Improve support for gitea instances not running as root or uid 1000 #266
No reviewers
Labels
No Label
has
backport
in progress
invalid
kind
breaking
kind
bug
kind
build
kind
dependency
kind
deployment
kind
docs
kind
enhancement
kind
feature
kind
lint
kind
proposal
kind
question
kind
refactor
kind
security
kind
testing
kind
translation
kind
ui
need
backport
priority
critical
priority
low
priority
maybe
priority
medium
reviewed
duplicate
reviewed
invalid
reviewed
wontfix
skip-changelog
status
blocked
status
needs-feedback
status
needs-reviews
status
wip
upstream
gitea
upstream
other
No Milestone
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: gitea/helm-chart#266
Loading…
Reference in New Issue
Block a user
No description provided.
Delete Branch "nmasse-itix/helm-chart:no-chown"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Context
PR #259 introduced support for running Gitea as a uid different than 1000 (git) or 0 (root).
Problem
In init_directory_structure.sh, there is a "chown 1000:1000" on /tmp/gitea.
This chown only works when running as root or when the target directory is already owned by uid 1000.
As a result, the init container "init-directories" fails on startup when running Gitea with a uid different from 0 or 1000.
Initially, I worked around it by implementing an "initPreScript". But it would make user's life easier if we can make it work out-of-the-box.
Resolution
I'm taking model on the chown a few lines above that depends on the value of image.rootless. Since the chown only works on default (root) image and is useless on rootless image, there is no need to run it on rootless image.
It may be a good way to check the user currently running the init container. In case of root, there is probably no securityContexts set and a file/folder permission modification is necessary to match Gitea requirements. In case there is any securityContext defined, the runAsUser + runAsGroup setting should be used to actually
chown
any files for the later running live container. As fallback, we should use 1000:1000.For some reasons I haven't noticed that in the previous PR #259.
Yes, I should have included this in the previous PR since both topics are tied. I will be more careful for my next PR. :)
We need to handle two different cases:
When using the rootless image, all processes are running as the specified uid (1000 by default but customizable). And all created files and folders are necessarily owned by that uid.
Also, with uid > 0, we cannot use the chown command.
The Linux kernel prevents any user from:
For instance :
The only special case where we can use chown is when the user already owns the file. It is a "noop": nothing is actually done.
For instance :
The previous behavior in the Helm chart was unconditionnally "chown 1000:1000 /tmp/gitea" which:
The new proposed behavior :
To accomplish this, I was using the .Values.image.rootless flag since:
Let me know if something is unclear or if I'm wrong on some point.
I was refering to line 24-26 of templates/gitea/init.yaml:
Your comment covers every possibility I can think of atm. ?
Are you going to modify your PR to take all this into account?
(BTW, really like the way you are structuring your PR and issue descriptions).
@nmasse-itix we would like to include this PR in 5.0.0 would it be possible to make the changes mentioned above?
@luhanh I may have missed something but the PR already implements the described behavior.
When using a rootless image, no chown is executed.
And when using rootful image, chown is executed.
Do you want me to add a comment in the code to clarify why chown operations need to be conditional ?
Sorry, no you've not missed something, I just missunderstood the previous conversation :D
@nmasse-itix I thought you'd make the chown itself using dynamic uid:gid values, depending on the configuration, as it now would fail under some conditions when actually changing the user with securityContexts. That's what I was reading from your larger comment. But I may have just interpreted this. ?
For 5.0.0 I can totally live with the proposed change as-is. We can provide another change with 5.0.1. Changing the uid was not possible before and I don't expect many users to switch their uid for running environments. ?
In any case, please update your branch to match the current base. Let me know how we want to proceed.
fa49489242
to9c8bcb4ea8
From all the tests I've done, this PR covers the following cases:
Of course, there is always room for improvement. :)
edit: PR rebased on current master
I think we can move on with this PR. If there are new use cases or if we want to refine the init_directory_structure.sh script, we can do it in another milestone.
What do you think ?
You are right. The init container will proceed with your fix for all three cases. It seems we have issues with the rootless image not running as 1000:1000 in general. I tried it with 2000:2000 and got this at Gitea startup.
Here is my securityContext related
values.yaml
:Even setting environment variables to overrwide UID/GID for the git user didn't work.
Yes, that directory in the rootless image is not writable.
You can choose another one in your values.yaml like this:
LGTM
LGTM