras) created for this change?

Risks and Mitigations

There should be no visible changes, other than inside the running container the PVC mount point should no longer be owned by root.

Pull Request Checklist

  • Version number(s) incremented, if applicable
  • Copyrights updated
  • License file intact
  • Target branch correct
  • CHANGELOG.md updated
  • Testing is appropriate and complete, if applicable
  • HPC Product Announcement prepared, if applicable
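The description above explains the gap: a container-level securityContext makes the process run as a non-root user, but only a pod-level securityContext (its fsGroup field) tells the kubelet to set group ownership on the mounted PVC, so on a storage class whose default is a root-owned 0755 (octal) directory the process cannot write. The following is an added example, not code from the cray-cfs-api chart or from this PR: a small static check that flags non-root containers mounting a PVC in a pod with no fsGroup, plus the pod-level securityContext that closes the gap. The pod specs, the UID/GID 65534, the claim and image names are constructed placeholders; the field names (securityContext, fsGroup, runAsUser, runAsGroup, runAsNonRoot, persistentVolumeClaim, volumeMounts) are standard Kubernetes PodSpec fields.

```python
"""Check a PodSpec (the dict under spec.template.spec) for the incomplete
non-root conversion this PR describes: a container running as non-root while
the pod sets no securityContext.fsGroup, so a mounted PVC keeps the storage
class's default ownership and mode.

Added example, not the chart's own code. Specs below are constructed."""
from copy import deepcopy
from typing import Any, Dict, List, Set, Tuple


def _pvc_volume_names(pod_spec: Dict[str, Any]) -> Set[str]:
    """Names of pod volumes that are backed by a PersistentVolumeClaim."""
    return {v["name"] for v in pod_spec.get("volumes", [])
            if "persistentVolumeClaim" in v}


def _runs_as_non_root(container_ctx: Dict[str, Any],
                      pod_ctx: Dict[str, Any]) -> bool:
    """Container-level securityContext fields override the pod-level ones."""
    run_as_user = container_ctx.get("runAsUser", pod_ctx.get("runAsUser"))
    non_root = container_ctx.get("runAsNonRoot",
                                 pod_ctx.get("runAsNonRoot", False))
    return bool(non_root) or (run_as_user is not None and run_as_user != 0)


def find_pvc_mounts_without_fsgroup(
        pod_spec: Dict[str, Any]) -> List[Tuple[str, List[str]]]:
    """Return (container name, sorted PVC volume names it mounts) for each
    non-root container when the pod has no fsGroup. Empty list = no finding.
    Root containers and non-PVC volumes (e.g. emptyDir) are not reported."""
    pod_ctx = pod_spec.get("securityContext") or {}
    if pod_ctx.get("fsGroup") is not None:
        return []  # kubelet will chgrp the PVC to fsGroup; nothing to flag
    pvcs = _pvc_volume_names(pod_spec)
    findings: List[Tuple[str, List[str]]] = []
    for c in pod_spec.get("containers", []):
        if not _runs_as_non_root(c.get("securityContext") or {}, pod_ctx):
            continue
        mounted = sorted(m["name"] for m in c.get("volumeMounts", [])
                         if m["name"] in pvcs)
        if mounted:
            findings.append((c["name"], mounted))
    return findings


def add_pod_security_context(pod_spec: Dict[str, Any], uid: int,
                             gid: int) -> Dict[str, Any]:
    """Return a copy of the spec with the pod-level securityContext the PR
    calls for. fsGroup is what makes the kubelet apply group ownership to
    supported volumes such as the PVC mount; the original dict is untouched."""
    fixed = deepcopy(pod_spec)
    ctx = fixed.setdefault("securityContext", {})
    ctx.update({"runAsUser": uid, "runAsGroup": gid, "fsGroup": gid})
    return fixed


# Constructed "before" state: non-root container, no pod-level securityContext.
INCOMPLETE_POD: Dict[str, Any] = {
    "volumes": [
        {"name": "data",
         "persistentVolumeClaim": {"claimName": "PLACEHOLDER-claim"}},
        {"name": "scratch", "emptyDir": {}},
    ],
    "containers": [{
        "name": "cray-cfs-api",
        "image": "PLACEHOLDER-image",
        "securityContext": {"runAsUser": 65534, "runAsGroup": 65534,
                            "runAsNonRoot": True,
                            "allowPrivilegeEscalation": False},
        "volumeMounts": [{"name": "data", "mountPath": "/data"},
                         {"name": "scratch", "mountPath": "/tmp"}],
    }],
}

# "After" state: same spec with the pod-level securityContext added.
FIXED_POD = add_pod_security_context(INCOMPLETE_POD, uid=65534, gid=65534)

if __name__ == "__main__":
    for label, spec in (("before", INCOMPLETE_POD), ("after", FIXED_POD)):
        print(label, find_pvc_mounts_without_fsgroup(spec))
```

Once the corrected chart is deployed, the claim in the Risks section (the mount point is no longer root-owned inside the container) can be confirmed with `kubectl exec <pod> -- stat -c '%u:%g %a' <mount-path>`, which should report the fsGroup as the group owner rather than 0.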

When the "cray-cfs-api" chart was converted to non-root, the
change was incomplete.  In addition to specifying a
"securityContext" for the container, a "securityContext" also
needs to be specified for the pod.  This is what tells
Kubernetes how to set up permissions on PVCs.  Without that,
the PVCs will have the default permissions of the underlying
storage class, which can vary between storage classes.

The only reason things are currently working is because the
CephFS storage class defaults to a top level directory of
"root/root", mode "0x777".  In Mercury we switch to a cStor
storage class, where the default permissions are "0x755", and
non-root containers are not able to create files.
@dborman-hpe dborman-hpe requested a review from a team as a code owner April 26, 2024 19:51
@dborman-hpe dborman-hpe merged commit 536b98f into develop Apr 26, 2024
4 checks passed