[bitnami/elasticsearch] error on CopyTLS with OCP #30985

Open
giuliocalzolari opened this issue Dec 11, 2024 · 2 comments
Labels: elasticsearch, in-progress, tech-issues (The user has a technical issue about an application)

giuliocalzolari commented Dec 11, 2024

Name and Version

bitnami/elasticsearch 21.3.18

What architecture are you using?

amd64

What steps will reproduce the bug?

Fresh install in OCP with autogenerated TLS and sysctlImage enabled.

Are you using any custom parameters or values?

elasticsearch:
  sysctlImage:
    enabled: true
  security:
    enabled: true
    tls:
      autoGenerated: true

What is the expected behavior?

The TLS certs are copied without problems

What do you see instead?

lrwxrwxrwx. 1 root root 13 Dec 11 12:29 ca.crt -> ..data/ca.crt
lrwxrwxrwx. 1 root root 14 Dec 11 12:29 tls.crt -> ..data/tls.crt
lrwxrwxrwx. 1 root root 14 Dec 11 12:29 tls.key -> ..data/tls.key
cat: /certs/ca.crt: Permission denied
Copied /certs/ca.crt to /tmp/ca.crt
cat: /certs/tls.crt: Permission denied
Copied /certs/tls.crt to /tmp/tls.crt
cat: /certs/tls.key: Permission denied
Copied /certs/tls.key to /tmp/tls.key
All files have been copied.

Additional information

When sysctlImage.enabled: true is set on OCP, the privileged SCC must be provided; otherwise the ES sysctl initcontainer cannot be executed.
But granting the privileged SCC at the OCP level will mount the certs folder with uid 0.

  volumePermissions:
    enabled: true

does not help
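The log above shows the copy step printing "Copied ..." right after each `cat: Permission denied`, so the init container reports success while producing unusable (empty) certificate files. The function below is an added example, not the chart's own copy script: it performs the same copy but checks readability as the actual runtime uid/gid, refuses empty results, and returns non-zero so the pod fails at the init step with the owner and mode of the offending file visible. Source/destination paths and file names are assumptions taken from the log.

```shell
#!/bin/sh
# Added example, not the bitnami/elasticsearch chart's own code.
# Copy TLS material from a mounted Secret into a writable directory, failing
# closed on any source this uid/gid cannot read instead of reporting success.
# Usage: copy_tls_strict /certs /tmp ca.crt tls.crt tls.key || exit 1

copy_tls_strict() {
    src_dir="$1"
    dst_dir="$2"
    shift 2
    failed=0
    for name in "$@"; do
        src="$src_dir/$name"
        dst="$dst_dir/$name"
        # Symlinks into ..data are normal for a projected Secret volume; what
        # matters is whether the resolved target is readable by *this* user.
        # Note: root bypasses mode bits, so this check only means something
        # when run as the real non-root runtime user (1001 by default).
        if [ ! -r "$src" ]; then
            echo "ERROR: cannot read $src as uid $(id -u) gid $(id -g)" >&2
            ls -lL "$src" >&2 || true   # show owner/mode to point at SCC/fsGroup
            failed=1
            continue
        fi
        if ! cp "$src" "$dst"; then
            echo "ERROR: copy of $src to $dst failed" >&2
            failed=1
            continue
        fi
        # Refuse an empty result: an empty tls.key would only surface later
        # inside Elasticsearch with a far less obvious error.
        if [ ! -s "$dst" ]; then
            echo "ERROR: $dst is empty after copy" >&2
            rm -f "$dst"
            failed=1
            continue
        fi
        chmod 600 "$dst"
        echo "Copied $src to $dst"
    done
    return $failed
}
```

With the root-owned 0600 mount from the report, the `-r` test fails for uid 1001 and the function returns 1, so the init container exits non-zero instead of handing Elasticsearch empty files.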

@carrodher (Member) commented:
Bitnami containers are designed to operate as non-root by default. Consequently, any files or directories used by the application should be owned by the root group, as the random user (1001 by default) is a member of this root group. To ensure proper permissions, you'll need to adjust the ownership of your local directory accordingly.

For more comprehensive information about non-root containers and their significance for security, you can explore the following resources:

These references provide valuable insights into the best practices and considerations when working with non-root containers in Bitnami applications.

@giuliocalzolari (Contributor, Author) commented:
Hi @carrodher, thanks for the additional documentation. I've already reviewed most of it (before opening this issue), and it seems there is a sort of mutual exclusion between sysctlImage.enabled: true, which requires root permission, and the copyTls initcontainer, which cannot be executed if the tls secret is mounted with uid
