From 69adb23c59e991ddcabf5cfce415fd8b638dbc1a Mon Sep 17 00:00:00 2001
From: "Suren A. Chilingaryan"
Date: Thu, 1 Mar 2018 21:15:50 +0100
Subject: Improve handling of filesystem permissions and other fixes
---
 roles/ands_kaas/tasks/do_project.yml | 2 +-
 roles/ands_kaas/tasks/file.yml | 8 +++---
 roles/ands_kaas/tasks/project.yml | 7 ++++--
 roles/ands_kaas/tasks/sync.yml | 2 +-
 roles/ands_kaas/tasks/templates.yml | 2 +-
 roles/ands_kaas/tasks/volume.yml | 2 +-
 roles/ands_kaas/templates/00-gfs-volumes.yml.j2 | 13 ++++++---
 roles/ands_kaas/templates/50-kaas-pods.yml.j2 | 17 +++++-------
 roles/ands_openshift/tasks/security_resources.yml | 28 ++++++++++------------
 roles/openshift_resource/tasks/patch.yml | 10 ++++---
 roles/openshift_resource/tasks/resource.yml | 6 ++---
 roles/openshift_resource/tasks/template.yml | 8 +++---
 setup/configs/security.yml | 28 +++++++++++++++------
 setup/projects/adei/templates/60-adei.yml.j2 | 17 ++++++------
 setup/projects/adei/vars/globals.yml | 12 +++++-----
 setup/projects/adei/vars/pods.yml | 2 +-
 setup/projects/adei/vars/volumes.yml | 18 +++++++------
 .../projects/kaas/templates/40-kaas-manager.yml.j2 | 3 +++
 setup/projects/kaas/vars/volumes.yml | 11 +++++---
 setup/projects/katrin/vars/volumes.yml | 2 +-
 20 files changed, 105 insertions(+), 93 deletions(-)
diff --git a/roles/ands_kaas/tasks/do_project.yml b/roles/ands_kaas/tasks/do_project.yml
index 4fac6c6..5cafe25 100644
--- a/roles/ands_kaas/tasks/do_project.yml
+++ b/roles/ands_kaas/tasks/do_project.yml
@@ -43,7 +43,7 @@
 include_tasks: keys.yml
 # delegate_to: "{{ groups.masters[0] }}"
 run_once: true
- with_dict: "{{ kaas_project_config.pods | default({}) }}"
+ with_dict: "{{ kaas_project_pods }}"
 loop_control:
 loop_var: pod
diff --git a/roles/ands_kaas/tasks/file.yml b/roles/ands_kaas/tasks/file.yml
index a839473..488823b 100644
--- a/roles/ands_kaas/tasks/file.yml
+++ b/roles/ands_kaas/tasks/file.yml
@@ -3,15 +3,15 @@
 set_fact: group="{{ file.group | default(kaas_project_config.file_group | default(ands_default_file_group)) }}"
 - name : Resolve project groups
- set_fact: group="{{ (kaas_project_config.gids | default(kaas_openshift_gids))[group].id }}"
- when: group in ( kaas_project_config.gids | default(kaas_openshift_gids) )
+ set_fact: group="{{ kaas_project_gids[group].id }}"
+ when: group in kaas_project_gids
 - name: Set owner
 set_fact: owner="{{ file.owner | default(kaas_project_config.file_owner | default(ands_default_file_owner)) }}"
 - name : Resolve project uids
- set_fact: owner="{{ (kaas_project_config.uids | default(kaas_openshift_uids) )[owner].id }}"
- when: owner in ( kaas_project_config.uids | default(kaas_openshift_uids) )
+ set_fact: owner="{{ kaas_project_uids[owner].id }}"
+ when: owner in kaas_project_uids
 - name: "Setting up files in {{ path }}"
 file:
diff --git a/roles/ands_kaas/tasks/project.yml b/roles/ands_kaas/tasks/project.yml
index f7eb1df..b8574cf 100644
--- a/roles/ands_kaas/tasks/project.yml
+++ b/roles/ands_kaas/tasks/project.yml
@@ -28,5 +28,8 @@
 - include_tasks: do_project.yml
 vars:
 var_name: "var_{{kaas_project}}_config"
- kaas_project_config: "{{ hostvars[inventory_hostname][var_name] }}"
- kaas_project_volumes: "{{ kaas_project_config.volumes | default(kaas_project_config.extra_volumes | default({}) | combine(kaas_openshift_volumes)) }}"
\ No newline at end of file
+ kaas_project_config: "{{ hostvars[inventory_hostname][var_name] }}"
+ kaas_project_volumes: "{{ kaas_project_config.volumes | default(kaas_project_config.extra_volumes | default({}) | combine(kaas_openshift_volumes)) }}"
+ kaas_project_pods: "{{ kaas_project_config.pods | default({}) }}"
+ kaas_project_gids: "{{ kaas_project_config.gids | default(kaas_openshift_gids) }}"
+ kaas_project_uids: "{{ kaas_project_config.uids | default(kaas_openshift_uids) }}"
diff --git a/roles/ands_kaas/tasks/sync.yml b/roles/ands_kaas/tasks/sync.yml
index a4febe7..8caefe9 100644
--- a/roles/ands_kaas/tasks/sync.yml
+++ b/roles/ands_kaas/tasks/sync.yml
@@ -11,7 +11,7 @@
 - name: "Ensure the data is writeable by project pods"
 vars:
 grp: "{{ kaas_project_config.sync_set_gid }}"
- gid: "{{ ((kaas_project_config.gids | default(kaas_openshift_gids))[grp] is defined) | ternary((kaas_project_config.gids | default(kaas_openshift_gids))[grp].id, grp) }}"
+ gid: "{{ (kaas_project_gids[grp] is defined) | ternary(kaas_project_gids[grp].id, grp) }}"
 file:
 path: "{{ remote_path }}"
 state: "directory"
diff --git a/roles/ands_kaas/tasks/templates.yml b/roles/ands_kaas/tasks/templates.yml
index 2de4fad..9fc378f 100644
--- a/roles/ands_kaas/tasks/templates.yml
+++ b/roles/ands_kaas/tasks/templates.yml
@@ -4,7 +4,7 @@
 command: "echo {{ item | quote }}"
 register: results
 changed_when: false
- when: (kaas_project_config.pods | default([]) | length > 0) or not (item | regex_search('kaas-pods'))
+ when: (kaas_project_pods | length > 0) or not (item | regex_search('kaas-pods'))
 with_fileglob:
 - "{{ role_path }}/templates/{{ kaas_template_glob | default('*') }}.j2"
 - "{{ kaas_project_path }}/templates/{{ kaas_template_glob | default('*') }}.j2"
diff --git a/roles/ands_kaas/tasks/volume.yml b/roles/ands_kaas/tasks/volume.yml
index ff51fb0..783654a 100644
--- a/roles/ands_kaas/tasks/volume.yml
+++ b/roles/ands_kaas/tasks/volume.yml
@@ -16,7 +16,7 @@
 path: "{{ path }}"
 state: "directory"
 recurse: "no"
- mode: "{{ volume.mode | default(0775) }}"
+ mode: "{{ volume.mode | default(02775) }}"
 owner: "{{ volume.owner | default(kaas_project_config.file_owner) | default(kaas_default_file_owner) }}"
 group: "{{ volume.group | default(kaas_project_config.file_group) | default(default_group) }}"
 register: chmod
diff --git a/roles/ands_kaas/templates/00-gfs-volumes.yml.j2 b/roles/ands_kaas/templates/00-gfs-volumes.yml.j2
index c9341ed..a69942d 100644
--- a/roles/ands_kaas/templates/00-gfs-volumes.yml.j2
+++ b/roles/ands_kaas/templates/00-gfs-volumes.yml.j2
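Review bot: `default(02775)` in the volume.yml hunk hands the mode to Jinja as an integer literal with a leading zero; the Jinja of that time reads digit runs in base 10, so this renders as the string `2775`, which the file module then reinterprets as octal — the result is right only because of that round trip, and newer Jinja releases, as far as I know, reject a leading zero on an integer literal outright. The project vars changed in this same commit spell the mode as a quoted string (`mode: "02775"`), so `mode: "{{ volume.mode | default('02775') }}"` keeps the role consistent with them and makes the setgid intent explicit. The enclosing file task starts before the hunk.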
@@ -2,18 +2,23 @@
 apiVersion: v1
 kind: Template
 metadata:
- name:
+ name: {{ kaas_project }}-gfs-volumes
 annotations:
- descriptions: "KATRIN Volumes"
+ descriptions: "{{ kaas_project }} glusterfs volumes"
 objects:
 {% for name, vol in kaas_project_volumes.iteritems() %}
 {% set oc_name = vol.name | default(name) | regex_replace('_','-') %}
 {% set cfgpath = vol.path | default("") %}
 {% set path = cfgpath if cfgpath[:1] == "/" else "/" + kaas_project + "/" + cfgpath %}
+{% if oc_name | regex_search("^" + kaas_project) %}
+{% set pvname = oc_name %}
+{% else %}
+{% set pvname = (kaas_project + "-" + oc_name) | regex_replace('_','-') %}
+{% endif %}
 - apiVersion: v1
 kind: PersistentVolume
 metadata:
- name: {{ oc_name }}
+ name: {{ pvname }}
 spec:
 persistentVolumeReclaimPolicy: Retain
 glusterfs:
@@ -32,7 +37,7 @@ objects:
 metadata:
 name: {{ oc_name }}
 spec:
- volumeName: {{ oc_name }}
+ volumeName: {{ pvname }}
 accessModes:
 - {{ vol.access | default('ReadWriteMany') }}
 resources:
diff --git a/roles/ands_kaas/templates/50-kaas-pods.yml.j2 b/roles/ands_kaas/templates/50-kaas-pods.yml.j2
index 2ed7462..216dc01 100644
--- a/roles/ands_kaas/templates/50-kaas-pods.yml.j2
+++ b/roles/ands_kaas/templates/50-kaas-pods.yml.j2
@@ -7,7 +7,7 @@ metadata:
 annotations:
 descriptions: {{ kaas_project_config.description | default(kaas_project ~ "auto-generated pod template") }}
 objects:
-{% for name, pod in (kaas_project_config.pods | default({})).iteritems() %}
+{% for name, pod in kaas_project_pods.iteritems() %}
 {% set pubkey = "kaas_" ~ name ~ "_pubkey" %}
 {% set privkey = "kaas_" ~ name ~ "_privkey" %}
 {% set cakey = "kaas_" ~ name ~ "_ca" %}
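Review bot: The prefix test in the 00-gfs-volumes hunk, `oc_name | regex_search("^" + kaas_project)`, accepts any volume name that merely starts with the project string, so in project `kaas` a volume named, say, `kaasdata` keeps its bare name as the cluster-scoped PersistentVolume name and can still collide with a PV of another project — the collision the `pvname` prefix is there to prevent. Anchoring the match on the separator, `{% if oc_name | regex_search("^" + kaas_project + "(-|$)") %}`, preserves the shortcut for names already written as `<project>-...` while closing that gap. `kaas_project` is also embedded unescaped in the regex; that is fine for DNS-label project names, and a template comment such as `{# kaas_project is a DNS label, safe inside the regex #}` would record the assumption.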
@@ -104,20 +104,15 @@ objects:
 {% if (pod.groups is defined) or (pod.run_as is defined) %}
 securityContext:
 {% if (pod.run_as is defined) %}
- {% if (kaas_project_config.uids | default(kaas_openshift_uids))[pod.run_as] is defined %}
- runAsUser: {{ (kaas_project_config.uids | default(kaas_openshift_uids))[pod.run_as].id }}
- {% else %}
- runAsUser: {{ pod.run_as }}
- {% endif %}
+ runAsUser: {{ (kaas_project_uids[pod.run_as] is defined) | ternary(kaas_project_uids[pod.run_as].id, pod.run_as) }}
 {% endif %}
 {% if (pod.groups is defined) %}
+ {% if (ands_openshift_gid_mode | default('')) == "RunAsAny" %}
+ fsGroup: {{ (kaas_project_gids[pod.groups[0]] is defined) | ternary(kaas_project_gids[pod.groups[0]].id, pod.groups[0]) }}
+ {% endif %}
 supplementalGroups:
 {% for group in pod.groups %}
- {% if (kaas_project_config.gids | default(kaas_openshift_gids))[group] is defined %}
- - {{ (kaas_project_config.gids | default(kaas_openshift_gids))[group].id }}
- {% else %}
- - {{ group }}
- {% endif %}
+ - {{ (kaas_project_gids[group] is defined) | ternary(kaas_project_gids[group].id, group) }}
 {% endfor %}
 {% endif %}
 {% endif %}
diff --git a/roles/ands_openshift/tasks/security_resources.yml b/roles/ands_openshift/tasks/security_resources.yml
index 5b80f1e..fd72240 100644
--- a/roles/ands_openshift/tasks/security_resources.yml
+++ b/roles/ands_openshift/tasks/security_resources.yml
@@ -1,7 +1,4 @@
 ---
-- name: Ensure OpenShift patch directory exists
- file: path="{{ ands_openshift_patch_path }}" state="directory" mode=0644 owner=root group=root
-
 # No spaces in patch, otherwise escaping mess...
 - name: Patch group range in project configuration
 include_role: name="openshift_resource" tasks_from="patch.yml"
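Review bot: The new fsGroup line in the 50-kaas-pods hunk indexes `pod.groups[0]` while the surrounding guard only checks `pod.groups is defined`, so a pod entry with `groups: []` aborts template rendering with an index error instead of simply omitting fsGroup; the identical block added to 60-adei.yml.j2 further down has the same gap. Tightening the added guard to `{% if (ands_openshift_gid_mode | default('')) == "RunAsAny" and (pod.groups | length > 0) %}` avoids that without changing the normal path. Taking the first listed group as fsGroup mirrors the MustRunAs behaviour that is explained only in the security.yml comments; a template comment like `{# fsGroup follows the first configured group, as the SCC would under MustRunAs #}` keeps that rationale next to the code. The enclosing object definition starts before the hunk.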
@@ -9,7 +6,6 @@
 project: "{{ item.key }}"
 resource: "ns/{{ item.key }}"
 patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.supplemental-groups":"{{ item.value }}"}}}'
- patch_path: "{{ ands_openshift_patch_path }}"
 with_dict: "{{ ands_openshift_gid_ranges | default({}) }}"
 - name: Patch uid range in project configuration
@@ -18,29 +14,31 @@
 project: "{{ item.key }}"
 resource: "ns/{{ item.key }}"
 patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.uid-range":"{{ item.value }}"}}}'
- patch_path: "{{ ands_openshift_patch_path }}"
 with_dict: "{{ ands_openshift_uid_ranges | default({}) }}"
 - name: Restrict supplementalGroups
 include_role: name="openshift_resource" tasks_from="patch.yml"
 vars:
- project: "{{ item.key }}"
+ project: "default"
 resource: "scc/restricted"
- modes: "{{ ands_openshift_gid_mode | default({}) }}"
- mode: "{{ modes[item.key] | default(modes['ands_default'] | default(false)) }}"
+ mode: "{{ ands_openshift_groups_mode | default(false) }}"
 patch: '{"supplementalGroups":{"type":"{{mode}}"}}'
- patch_path: "{{ ands_openshift_patch_path }}"
 when: mode != false
- with_dict: "{{ ands_openshift_projects | default({}) }}"
+
+- name: Restrict fsGroup
+ include_role: name="openshift_resource" tasks_from="patch.yml"
+ vars:
+ project: "default"
+ resource: "scc/restricted"
+ mode: "{{ ands_openshift_gid_mode | default(false) }}"
+ patch: '{"fsGroup":{"type":"{{mode}}"}}'
+ when: mode != false
 - name: Configure runAsUser
 include_role: name="openshift_resource" tasks_from="patch.yml"
 vars:
- project: "{{ item.key }}"
+ project: "default"
 resource: "scc/restricted"
- modes: "{{ ands_openshift_uid_mode | default({}) }}"
- mode: "{{ modes[item.key] | default(modes['ands_default'] | default(false)) }}"
+ mode: "{{ ands_openshift_uid_mode | default(false) }}"
 patch: '{"runAsUser":{"type":"{{mode}}"}}'
- patch_path: "{{ ands_openshift_patch_path }}"
 when: mode != false
- with_dict: "{{ ands_openshift_projects | default({}) }}"
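Review bot: The three SCC tasks in the second hunk now patch the cluster-wide `scc/restricted`, and the strategy string from `ands_openshift_groups_mode`, `ands_openshift_gid_mode` and `ands_openshift_uid_mode` goes into the patch unvalidated, so a value such as `RunAsAny` for runAsUser would let pods in every namespace run as root by default, not just in the projects this role manages. I would put an `assert` in front of each patch that `mode` is one of the strategy names the SCC accepts, refuse `RunAsAny` for runAsUser unless it is explicitly opted into, and longer term give the project service accounts a dedicated SCC instead of editing `restricted`. `project: "default"` is presumably inert for a cluster-scoped resource; a comment such as `# SCCs are cluster-scoped; the namespace only satisfies patch.yml's interface` would make that clear to the next reader.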
diff --git a/roles/openshift_resource/tasks/patch.yml b/roles/openshift_resource/tasks/patch.yml
index e2bbcfa..501f692 100644
--- a/roles/openshift_resource/tasks/patch.yml
+++ b/roles/openshift_resource/tasks/patch.yml
@@ -1,10 +1,10 @@
 ---
-- name: Lookup the specified resource
+- name: "Lookup {{resource}} in {{project}}"
 command: "oc get -n '{{project}}' '{{resource}}' -o json"
 register: orig_result
 changed_when: 0
-- name: Lookup API version of the specified resource
+- name: "Lookup API version of {{resource}} in {{project}}"
 command: "oc get -n '{{project}}' '{{resource}}' --template {{'{{' + '.apiVersion' + '}}'}}"
 register: api_version
 changed_when: 0
@@ -13,14 +13,14 @@
 - name: Escaping patch
 set_fact: xpatch='{{patch | to_json | regex_replace(" ","") | regex_replace("^", " ")}}'
-- name: Generate dummy patch {{resource}} in {{project}}
+- name: "Generate dummy patch for {{resource}} in {{project}}"
 command: "oc patch -n '{{project}}' --patch ' {\"apiVersion\": \"{{api_version.stdout}}\"}' --local=true -f - -o json"
 args:
 stdin: " {{ orig_result.stdout_lines | join('') }}"
 register: dummy_result
 changed_when: 0
-- name: Generate test patch {{resource}} in {{project}}
+- name: "Generate test patch {{resource}} in {{project}}"
 command: "oc patch -n '{{project}}' --patch '{{xpatch}}' --local=true -f - -o json"
 args:
 stdin: " {{ orig_result.stdout_lines | join('') }}"
@@ -33,7 +33,7 @@
 #- debug: msg="{{ patch_result.stdout }}"
 # when: dummy_result.stdout != patch_result.stdout
-- name: Patch {{resource}} in {{project}}
+- name: "Patch {{resource}} in {{project}}"
 command: "oc patch -n '{{project}}' '{{resource}}' --patch '{{xpatch}}'"
 register: result
 changed_when: (result | succeeded)
diff --git a/roles/openshift_resource/tasks/resource.yml b/roles/openshift_resource/tasks/resource.yml
index 4e6e7ac..87af5c9 100644
--- a/roles/openshift_resource/tasks/resource.yml
+++ b/roles/openshift_resource/tasks/resource.yml
@@ -3,20 +3,20 @@
 - name: Find out which resources we are going to configure
 set_fact: rkind="{{ tmpl.kind }}" rname="{{ tmpl.metadata.name }}"
- - name: "Lookup the specified resource {{rkind}}/{{rname}}"
+ - name: "Lookup the specified resource {{rkind}}/{{rname}} in {{project}}"
 command: "oc get -n {{project}} {{rkind}}/{{rname}}"
 register: find_result
 changed_when: false
 failed_when: false
- - name: "Detroy existing resources {{rkind}}/{{rname}}"
+ - name: "Detroy existing resources {{rkind}}/{{rname}} in {{project}}"
 command: "oc delete -n {{project}} {{rkind}}/{{rname}}"
 register: rm_result
 failed_when: false
 changed_when: (rm_result | succeeded)
 when: (recreate|default(false))
- - name: "Create resources defined in {{ template }}"
+ - name: "Populate resources defined in {{ template }} to {{project}}"
 command: "oc create -n {{project}} -f '{{ template_path }}/{{ template }}' {{ create_args | default('') }}"
 when: (recreate|default(false)) or (find_result.rc != 0)
 run_once: true
diff --git a/roles/openshift_resource/tasks/template.yml b/roles/openshift_resource/tasks/template.yml
index 6c9340b..7e74de4 100644
--- a/roles/openshift_resource/tasks/template.yml
+++ b/roles/openshift_resource/tasks/template.yml
@@ -5,7 +5,7 @@
 vars:
 query: "objects[*].{kind: kind, name: metadata.name}"
- - name: "{{ template }}: Lookup the specified resource"
+ - name: "{{ template }}: Lookup the specified resource in {{project}}"
 command: "oc get -n {{project}} {{item.kind}}/{{item.name}}"
 register: results
 failed_when: false
@@ -13,13 +13,13 @@
 with_items: "{{ resources | default([]) }}"
 # when: not (recreate|default(false))
- - name: "{{ template }}: Detroy existing resources"
+ - name: "{{ template }}: Detroy existing resources in {{project}}"
 command: "oc delete -n {{project}} {{resources[item|int].kind}}/{{resources[item|int].name}}"
 failed_when: false
 with_sequence: start=0 count="{{resources | default([]) | length}}"
 when: ((recreate|default(false)) or (results | changed)) and (results.results[item|int].rc == 0)
- - name: "{{ template }}: Create resources defined"
- shell: "oc process -f '{{ template_path }}/{{template}}' {{ template_args | default('') }} | oc create -n {{project}} -f - {{ create_args | default('') }}"
+ - name: "{{ template }}: Populate resources to {{project}}"
+ shell: "oc process -n {{project}} -f '{{ template_path }}/{{template}}' {{ template_args | default('') }} | oc create -n {{project}} -f - {{ create_args | default('') }}"
 when: (recreate|default(false)) or (results | changed)
 run_once: true
diff --git a/setup/configs/security.yml b/setup/configs/security.yml
index b870c55..22784b3 100644
--- a/setup/configs/security.yml
+++ b/setup/configs/security.yml
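Review bot: The new `-n {{project}}` in the template.yml `shell:` pipeline is interpolated unquoted, as `{{ template_args }}` and `{{ create_args }}` already are, so whitespace or shell metacharacters in those variables are split or interpreted by the shell rather than passed to `oc`; patch.yml in this same commit quotes the namespace as `-n '{{project}}'`. Quoting it here as well, `oc process -n '{{project}}' -f '{{ template_path }}/{{template}}' ...`, keeps the two task files consistent, and `| quote` is the robust option for the argument strings. The enclosing block starts before the hunk.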
@@ -1,26 +1,36 @@ -ands_openshift_gid_mode: - ands_default: "MustRunAs" -# sample: "RunAsAny" - -#ands_openshift_uid_mode: -# ands_default: "MustRunAsRange" +#The SCC is global, not per project. +# It is better to work with groups. +#ands_openshift_uid_mode: "MustRunAsRange" +# Allow setting the required fsGroup in pod-specification (default is MustRunAs). +# - If Ceph or other block storage is used, it is necessary set 'fsGroup' in pod definitions if 'RunAsAny' strategy is selected. Otherwise, the matching rules will fail. +# - For some reason, 'fsGroup' is not used as 'gid' for container. The 'gid' is always 0 (maybe only if container is run by unknown user or withiout known group). +# - May be it also should not. While documentation states that the new files are created with fsGroup gid, it also states that fsGroup is only used for network block storage (ceph). +# - Using "MustRunAs" a first 'gid' specified in the project 'supplementalGroups' will be used as 'fsGroup'. +# - Yes, in the project, not 'pod'. Consequently, the 'group' assigned to project is always in the 'supGroups' if 'MustRunAs' is selected. +# - gid=0 is also always in +# I tend to keep the default settings and use +s to enfore group ownership. If project uses multiple 'groups', the first group in the range should not be used and we avoid unintended sharing. +#ands_openshift_gid_mode: "RunAsAny" +#To enforce the range specified in the project configuration. +# - The gids outside of the range will be rejected and pod will fail if "MustRunAs" is selected. 
+ands_openshift_groups_mode: "MustRunAs"
 #ands_openshift_uid_ranges:
 ands_openshift_gid_ranges:
 kaas: "4000/10"
 katrin: "5000/10"
- test: "7100/10"
 adei: "6000/10"
 bora: "6100/10"
 web: "6200/10"
 mon: "7000/10"
+ test: "7100/10"
+# The default user and group mentioned in some projects
 ands_openshift_uids:
- kaas: { id: 6000 }
+ kaas: { id: 4000 }
 ands_openshift_gids:
- kaas: { id: 6000 }
+ kaas: { id: 4000 }
 ands_default_file_group: root
 ands_default_file_owner: root
diff --git a/setup/projects/adei/templates/60-adei.yml.j2 b/setup/projects/adei/templates/60-adei.yml.j2
index 537368f..ca3c17a 100644
--- a/setup/projects/adei/templates/60-adei.yml.j2
+++ b/setup/projects/adei/templates/60-adei.yml.j2
@@ -95,6 +95,8 @@ objects:
 adei-type: "{{ pod_type }}"
 adei-name: "{{ name }}"
 adei-setup: "${setup}"
+ annotations:
+ kaas/replicas: "{{ cfg.replicas }}"
 spec:
 replicas: "{{ cfg.replicas }}"
 revisionHistoryLimit: "{{ adei_pod_history_limit }}"
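Review bot: The security.yml hunk silently changes the meaning of `ands_openshift_gid_mode`: before this commit it was a per-project mapping driving supplementalGroups (see the removed `modes[item.key]` lookups in security_resources.yml), and it is now a plain string selecting the fsGroup strategy, while the old role moved to the new `ands_openshift_groups_mode`. An inventory or group_vars file still carrying the old mapping passes the `mode != false` check and renders the dict into the `fsGroup` patch, so the failure would only surface when `oc patch` rejects it. A comment next to the new key recording the rename, e.g. `# renamed: the former ands_openshift_gid_mode mapping is now ands_openshift_groups_mode (a single string)`, or an `assert` in security_resources.yml that `mode is string`, would catch that early.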
@@ -127,20 +129,15 @@ objects:
 {% if (cfg.groups is defined) or (cfg.run_as is defined) %}
 securityContext:
 {% if (cfg.run_as is defined) %}
-{% if (kaas_project_config.uids | default(kaas_openshift_uids))[cfg.run_as] is defined %}
- - {{ (kaas_project_config.uids | default(kaas_openshift_uids))[cfg.run_as].id }}
-{% else %}
- - {{ cfg.run_as }}
-{% endif %}
+ runAsUser: {{ (kaas_project_uids[cfg.run_as] is defined) | ternary(kaas_project_uids[cfg.run_as].id, cfg.run_as) }}
 {% endif %}
 {% if (cfg.groups is defined) %}
+{% if (ands_openshift_gid_mode | default('')) == "RunAsAny" %}
+ fsGroup: {{ (kaas_project_gids[cfg.groups[0]] is defined) | ternary(kaas_project_gids[cfg.groups[0]].id, cfg.groups[0]) }}
+{% endif %}
 supplementalGroups:
 {% for group in cfg.groups %}
-{% if (kaas_project_config.gids | default(kaas_openshift_gids))[group] is defined %}
- - {{ (kaas_project_config.gids | default(kaas_openshift_gids))[group].id }}
-{% else %}
- - {{ group }}
-{% endif %}
+ - {{ (kaas_project_gids[group] is defined) | ternary(kaas_project_gids[group].id, group) }}
 {% endfor %}
 {% endif %}
 {% endif %}
diff --git a/setup/projects/adei/vars/globals.yml b/setup/projects/adei/vars/globals.yml
index 21f4db1..f8d7816 100644
--- a/setup/projects/adei/vars/globals.yml
+++ b/setup/projects/adei/vars/globals.yml
@@ -182,7 +182,7 @@ adei_frontends:
 cacher:
 name: "adei-${setup}-cacher"
 replicas: "${cache_replicas}"
- cmd: [ "/bin/bash", "/adei/src/scripts/system/cacher.sh" ]
+ cmd: [ "/openshift-entrypoint.sh", "/adei/src/scripts/system/cacher.sh" ]
 env: "{{ adei_pod_env | union(adei_cache_env) }}"
 vols: "{{ adei_pod_vols }}"
 mounts: "{{ adei_prod_mounts | union(adei_pod_mounts) }}"
@@ -191,7 +191,7 @@ adei_frontends:
 archive_cacher:
 name: "adei-${setup}-archive-cacher"
 replicas: "1"
- cmd: [ "/bin/bash", "/adei/src/scripts/system/cacher.sh", "-m", "archive" ]
+ cmd: [ "/openshift-entrypoint.sh", "/adei/src/scripts/system/cacher.sh", "-m", "archive" ]
 env: "{{ adei_pod_env | union(adei_arc_cache_env) }}"
 vols: "{{ adei_pod_vols }}"
 mounts: "{{ adei_prod_mounts | union(adei_pod_mounts) }}"
@@ -200,7 +200,7 @@ adei_frontends:
 log_cacher:
 name: "adei-${setup}-log-cacher"
 replicas: "${enable_logs}"
- cmd: [ "/bin/bash", "/adei/src/scripts/system/cacher.sh" ]
+ cmd: [ "/openshift-entrypoint.sh", "/adei/src/scripts/system/cacher.sh" ]
 env: "{{ adei_pod_env | union(adei_log_cache_env) }}"
 vols: "{{ adei_pod_vols }}"
 mounts: "{{ adei_prod_mounts | union(adei_pod_mounts) }}"
@@ -209,7 +209,7 @@ adei_frontends:
 update:
 name: "adei-${setup}-update"
 cron: "${update_schedule}"
- cmd: [ "/bin/bash", "/adei/src/scripts/cron/adei.cron.sh" ]
+ cmd: [ "/openshift-entrypoint.sh", "/adei/src/scripts/cron/adei.cron.sh" ]
 env: "{{ adei_pod_env | union(adei_cron_env) | union(adei_update_env) }}"
 vols: "{{ adei_pod_vols }}"
 mounts: "{{ adei_prod_mounts | union(adei_pod_mounts) }}"
@@ -218,7 +218,7 @@ adei_frontends:
 maintain:
 name: "adei-${setup}-maintain"
 cron: "${maintain_schedule}"
- cmd: [ "/bin/bash", "/adei/src/scripts/cron/adei_manager.cron.sh" ]
+ cmd: [ "/openshift-entrypoint.sh", "/adei/src/scripts/cron/adei_manager.cron.sh" ]
 env: "{{ adei_pod_env | union(adei_cron_env) }}"
 vols: "{{ adei_pod_vols }}"
 mounts: "{{ adei_prod_mounts | union(adei_pod_mounts) }}"
@@ -227,7 +227,7 @@ adei_frontends:
 clean:
 name: "adei-${setup}-clean"
 cron: "${clean_schedule}"
- cmd: [ "/bin/bash", "/adei/src/scripts/cron/adei_clean.cron.sh" ]
+ cmd: [ "/openshift-entrypoint.sh", "/adei/src/scripts/cron/adei_clean.cron.sh" ]
 env: "{{ adei_pod_env | union(adei_cron_env) }}"
 vols: "{{ adei_pod_vols }}"
 mounts: "{{ adei_prod_mounts | union(adei_pod_mounts) }}"
diff --git a/setup/projects/adei/vars/pods.yml b/setup/projects/adei/vars/pods.yml
index 5278c44..182db9c 100644
--- a/setup/projects/adei/vars/pods.yml
+++ b/setup/projects/adei/vars/pods.yml
@@ -30,9 +30,9 @@ pods:
 env:
 - { name: "DB_SERVICE_HOST", value: "mysql.adei.svc.cluster.local" }
 - { name: "DB_SERVICE_PORT", value: "3306" }
+ - { name: "DB_EXTRA_HOSTS", value: "mysql.katrin.svc.cluster.local" }
 # - { name: "DB_SERVICE_CONTROL_USER", value: "pma" }
 # - { name: "DB_SERVICE_CONTROL_PASSWORD", value: "secret@adei/pma-password" }
- - { name: "DB_EXTRA_HOSTS", value: "mysql.katrin.svc.cluster.local" }
 probes:
 - { port: 8080, path: '/' }
diff --git a/setup/projects/adei/vars/volumes.yml b/setup/projects/adei/vars/volumes.yml
index cdeb4e7..768e27f 100644
--- a/setup/projects/adei/vars/volumes.yml
+++ b/setup/projects/adei/vars/volumes.yml
@@ -1,6 +1,6 @@
 gids:
- adei: { id: 6000 }
- adei_db: { id: 6001 }
+ adei: { id: 6001 }
+ adei_db: { id: 6002 }
 volumes:
 adei_init: { volume: "openshift", path: "/adei/init"} # mysql
@@ -13,10 +13,10 @@ volumes:
 adei_db: { volume: "databases", path: "/adei", write: true } # mysql
 files:
- - { osv: "adei_cfg", path: "/", state: "directory", group: "adei", mode: "0775" }
- - { osv: "adei_cfg", path: "/prod", state: "directory", group: "adei", mode: "0775" }
- - { osv: "adei_cfg", path: "/dbg", state: "directory", group: "adei", mode: "0775" }
- - { osv: "adei_src", path: "/", state: "directory", group: "adei", mode: "0775" }
- - { osv: "adei_log", path: "/", state: "directory", group: "adei", mode: "0775" }
- - { osv: "adei_tmp", path: "/", state: "directory", group: "adei", mode: "0775" }
- - { osv: "adei_db", path: "mysql", state: "directory", group: "adei_db", mode: "0775" }
+ - { osv: "adei_cfg", path: "/", state: "directory", group: "adei", mode: "02775" }
+ - { osv: "adei_src", path: "/", state: "directory", group: "adei", mode: "02775" }
+ - { osv: "adei_src", path: "/prod", state: "directory", group: "adei", mode: "02775" }
+ - { osv: "adei_src", path: "/dbg", state: "directory", group: "adei", mode: "02775" }
+ - { osv: "adei_log", path: "/", state: "directory", group: "adei", mode: "02775" }
+ - { osv: "adei_tmp", path: "/", state: "directory", group: "adei", mode: "02775" }
+ - { osv: "adei_db", path: "mysql", state: "directory", group: "adei_db", mode: "02775" }
diff --git a/setup/projects/kaas/templates/40-kaas-manager.yml.j2 b/setup/projects/kaas/templates/40-kaas-manager.yml.j2
index e181737..b9cba4e 100644
--- a/setup/projects/kaas/templates/40-kaas-manager.yml.j2
+++ b/setup/projects/kaas/templates/40-kaas-manager.yml.j2
@@ -43,6 +43,9 @@ objects:
 {% for ofs in range(gid_range[1] | default(1) | int) %}
 - {{ (gid_range[0] | int) + ofs }}
 {% endfor %}
+{% if (ands_openshift_gid_mode | default('')) == "RunAsAny" %}
+ fsGroup: {{ gid_range[0] }}
+{% endif %}
 {% if (kaas_project_config.run_pods_as is defined) %}
 {% if ((kaas_project_config.uids | default(kaas_openshift_uids))[kaas_project_config.run_pods_as] is defined) %}
 runAsUser: {{ (kaas_project_config.uids | default(kaas_openshift_uids))[kaas_project_config.run_pods_as].id }}
diff --git a/setup/projects/kaas/vars/volumes.yml b/setup/projects/kaas/vars/volumes.yml
index 3554aa6..cf9c697 100644
--- a/setup/projects/kaas/vars/volumes.yml
+++ b/setup/projects/kaas/vars/volumes.yml
@@ -1,10 +1,11 @@
-gids:
- kaas: { id: 4000 }
+#defined globaly
+#gids:
+# kaas: { id: 4000 }
 files:
- - { osv: "data", path: "/www", state: "directory", group: "kaas", mode: "0775" }
- - { osv: "etc", path: "/apache2", state: "directory", group: "kaas", mode: "0775" }
- - { osv: "tmp", path: "/apache2", state: "directory", group: "kaas", mode: "0775" }
+ - { osv: "data", path: "/www", state: "directory", group: "kaas", mode: "02775" }
+ - { osv: "etc", path: "/apache2", state: "directory", group: "kaas", mode: "02775" }
+ - { osv: "tmp", path: "/apache2", state: "directory", group: "kaas", mode: "02775" }
 #resync: true
 sync_set_gid: kaas
diff --git a/setup/projects/katrin/vars/volumes.yml b/setup/projects/katrin/vars/volumes.yml
index ca22a28..3b53bb3 100644
--- a/setup/projects/katrin/vars/volumes.yml
+++ b/setup/projects/katrin/vars/volumes.yml
@@ -5,7 +5,7 @@ extra_volumes:
 katrin: { volume: "katrin_data", path: "/", capacity: "40Ti", write: true }
 files:
- - { osv: "katrin", path: "/", state: "directory", group: "katrin", mode: "0775" }
+ - { osv: "katrin", path: "/", state: "directory", group: "katrin", mode: "02775" }
 #resync: true
 #sync_set_gid: katrin
-- cgit v1.2.1
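Review bot: The 40-kaas-manager hunk writes `fsGroup: {{ gid_range[0] }}` from the raw split string, whereas the supplementalGroups entry just above casts with `(gid_range[0] | int)`; `fsGroup: {{ gid_range[0] | int }}` renders the same for a well-formed range but makes the numeric expectation explicit and consistent with the line above. It also pins fsGroup to the first gid of the project range, which the security.yml comments in this same commit say project groups should leave unused (adei now starts at 6001); presumably that is deliberate for the manager, which enumerates the whole range, and a comment such as `{# the manager owns the whole range, so the reserved first gid is its fsGroup #}` would keep the next reader from treating it as a mistake. The enclosing securityContext starts before the hunk.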