Fix solr security context #33
@gislab-augsburg could you try using
@klml @gislab-augsburg In OpenShift everything is owned by root, right?

```yaml
# -- [k8s: Security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
podSecurityContext:
  runAsUser: 0
  runAsGroup: 0
  fsGroup: 0
```

No, the exact opposite. OpenShift assigns arbitrary UIDs higher than 1000.
OK, thx. Then my proposal from before is probably not an option.
This could be another option worth testing:

```yaml
# -- [k8s: Security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
podSecurityContext:
  runAsUser: ""
  runAsGroup: ""
  fsGroup: ""
```

The problem is that the solr volume for persisting data is not owned by the correct user (which is set in the solr base image to UID 8983).
So we could resolve this by implementing the same mechanism as in #32 and use an
I solved it as described above. @gislab-augsburg forget about testing the securityContext. But please try out the new approach with initContainer, just like we did for ckan in #32.
We need to revert 313c09c in #24, as it breaks deployment of the chart (solr) due to file permission issues.
@eidottermihi @klml Is it possible to simply overwrite the defaults at deploytime? Most people don't use OpenShift and I want to keep the default set to values that work for most people. If it's just a config change for you, that would not hurt too much, right?
Have you tried:
With latest `helm` version, even this might work now: