Unable to set fsGroup other than 1000 in helm chart #338

Open
opened 2022-07-10 15:56:07 +00:00 by justusbunsi · 3 comments
justusbunsi commented 2022-07-10 15:56:07 +00:00 (Migrated from gitea.com)

Re-post from GitHub: https://github.com/go-gitea/gitea/issues/19138.

Switching UID and GID is not possible either.

nmasse-itix commented 2022-07-13 14:40:32 +00:00 (Migrated from gitea.com)

Hello,

The workaround found by tgckpg is correct (create a pvc and mount it to /var/lib/gitea). This is a common challenge when running container images with arbitrary user id.

There are (at least) four options if we want to fix this:

  1. Change the Dockerfile of Gitea to include a `chmod 777 /var/lib/gitea`
  2. Add the extra volume / volume mount in the helm chart

     ```yaml
     extraVolumes:
       - name: var-lib-gitea
         persistentVolumeClaim:
           claimName: var-lib-gitea

     # additional volumes to mount, both to the init container and to the main
     # container. As an example, can be used to mount a client cert when connecting
     # to an external Postgres server.
     extraVolumeMounts:
       - name: var-lib-gitea
         mountPath: "/var/lib/gitea"
     ```

  3. Set the home environment variable in the helm chart (this is my current setup)

     ```yaml
     statefulset:
       env:
       # Override the home directory of the git user since the default one
       # (/var/lib/gitea/git) is not writable.
       - name: HOME
         value: /data/git
     ```

  4. Do nothing and just document the workaround

What are your views on this?

pat-s commented 2023-11-15 18:54:45 +00:00 (Migrated from gitea.com)

I just debugged this a bit:

  • `$HOME` in the helm chart (w rootless img) is actually `/data/gitea/git` by default, not `var/lib/gitea/git` (vanilla docker image)
  • On a fresh Gitea instance in k8s with chart v9.5.1 I was able to change `fsGroup` and friends, i.e. I used the following values.yml settings

```yml
podSecurityContext:
  fsGroup: 1001

containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
    add:
      - SYS_CHROOT
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 1001
  runAsNonRoot: true
  runAsUser: 1001
```

resulting in

```
id
uid=1001 gid=1001 groups=1001
```

and a healthy pod. It might be that something changed in the rootless image meanwhile (I don't have time to go through the changes) but it looks as if this is not an issue anymore.

Hence I'll close here, happy to re-open if anybody (e.g. @nmasse-itix) is still having issues here.

PS: I used 1.21-rootless.

justusbunsi commented 2023-11-16 18:49:16 +00:00 (Migrated from gitea.com)

We have hard-coded `chown 1000:1000` calls in our `init.yaml` template that are executed when using the root-based images[^1][^2], or when configuring a signing GPG key[^3] (no matter the used image).

Unfortunately, it's not as easy as replacing them with `${UID}:${GID}`.

I've tried with this diff:
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 0843da5..853b7e5 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -100,6 +100,21 @@ storageClassName: {{ $storageClass | quote }}
 {{- end }}
 {{- end -}}
 
+{{- define "gitea.securityContext.userIdAndGroupId" -}}
+{{- $podUser := default "" (.Values.podSecurityContext.runAsUser | quote) }}
+{{- $podGroup := default "" (.Values.podSecurityContext.runAsGroup | quote) }}
+{{- $containerUser := default "" (.Values.containerSecurityContext.runAsUser | quote) }}
+{{- $containerGroup := default "" (.Values.containerSecurityContext.runAsGroup | quote) }}
+{{- if or (ne $podUser "") (ne $containerUser "") }}
+- name: UID
+  value: {{ default $podUser $containerUser }}
+{{- end }}
+{{- if or (ne $podGroup "") (ne $containerGroup "") }}
+- name: GID
+  value: {{ default $podGroup $containerGroup }}
+{{- end }}
+{{- end -}}
+
 {{/*
 Common labels
 */}}
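Review bot: the helper derives `UID`/`GID` only from `runAsUser`/`runAsGroup` and emits nothing when neither the pod nor the container security context sets them, which is exactly the chart's default state for the root-based image; the `chown ${UID}:${GID}` it feeds in `init.yaml` then expands with empty ids. Consider defaulting to the previous `1000` inside the helper, e.g. `value: {{ default "1000" (default $podUser $containerUser) }}`, and, since this issue is about `fsGroup`, falling back to `.Values.podSecurityContext.fsGroup` for the group before that default.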
diff --git a/templates/gitea/deployment.yaml b/templates/gitea/deployment.yaml
index 247a560..240091e 100644
--- a/templates/gitea/deployment.yaml
+++ b/templates/gitea/deployment.yaml
@@ -75,6 +75,7 @@ spec:
             - name: GNUPGHOME
               value: {{ .Values.signing.gpgHome }}
             {{- end }}
+            {{- include "gitea.securityContext.userIdAndGroupId" . | nindent 12 }}
           volumeMounts:
             - name: init
               mountPath: /usr/sbin
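Review bot: the include lands in the env list of the container that mounts the `init` script (the context ends at `volumeMounts: - name: init`), so only the init container learns the chosen ids. The main Gitea container's own user setup is untouched by this diff, so the ownership the init script applies may not match the account the server later runs as; either add the same include to the main container's env or document that both must be kept in sync. Also, the helper's output starts with a newline, so `nindent 12` renders a leading blank line; harmless, but `| trim | nindent 12` keeps the manifest tidy.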
diff --git a/templates/gitea/init.yaml b/templates/gitea/init.yaml
index f07f1a5..feee679 100644
--- a/templates/gitea/init.yaml
+++ b/templates/gitea/init.yaml
@@ -27,7 +27,7 @@ stringData:
     set -x
 
     {{- if not .Values.image.rootless }}
-    chown 1000:1000 /data
+    chown ${UID}:${GID} /data
     {{- end }}
     mkdir -p /data/git/.ssh
     chmod -R 700 /data/git/.ssh
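Review bot: `chown ${UID}:${GID} /data` is unquoted and has no fallback, so when the env entries are absent (the helper emits them only when a `runAsUser`/`runAsGroup` is set) this becomes `chown : /data` and fails; the visible context shows `set -x` but no `set -e`, so the failure would be logged and then passed over. Use `chown "${UID:-1000}:${GID:-1000}" /data`. Note too that bash treats `UID` as a read-only variable initialised from the real uid and does not import it from the environment, so if this script is ever executed by bash the value will be the init container's own uid rather than the chart's; a chart-specific name such as `GITEA_UID`/`GITEA_GID` avoids that trap.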
@@ -36,7 +36,7 @@ stringData:
     # prepare temp directory structure
     mkdir -p "${GITEA_TEMP}"
     {{- if not .Values.image.rootless }}
-    chown 1000:1000 "${GITEA_TEMP}"
+    chown ${UID}:${GID} "${GITEA_TEMP}"
     {{- end }}
     chmod ug+rwx "${GITEA_TEMP}"
 
@@ -44,7 +44,7 @@ stringData:
     if [ ! -d "${GNUPGHOME}" ]; then
       mkdir -p "${GNUPGHOME}"
       chmod 700 "${GNUPGHOME}"
-      chown 1000:1000 "${GNUPGHOME}"
+      chown ${UID}:${GID} "${GNUPGHOME}"
     fi
     {{- end }}
 
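Review bot: unlike the two `chown` calls above, this one is not guarded by `{{- if not .Values.image.rootless }}` (the `{{- end }}` here closes the signing block), so under the rootless image an unprivileged init process is asked to chown `${GNUPGHOME}` to whatever ids were passed in, which fails with EPERM whenever they differ from its own. Guard it the same way, or skip the chown when `id -u`/`id -g` already equal the target ids.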
diff --git a/values.yaml b/values.yaml
index b6712e7..e1fb519 100644
--- a/values.yaml
+++ b/values.yaml
@@ -50,8 +50,8 @@ image:
   # Overrides the image tag whose default is the chart appVersion.
   tag: ""
   digest: ""
-  pullPolicy: Always
-  rootless: true
+  pullPolicy: IfNotPresent
+  rootless: false
   fullOverride: ""
 
 ## @param imagePullSecrets Secret to use for pulling the image
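Review bot: changing `pullPolicy` from `Always` to `IfNotPresent` and `rootless` from `true` to `false` flips chart defaults that are unrelated to the UID/GID handling and read like local test settings; drop them from this diff (or split the `rootless` default into its own discussion), because shipping `rootless: false` changes which image every existing user pulls on upgrade.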
@@ -61,10 +61,20 @@ imagePullSecrets: []
 # Security context is only usable with rootless image due to image design
 ## @param podSecurityContext.fsGroup Set the shared file system group for all containers in the pod.
 podSecurityContext:
-  fsGroup: 1000
-
-## @param containerSecurityContext Security context
-containerSecurityContext: {}
+  fsGroup: 1001
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - ALL
+    add:
+      - SYS_CHROOT
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 1001
+  runAsNonRoot: true
+  runAsUser: 1001
 #   allowPrivilegeEscalation: false
 #   capabilities:
 #     drop:
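Review bot: this hunk removes the `## @param containerSecurityContext Security context` doc comment and replaces the empty default with a full, hard-coded `1001` context, while leaving the old commented-out example (`#   allowPrivilegeEscalation: false` and following lines) directly below it, so the values file now carries the same keys twice. The comment just above, `Security context is only usable with rootless image due to image design`, also contradicts the `rootless: false` default set in the previous hunk. Keep `containerSecurityContext: {}` as the shipped default (the `1001` values belong in a test values file), restore the `@param` line, and remove the stale commented block.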

[^1]: https://gitea.com/gitea/helm-chart/src/commit/7eea1acf057b9c5ae957d4e0565fae8ef57ccf30/templates/gitea/init.yaml#L30
[^2]: https://gitea.com/gitea/helm-chart/src/commit/7eea1acf057b9c5ae957d4e0565fae8ef57ccf30/templates/gitea/init.yaml#L39
[^3]: https://gitea.com/gitea/helm-chart/src/commit/7eea1acf057b9c5ae957d4e0565fae8ef57ccf30/templates/gitea/init.yaml#L47
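The thread above turns on one init-script detail: a hard-coded `chown 1000:1000` that has to become configurable without breaking the rootless image, where the init container is not root and cannot chown to anyone else. The following is an added example, not code from the Gitea helm chart or from anyone in this thread, showing how that ownership step can honour a configured uid/gid while degrading safely. It assumes (my choice, not the chart's) that the ids arrive as `GITEA_UID`/`GITEA_GID` rather than `UID`/`GID`, that the historical `1000:1000` remains the fallback, and that `stat -c` is available (GNU coreutils or busybox).

```shell
#!/bin/sh
# Added example (not the gitea helm chart's init script): configurable
# ownership for a data directory with safe fallbacks.
#
# Assumptions, not from the thread: ids are passed as GITEA_UID/GITEA_GID
# (bash does not import a variable named UID from the environment),
# the default stays 1000:1000, and `stat -c` exists (coreutils/busybox).

# Resolve the target owner as "uid:gid", falling back to 1000:1000 so an
# unset value never produces a malformed `chown :` call.
resolve_owner() {
    printf '%s:%s\n' "${GITEA_UID:-1000}" "${GITEA_GID:-1000}"
}

# Print the current owner of a path as "uid:gid".
current_owner() {
    stat -c '%u:%g' "$1"
}

# Decide whether a chown is needed at all: exit 0 when the owner already
# matches the target, 1 otherwise.
owner_matches() {
    [ "$(current_owner "$1")" = "$(resolve_owner)" ]
}

# Apply ownership only when it differs and only when this process can:
# an unprivileged init container (rootless image) can only own what it
# already owns, so attempting chown there would just fail with EPERM.
# Exit 0 when the path ends up with the right owner, 1 when a non-root
# process finds it owned by the wrong id (the operator must fix the
# volume or the security context; the script cannot).
ensure_owner() {
    path=$1
    if owner_matches "$path"; then
        return 0
    fi
    if [ "$(id -u)" -eq 0 ]; then
        # Non-recursive, matching the chart's `chown 1000:1000 /data`.
        chown "$(resolve_owner)" "$path"
        return $?
    fi
    echo "skip: not root, cannot chown $path to $(resolve_owner)" \
         "(currently $(current_owner "$path"))" >&2
    return 1
}

# Stand-alone usage (constructed): `GITEA_UID=1001 GITEA_GID=1001 sh init-owner.sh /data`
if [ -n "${1:-}" ]; then
    ensure_owner "$1"
fi
```

Run as root with the configured ids it behaves like the chart's `chown`; run as an unprivileged user whose ids match the configuration it is a no-op; the one combination that cannot be made to work (unprivileged process, mismatched ids) is reported instead of silently failing inside `set -x` output.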
Reference: lunny/helm-chart#338