fix: dragonfly cannot start due to disk permissions (#437)

42atomys · web-flow · commit f49eb31a926c · 2023-05-24T01:38:28.000+02:00
Describe the pull request

This pull request addresses an issue preventing Dragonfly from starting
due to disk permission errors. The fix involves modifying the disk
permission settings, allowing Dragonfly to access the necessary
resources and launch as expected.

**Checklist**

- [x] I have linked the relative issue to this pull request
- [x] I have made the modifications or added tests related to my PR
- [x] I have added/updated the documentation for my RP
- [x] I put my PR in Ready for Review only when all the checklist is
checked

**Breaking changes ?**
no
diff --git a/deploy/modules/service/cronjob.tf b/deploy/modules/service/cronjob.tf
@@ -77,6 +77,35 @@ resource "kubernetes_cron_job" "app" {
               }
             }
 
+            dynamic "init_container" {
+              for_each = { for k, v in var.volumeMounts : k => v if var.fixPermissions == true && v.readOnly == false }
+
+              content {
+                name  = "fix-permissions-${init_container.key}"
+                image = "busybox"
+                command = [
+                  "chown",
+                  "-R",
+                  "${var.containerSecurityContext.runAsUser}:${var.containerSecurityContext.runAsGroup}",
+                  init_container.value.mountPath,
+                ]
+
+                security_context {
+                  run_as_group    = 0
+                  run_as_user     = 0
+                  run_as_non_root = false
+                }
+
+                volume_mount {
+                  name              = init_container.value.volumeName
+                  mount_path        = init_container.value.mountPath
+                  read_only         = lookup(init_container.value, "readOnly", false)
+                  sub_path          = lookup(init_container.value, "subPath", null)
+                  mount_propagation = lookup(init_container.value, "mountPropagation", null)
+                }
+              }
+            }
+
             security_context {
               run_as_user         = lookup(var.podSecurityContext, "runAsUser", 1000)
               run_as_group        = lookup(var.podSecurityContext, "runAsGroup", 1000)
diff --git a/deploy/modules/service/deamonset.tf b/deploy/modules/service/deamonset.tf
@@ -62,6 +62,35 @@ resource "kubernetes_daemonset" "app" {
           }
         }
 
+        dynamic "init_container" {
+          for_each = { for k, v in var.volumeMounts : k => v if var.fixPermissions == true && v.readOnly == false }
+
+          content {
+            name  = "fix-permissions-${init_container.key}"
+            image = "busybox"
+            command = [
+              "chown",
+              "-R",
+              "${var.containerSecurityContext.runAsUser}:${var.containerSecurityContext.runAsGroup}",
+              init_container.value.mountPath,
+            ]
+
+            security_context {
+              run_as_group    = 0
+              run_as_user     = 0
+              run_as_non_root = false
+            }
+
+            volume_mount {
+              name              = init_container.value.volumeName
+              mount_path        = init_container.value.mountPath
+              read_only         = lookup(init_container.value, "readOnly", false)
+              sub_path          = lookup(init_container.value, "subPath", null)
+              mount_propagation = lookup(init_container.value, "mountPropagation", null)
+            }
+          }
+        }
+
         security_context {
           run_as_user         = lookup(var.podSecurityContext, "runAsUser", 1000)
           run_as_group        = lookup(var.podSecurityContext, "runAsGroup", 1000)
diff --git a/deploy/modules/service/deployment.tf b/deploy/modules/service/deployment.tf
@@ -64,6 +64,35 @@ resource "kubernetes_deployment" "app" {
           }
         }
 
+        dynamic "init_container" {
+          for_each = { for k, v in var.volumeMounts : k => v if var.fixPermissions == true && v.readOnly == false }
+
+          content {
+            name  = "fix-permissions-${init_container.key}"
+            image = "busybox"
+            command = [
+              "chown",
+              "-R",
+              "${var.containerSecurityContext.runAsUser}:${var.containerSecurityContext.runAsGroup}",
+              init_container.value.mountPath,
+            ]
+
+            security_context {
+              run_as_group    = 0
+              run_as_user     = 0
+              run_as_non_root = false
+            }
+
+            volume_mount {
+              name              = init_container.value.volumeName
+              mount_path        = init_container.value.mountPath
+              read_only         = lookup(init_container.value, "readOnly", false)
+              sub_path          = lookup(init_container.value, "subPath", null)
+              mount_propagation = lookup(init_container.value, "mountPropagation", null)
+            }
+          }
+        }
+
         security_context {
           run_as_user         = lookup(var.podSecurityContext, "runAsUser", 1000)
           run_as_group        = lookup(var.podSecurityContext, "runAsGroup", 1000)
diff --git a/deploy/modules/service/statefulset.tf b/deploy/modules/service/statefulset.tf
@@ -70,6 +70,35 @@ resource "kubernetes_stateful_set" "app" {
           }
         }
 
+        dynamic "init_container" {
+          for_each = { for k, v in var.volumeMounts : k => v if var.fixPermissions == true && v.readOnly == false }
+
+          content {
+            name  = "fix-permissions-${init_container.key}"
+            image = "busybox"
+            command = [
+              "chown",
+              "-R",
+              "${var.containerSecurityContext.runAsUser}:${var.containerSecurityContext.runAsGroup}",
+              init_container.value.mountPath,
+            ]
+
+            security_context {
+              run_as_group    = 0
+              run_as_user     = 0
+              run_as_non_root = false
+            }
+
+            volume_mount {
+              name              = init_container.value.volumeName
+              mount_path        = init_container.value.mountPath
+              read_only         = lookup(init_container.value, "readOnly", false)
+              sub_path          = lookup(init_container.value, "subPath", null)
+              mount_propagation = lookup(init_container.value, "mountPropagation", null)
+            }
+          }
+        }
+
         security_context {
           run_as_user         = lookup(var.podSecurityContext, "runAsUser", 1000)
           run_as_group        = lookup(var.podSecurityContext, "runAsGroup", 1000)
diff --git a/deploy/modules/service/variables.tf b/deploy/modules/service/variables.tf
@@ -654,3 +654,9 @@ variable "serviceType" {
     error_message = "serviceType must be one of ClusterIP, NodePort or LoadBalancer"
   }
 }
+
+variable "fixPermissions" {
+  type        = bool
+  description = "Fix permissions of the mounted volumes (start an init container as root to chown the volumes)"
+  default     = false
+}
diff --git a/deploy/stacks/apps/s42/storages.tf b/deploy/stacks/apps/s42/storages.tf
@@ -249,6 +249,8 @@ module "dragonfly" {
   replicas             = 1
   maxUnavailable       = 0
 
+  fixPermissions = true
+
   prometheus = {
     enabled = true
     port    = 6379

Original file line number	Diff line number	Diff line change
`@@ -654,3 +654,9 @@ variable "serviceType" {`
`654`	`654`	`error_message = "serviceType must be one of ClusterIP, NodePort or LoadBalancer"`
`655`	`655`	`}`
`656`	`656`	`}`
	`657`	`+`
	`658`	`+variable "fixPermissions" {`
	`659`	`+ type = bool`
	`660`	`+ description = "Fix permissions of the mounted volumes (start an init container as root to chown the volumes)"`
	`661`	`+ default = false`
	`662`	`+}`