Fix rootless image usage with enhanced security-context #160
Labels
No Label
has
backport
in progress
invalid
kind
breaking
kind
bug
kind
build
kind
dependency
kind
deployment
kind
docs
kind
enhancement
kind
feature
kind
lint
kind
proposal
kind
question
kind
refactor
kind
security
kind
testing
kind
translation
kind
ui
need
backport
priority
critical
priority
low
priority
maybe
priority
medium
reviewed
duplicate
reviewed
invalid
reviewed
wontfix
skip-changelog
status
blocked
status
needs-feedback
status
needs-reviews
status
wip
upstream
gitea
upstream
other
No Milestone
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: gitea/helm-chart#160
Loading…
Reference in New Issue
Block a user
No description provided.
Delete Branch "justusbunsi/helm-chart:master"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
I've noticed that the commented
securityContext
is not really useable with the rootless image due to different directory structure compared to the default image.Important for the
readOnlyRootFilesystem
is to declare theTMPDIR
environment variable, so that the tmp directory (which is readonly in this case) won't be used. Instead, another writeable directory can be used.Another thing is the explicit hint that all these security options cannot be used with the default (root-based) image, because of its design.
Although this PR would fix the referenced issue, I am not totally happy with the current implementation. It would be more straight forward to use the same mount points for both image variants. Unfortunately, this is not possible right now due to hard coded paths in the default (root) image startup scripts.Anyone have suggestions on how this could be more simple?Sum-up:
As mentioned in Discord, this PR tried to make too many changes. The necessary changes made in 1f331a7e6577fc798196a84a957330aca0d663cd will fix an error that occurs due to restricted access to the
/tmp
directory in a rootless image with all thesecurityContext
options enabled.I also updated the default image to 1.14.2.
Fixes: #158
WIP: Fix rootless image usage with enhanced security-contextto Fix rootless image usage with enhanced security-contextThanks for the PR.
Will look at your changes this week.
Maybe I found a solution for my mentioned worries regarding the current fix. But it includes a patch for the rootful docker image in the Gitea project. Currently, this root based image has hard coded
/data
references in its setup scripts and templates. Making this part of the image configurable during runtime by setting theGITEA_WORK_DIR
environment variable inside the image to/data
allows us to handle both image variants the same way in this helm chart.I am currently working on these modifications in Gitea and provide a PR; it's useful anyway to allow such configuration ?. After it's merged, my suggested changes for this helm chart will be less complex since both images can use the same paths configured from inside the chart.
What do you say @luhahn? Shall we wait for the necessary modification in Gitea before making any further actions in this PR?
EDIT: Without having it tested yet, this is how this PR could be simplified.
sorry again, our cluster had some major issues, which caused me to have no time at all. I will try to get back to you this week!
648e168f3b
to1f331a7e65
Hi, I finally got some time to spend on gitea :)
I've got some questions regarding your PR.
@ -77,6 +77,8 @@ spec:
value: /data
- name: GITEA_TEMP
value: /tmp/gitea
- name: TMPDIR
Little bit confused here.
Why do we need a second env variable for a tmp directory?
GITEA_TEMP is already existing and pointing to the exact same directory
@ -135,3 +137,3 @@
volumeMounts:
- name: temp
mountPath: /tmp/gitea
mountPath: /tmp
why storing all the tmp data directly into tmp and not into a seperate directory?
sorry, should've read your explanation before :D
Looks good to me, tested on my cluster
@justusbunsi please "update branch" se we can merge it
1f331a7e65
to2d43ae9c3c
@6543 Done.