Change group owner of mnesia dir to 999

Relates to #234 Otherwise, the RabbitMQ process can't write the pid file into the /var/lib/rabbitmq/mnesia/ directory on OpenShift due to permissions denied. Before this commit, mnesia dir was owned by user root and group root. On OpenShift, mnesia did not have rwx bits for everyone due to stricter security constraints: drwxrwx---. 2 root root 6 Aug 20 10:03 mnesia
rabbitmq · Sep 8, 2020 · a650146 · a650146
1 parent ccb5a4f
commit a650146
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 15 deletions.
diff --git a/internal/resource/statefulset.go b/internal/resource/statefulset.go
@@ -494,15 +494,30 @@ func (builder *StatefulSetBuilder) podTemplateSpec(annotations, labels map[strin
 				{
 					Name:  "copy-config",
 					Image: builder.Instance.Spec.Image,
+					SecurityContext: &corev1.SecurityContext{
+						RunAsUser: pointer.Int64Ptr(0),
+						Capabilities: &corev1.Capabilities{
+							Drop: []corev1.Capability{
+								// Remove default capabilities allowed by Docker except for CHOWN and FOWNER
+								"SETPCAP", "MKNOD", "AUDIT_WRITE", "NET_RAW", "DAC_OVERRIDE", "FSETID",
+								"KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP",
+							},
+						},
+					},
 					Command: []string{
-						"sh", "-c", "cp /tmp/rabbitmq/rabbitmq.conf /etc/rabbitmq/rabbitmq.conf && echo '' >> /etc/rabbitmq/rabbitmq.conf ; " +
-							"cp /tmp/rabbitmq/advanced.config /etc/rabbitmq/advanced.config ; " +
-							"cp /tmp/rabbitmq/rabbitmq-env.conf /etc/rabbitmq/rabbitmq-env.conf ; " +
+						"sh", "-c", "cp /tmp/rabbitmq/rabbitmq.conf /etc/rabbitmq/rabbitmq.conf " +
+							"&& chown 999:999 /etc/rabbitmq/rabbitmq.conf " +
+							"&& echo '' >> /etc/rabbitmq/rabbitmq.conf ; " +
+							"cp /tmp/rabbitmq/advanced.config /etc/rabbitmq/advanced.config " +
+							"&& chown 999:999 /etc/rabbitmq/advanced.config ; " +
+							"cp /tmp/rabbitmq/rabbitmq-env.conf /etc/rabbitmq/rabbitmq-env.conf " +
+							"&& chown 999:999 /etc/rabbitmq/rabbitmq-env.conf ; " +
 							"cp /tmp/erlang-cookie-secret/.erlang.cookie /var/lib/rabbitmq/.erlang.cookie " +
 							"&& chown 999:999 /var/lib/rabbitmq/.erlang.cookie " +
 							"&& chmod 600 /var/lib/rabbitmq/.erlang.cookie ; " +
 							"cp /tmp/rabbitmq-plugins/enabled_plugins /etc/rabbitmq/enabled_plugins " +
-							"&& chown 999:999 /etc/rabbitmq/enabled_plugins",
+							"&& chown 999:999 /etc/rabbitmq/enabled_plugins ; " +
+							"chgrp 999 /var/lib/rabbitmq/mnesia/",
 					},
 					Resources: corev1.ResourceRequirements{
 						Limits: map[corev1.ResourceName]k8sresource.Quantity{
@@ -535,6 +550,10 @@ func (builder *StatefulSetBuilder) podTemplateSpec(annotations, labels map[strin
 							Name:      "erlang-cookie-secret",
 							MountPath: "/tmp/erlang-cookie-secret/",
 						},
+						{
+							Name:      "persistence",
+							MountPath: "/var/lib/rabbitmq/mnesia/",
+						},
 					},
 				},
 			},

