Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Possibility to run as readOnlyRootFilesysystem #624

Closed
thomaswoeckinger opened this issue Sep 20, 2023 · 4 comments · Fixed by #648
Closed

Possibility to run as readOnlyRootFilesysystem #624

thomaswoeckinger opened this issue Sep 20, 2023 · 4 comments · Fixed by #648
Milestone
v0.8.1

Comments

@thomaswoeckinger
Copy link

thomaswoeckinger commented Sep 20, 2023
edited
Loading

In Openshift environments (may in others too) it is possible to restrict containers with SecurityContextConstraints (SCC).

Especial setting the root filesystem to read only would increase security.

Currently the init container setup-zk? is preventing read only root filesystem, as it is writing to /tmp.

So if this container would mount an emptyDir to /tmp it would be possible to set the root filesystem to read only.
@radu-gheorghe
Copy link
Contributor

Just to make sure I'm on the right track: we'd first need to allow setting container-level securityContext in the Helm chart, correct?

Because it doesn't seem to be currently possible. We have podOptions.podSecurityContext but that seems to refer to pod-level securityContext options, such as runAsUser. readOnlyRootFilesystem would be at the container level.

Oh, and I setup-zk is only created when we specify a chroot. I guess that in order to properly test things, that container should also have readOnlyRootFilesystem in its definition, correct? And there's no good reason not to have readOnlyRootFilesystem on that container (once it works like that), correct?

I'll continue poking at this under the assumption that all of the above are correct 🙂 but any feedback is welcome.

@thomaswoeckinger
Copy link
Author

It is not that complicated, it is sufficient to use an emptyDir and mount it to /tmp. This is because readOnlyRootFilesystem is not used wirh mount points.

@HoustonPutman
Copy link
Contributor

Yeah @radu-gheorghe , Thomas is not saying that we need to be able to specify readOnlyFilesystem, as that is already possible. We just need to make sure any folder that we write to in Solr or in the init containers is backed by a volume (ephemeral volumes by default), so that we don't see an error when the readOnlyFilesystem option is used.

@radu-gheorghe
Copy link
Contributor

OK, so I'll change zk-init to mount an emptyDir into /tmp. I'll also add readOnlyFilesystem to its definition in order to test it, but I'd like to leave it like that, I don't see a reason not to. Sounds good?

And I'll also try to test with readOnlyFilesystem everywhere. Maybe the Solr container also writes to /tmp or somewhere funky. I couldn't do that so far, but I'll press on 😁

@radu-gheorghe radu-gheorghe mentioned this issue Oct 26, 2023
Merged
@HoustonPutman HoustonPutman linked a pull request Oct 30, 2023 that will close this issue
Support readOnlyRootFilesystem #648
Merged
@HoustonPutman HoustonPutman added this to the main (v0.9.0) milestone Nov 6, 2023
@HoustonPutman HoustonPutman modified the milestones: main (v0.9.0), v0.8.1 Apr 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v0.8.1
Development

Successfully merging a pull request may close this issue.

Support readOnlyRootFilesystem radu-gheorghe/solr-operator
3 participants
@radu-gheorghe @HoustonPutman @thomaswoeckinger