houston pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr-operator.git
The following commit(s) were added to refs/heads/main by this push:
new cc710af Use correct user & fsGroup for bakcupDir chmod (#520)
cc710af is described below
commit cc710af5d45ac9010848a11a2d9a5870f6b32486
Author: Adam Nych <[email protected]>
AuthorDate: Wed Apr 19 19:28:17 2023 +0200
Use correct user & fsGroup for bakcupDir chmod (#520)
Co-authored-by: Houston Putman <[email protected]>
---
controllers/controller_utils_test.go | 2 ++
controllers/util/solr_util.go | 51 +++++++++++++++++++++++++++++++-----
helm/solr-operator/Chart.yaml | 7 +++++
3 files changed, 53 insertions(+), 7 deletions(-)
diff --git a/controllers/controller_utils_test.go
b/controllers/controller_utils_test.go
index 899c33f..f96dec9 100644
--- a/controllers/controller_utils_test.go
+++ b/controllers/controller_utils_test.go
@@ -906,11 +906,13 @@ var (
}
one = int64(1)
two = int64(2)
+ three = int64(3)
four = int32(4)
five = int32(5)
testPodSecurityContext = corev1.PodSecurityContext{
RunAsUser: &one,
RunAsGroup: &two,
+ FSGroup: &three,
}
extraVolumes = []solrv1beta1.AdditionalVolume{
{
diff --git a/controllers/util/solr_util.go b/controllers/util/solr_util.go
index 9e46fe8..74a3588 100644
--- a/controllers/util/solr_util.go
+++ b/controllers/util/solr_util.go
@@ -75,7 +75,7 @@ var (
func GenerateStatefulSet(solrCloud *solr.SolrCloud, solrCloudStatus
*solr.SolrCloudStatus, hostNameIPs map[string]string, reconcileConfigInfo
map[string]string, tls *TLSCerts, security *SecurityConfig) *appsv1.StatefulSet
{
terminationGracePeriod := int64(60)
solrPodPort := solrCloud.Spec.SolrAddressability.PodPort
- fsGroup := int64(DefaultSolrGroup)
+ defaultFSGroup := int64(DefaultSolrGroup)
probeScheme := corev1.URISchemeHTTP
if tls != nil {
@@ -500,7 +500,7 @@ func GenerateStatefulSet(solrCloud *solr.SolrCloud,
solrCloudStatus *solr.SolrCl
Spec: corev1.PodSpec{
TerminationGracePeriodSeconds:
&terminationGracePeriod,
SecurityContext:
&corev1.PodSecurityContext{
- FSGroup: &fsGroup,
+ FSGroup: &defaultFSGroup,
},
Volumes: solrVolumes,
InitContainers: initContainers,
@@ -545,6 +545,9 @@ func GenerateStatefulSet(solrCloud *solr.SolrCloud,
solrCloudStatus *solr.SolrCl
if customPodOptions.PodSecurityContext != nil {
stateful.Spec.Template.Spec.SecurityContext =
customPodOptions.PodSecurityContext
+ if stateful.Spec.Template.Spec.SecurityContext.FSGroup
== nil {
+
stateful.Spec.Template.Spec.SecurityContext.FSGroup = &defaultFSGroup
+ }
}
if customPodOptions.Lifecycle != nil {
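Review bot: The new nil-check writes `FSGroup` through `stateful.Spec.Template.Spec.SecurityContext`, which the line above set to the same pointer as `customPodOptions.PodSecurityContext`, so the default lands in the caller's options struct and not only in the generated StatefulSet. If `customPodOptions` points into the SolrCloud spec (not visible in this hunk), this mutates the object passed to the generator, which may be a shared cache copy. Assigning a copy before defaulting avoids that: `stateful.Spec.Template.Spec.SecurityContext = customPodOptions.PodSecurityContext.DeepCopy()`. GenerateStatefulSet starts and ends outside the hunk.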
@@ -618,20 +621,54 @@ func generateSolrSetupInitContainers(solrCloud
*solr.SolrCloud, solrCloudStatus
},
}
setupCommands := []string{"cp /tmp/solr.xml /tmp-config/solr.xml"}
- setupCommands = append(setupCommands, fmt.Sprintf("adduser -u %d -H -D
solr", DefaultSolrUser))
+
+ // Figure out the solrUser and solrGroup to use
+ solrUser := DefaultSolrUser
+ solrFSGroup := DefaultSolrGroup
+
+ // Only add a user to the initContainer if one isn't provided in the
podSecurityContext
+ // This is so that we can check if the backupDir is writable given the
default user (since no user is provided)
+ addUserToInitContainer := true
+ if solrCloud.Spec.CustomSolrKubeOptions.PodOptions != nil {
+ solrPodSecurityContext :=
solrCloud.Spec.CustomSolrKubeOptions.PodOptions.PodSecurityContext
+
+ if solrPodSecurityContext != nil {
+ if solrPodSecurityContext.RunAsUser != nil {
+ solrUser =
int(*solrPodSecurityContext.RunAsUser)
+ addUserToInitContainer = false
+ } else if solrPodSecurityContext.RunAsNonRoot != nil &&
*solrPodSecurityContext.RunAsNonRoot {
+ // we can't add users to the initContainer,
even if we want to, since we cannot run as root.
+ addUserToInitContainer = false
+ }
+ if solrPodSecurityContext.FSGroup != nil {
+ solrFSGroup =
int(*solrPodSecurityContext.FSGroup)
+ }
+ }
+ }
// Add prep for backup-restore Repositories
// This entails setting the correct permissions for the directory
+ solrUserAdded := false
for _, repo := range solrCloud.Spec.BackupRepositories {
if IsRepoVolume(&repo) {
if _, volumeMount := RepoVolumeSourceAndMount(&repo,
solrCloud.Name); volumeMount != nil {
volumeMounts = append(volumeMounts,
*volumeMount)
+ if addUserToInitContainer && !solrUserAdded {
+ setupCommands = append(setupCommands,
fmt.Sprintf("addgroup -g %d solr", solrFSGroup))
+ setupCommands = append(setupCommands,
fmt.Sprintf("adduser -u %d -G solr -H -D solr", DefaultSolrUser))
+ // Only add users once even if there
are many backup repos
+ solrUserAdded = true
+ }
+ testDirCommand := "test -w " +
volumeMount.MountPath
+ if addUserToInitContainer {
+ testDirCommand = fmt.Sprintf("su solr
-c '%s'", testDirCommand)
+ }
setupCommands = append(setupCommands,
fmt.Sprintf(
- "(su solr -c 'test -w %s' || chown -R
%d:%d %s)",
- volumeMount.MountPath,
- DefaultSolrUser,
- DefaultSolrGroup,
+ "(%s || chown -R %d:%d %s)",
+ testDirCommand,
+ solrUser,
+ solrFSGroup,
volumeMount.MountPath))
}
}
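Review bot: In the `addUserToInitContainer && !solrUserAdded` branch, `addgroup -g %d solr` is built from `solrFSGroup`, which can now be a user-supplied `FSGroup` and may collide with a GID already defined in the init container image. The image is not visible here, but busybox-style `addgroup` exits with an error for a GID that is in use, and whether that aborts the setup depends on how `setupCommands` is joined outside this hunk. Consider tolerating an existing group, or at least adding a comment such as `// solrFSGroup must not match a GID already present in the init image`. The `adduser` line still formats `DefaultSolrUser` while the `chown` uses `solrUser`; the two are equal on this path today, but passing `solrUser` to both would stop them drifting apart. Separately, `volumeMount.MountPath` is now nested unquoted inside `su solr -c '%s'` in a command that may run as root, so it is worth confirming the path is always operator-generated and cannot contain spaces or quotes.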
diff --git a/helm/solr-operator/Chart.yaml b/helm/solr-operator/Chart.yaml
index 183e188..1c0ff90 100644
--- a/helm/solr-operator/Chart.yaml
+++ b/helm/solr-operator/Chart.yaml
@@ -176,6 +176,13 @@ annotations:
url: https://github.com/apache/solr-operator/issues/553
- name: GitHub PR
url: https://github.com/apache/solr-operator/pull/554
+ - kind: fixed
+ description: Use correct user & group for chmod command in cp-solr-xml
init container
+ links:
+ - name: GitHub PR
+ url: https://github.com/apache/solr-operator/pull/520
+ - name: GitHub Issue
+ url: https://github.com/apache/solr-operator/issues/519
artifacthub.io/images: |
- name: solr-operator
image: apache/solr-operator:v0.7.0-prerelease