Change group owner of mnesia dir to 999

Relates to #234 Otherwise, the RabbitMQ process can't write the pid file into the /var/lib/rabbitmq/mnesia/ directory on OpenShift due to permissions denied. Before this commit, mnesia dir was owned by user root and group root. On OpenShift, mnesia did not have rwx bits for everyone due to stricter security constraints: drwxrwx---. 2 root root 6 Aug 20 10:03 mnesia
rabbitmq · Sep 3, 2020 · 04f1933 · 04f1933
1 parent a235ccd
commit 04f1933
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 7 deletions.
diff --git a/internal/resource/statefulset.go b/internal/resource/statefulset.go
@@ -512,6 +512,22 @@ func (builder *StatefulSetBuilder) podTemplateSpec(annotations, labels map[strin
 						},
 					},
 				},
+				{
+					Name:  "mnesia-group-changer",
+					Image: "alpine",
+					SecurityContext: &corev1.SecurityContext{
+						RunAsUser: pointer.Int64Ptr(0),
+					},
+					VolumeMounts: []corev1.VolumeMount{
+						{
+							Name:      "persistence",
+							MountPath: "/var/lib/rabbitmq/mnesia/",
+						},
+					},
+					Command: []string{
+						"sh", "-c", "chgrp 999 /var/lib/rabbitmq/mnesia/",
+					},
+				},
 			},
 			Volumes: volumes,
 			Containers: []corev1.Container{

diff --git a/internal/resource/statefulset_test.go b/internal/resource/statefulset_test.go
@@ -917,15 +917,15 @@ var _ = Describe("StatefulSet", func() {
 			Expect(actualProbeCommand).To(Equal([]string{"/bin/sh", "-c", "rabbitmq-diagnostics check_port_connectivity"}))
 		})
 
-		It("templates the correct InitContainer", func() {
+		It("templates the correct InitContainers", func() {
 			stsBuilder := builder.StatefulSet()
 			Expect(stsBuilder.Update(statefulSet)).To(Succeed())
 
 			initContainers := statefulSet.Spec.Template.Spec.InitContainers
-			Expect(len(initContainers)).To(Equal(1))
+			Expect(initContainers).To(HaveLen(2))
 
-			container := extractContainer(initContainers, "copy-config")
-			Expect(container.Command).To(Equal([]string{
+			copyContainer := extractContainer(initContainers, "copy-config")
+			Expect(copyContainer.Command).To(Equal([]string{
 				"sh", "-c", "cp /tmp/rabbitmq/rabbitmq.conf /etc/rabbitmq/rabbitmq.conf && echo '' >> /etc/rabbitmq/rabbitmq.conf ; " +
 					"cp /tmp/rabbitmq/advanced.config /etc/rabbitmq/advanced.config ; " +
 					"cp /tmp/rabbitmq/rabbitmq-env.conf /etc/rabbitmq/rabbitmq-env.conf ; " +
@@ -935,8 +935,7 @@ var _ = Describe("StatefulSet", func() {
 					"cp /tmp/rabbitmq-plugins/enabled_plugins /etc/rabbitmq/enabled_plugins " +
 					"&& chown 999:999 /etc/rabbitmq/enabled_plugins",
 			}))
-
-			Expect(container.VolumeMounts).Should(ConsistOf(
+			Expect(copyContainer.VolumeMounts).To(ConsistOf(
 				corev1.VolumeMount{
 					Name:      "server-conf",
 					MountPath: "/tmp/rabbitmq/",
@@ -959,8 +958,18 @@ var _ = Describe("StatefulSet", func() {
 					MountPath: "/tmp/erlang-cookie-secret/",
 				},
 			))
+			Expect(copyContainer.Image).To(Equal("rabbitmq-image-from-cr"))
 
-			Expect(container.Image).To(Equal("rabbitmq-image-from-cr"))
+			groupChangeContainer := extractContainer(initContainers, "mnesia-group-changer")
+			Expect(groupChangeContainer.Command).To(ConsistOf("sh", "-c", "chgrp 999 /var/lib/rabbitmq/mnesia/"))
+			Expect(groupChangeContainer.VolumeMounts).To(ConsistOf(
+				corev1.VolumeMount{
+					Name:      "persistence",
+					MountPath: "/var/lib/rabbitmq/mnesia/",
+				},
+			))
+			Expect(groupChangeContainer.Image).To(Equal("alpine"))
+			Expect(groupChangeContainer.SecurityContext.RunAsUser).To(Equal(pointer.Int64Ptr(0)))
 		})
 
 		It("adds the required terminationGracePeriodSeconds", func() {