diff --git a/internal/resource/statefulset_test.go b/internal/resource/statefulset_test.go
@@ -941,19 +941,24 @@ var _ = Describe("StatefulSet", func() {
 			Expect(stsBuilder.Update(statefulSet)).To(Succeed())
 
 			initContainers := statefulSet.Spec.Template.Spec.InitContainers
-			Expect(len(initContainers)).To(Equal(1))
+			Expect(initContainers).To(HaveLen(1))
 
 			container := extractContainer(initContainers, "copy-config")
-			Expect(container.Command).To(Equal([]string{
-				"sh", "-c", "cp /tmp/rabbitmq/rabbitmq.conf /etc/rabbitmq/rabbitmq.conf && echo '' >> /etc/rabbitmq/rabbitmq.conf ; " +
-					"cp /tmp/rabbitmq/advanced.config /etc/rabbitmq/advanced.config ; " +
-					"cp /tmp/rabbitmq/rabbitmq-env.conf /etc/rabbitmq/rabbitmq-env.conf ; " +
-					"cp /tmp/erlang-cookie-secret/.erlang.cookie /var/lib/rabbitmq/.erlang.cookie " +
-					"&& chown 999:999 /var/lib/rabbitmq/.erlang.cookie " +
-					"&& chmod 600 /var/lib/rabbitmq/.erlang.cookie ; " +
-					"cp /tmp/rabbitmq-plugins/enabled_plugins /etc/rabbitmq/enabled_plugins " +
-					"&& chown 999:999 /etc/rabbitmq/enabled_plugins",
-			}))
+			Expect(container.Command).To(ConsistOf(
+				"sh", "-c", "cp /tmp/rabbitmq/rabbitmq.conf /etc/rabbitmq/rabbitmq.conf "+
+					"&& chown 999:999 /etc/rabbitmq/rabbitmq.conf "+
+					"&& echo '' >> /etc/rabbitmq/rabbitmq.conf ; "+
+					"cp /tmp/rabbitmq/advanced.config /etc/rabbitmq/advanced.config "+
+					"&& chown 999:999 /etc/rabbitmq/advanced.config ; "+
+					"cp /tmp/rabbitmq/rabbitmq-env.conf /etc/rabbitmq/rabbitmq-env.conf "+
+					"&& chown 999:999 /etc/rabbitmq/rabbitmq-env.conf ; "+
+					"cp /tmp/erlang-cookie-secret/.erlang.cookie /var/lib/rabbitmq/.erlang.cookie "+
+					"&& chown 999:999 /var/lib/rabbitmq/.erlang.cookie "+
+					"&& chmod 600 /var/lib/rabbitmq/.erlang.cookie ; "+
+					"cp /tmp/rabbitmq-plugins/enabled_plugins /etc/rabbitmq/enabled_plugins "+
+					"&& chown 999:999 /etc/rabbitmq/enabled_plugins ; "+
+					"chgrp 999 /var/lib/rabbitmq/mnesia/",
+			))
 
 			Expect(container.VolumeMounts).To(ConsistOf(
 				corev1.VolumeMount{
@@ -977,9 +982,18 @@ var _ = Describe("StatefulSet", func() {
 					Name:      "erlang-cookie-secret",
 					MountPath: "/tmp/erlang-cookie-secret/",
 				},
+				corev1.VolumeMount{
+					Name:      "persistence",
+					MountPath: "/var/lib/rabbitmq/mnesia/",
+				},
 			))
 
 			Expect(container.Image).To(Equal("rabbitmq-image-from-cr"))
+			Expect(container.SecurityContext.RunAsUser).To(Equal(pointer.Int64Ptr(0)))
+			Expect(container.SecurityContext.Capabilities.Drop).To(ConsistOf([]corev1.Capability{
+				"SETPCAP", "MKNOD", "AUDIT_WRITE", "NET_RAW", "DAC_OVERRIDE", "FSETID",
+				"KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP",
+			}))
 		})
 
 		It("adds the required terminationGracePeriodSeconds", func() {