fix: dragonfly cannot start due to disk permissions (#437)

Describe the pull request This pull request addresses an issue preventing Dragonfly from starting due to disk permission errors. The fix involves modifying the disk permission settings, allowing Dragonfly to access the necessary resources and launch as expected. **Checklist** - [x] I have linked the relative issue to this pull request - [x] I have made the modifications or added tests related to my PR - [x] I have added/updated the documentation for my RP - [x] I put my PR in Ready for Review only when all the checklist is checked **Breaking changes ?** no
42atomys · May 23, 2023 · f49eb31 · f49eb31
1 parent 4442a58
commit f49eb31
Show file tree

Hide file tree

Showing 6 changed files with 124 additions and 0 deletions.
diff --git a/deploy/modules/service/cronjob.tf b/deploy/modules/service/cronjob.tf
@@ -77,6 +77,35 @@ resource "kubernetes_cron_job" "app" {
               }
             }
 
+            dynamic "init_container" {
+              for_each = { for k, v in var.volumeMounts : k => v if var.fixPermissions == true && v.readOnly == false }
+
+              content {
+                name  = "fix-permissions-${init_container.key}"
+                image = "busybox"
+                command = [
+                  "chown",
+                  "-R",
+                  "${var.containerSecurityContext.runAsUser}:${var.containerSecurityContext.runAsGroup}",
+                  init_container.value.mountPath,
+                ]
+
+                security_context {
+                  run_as_group    = 0
+                  run_as_user     = 0
+                  run_as_non_root = false
+                }
+
+                volume_mount {
+                  name              = init_container.value.volumeName
+                  mount_path        = init_container.value.mountPath
+                  read_only         = lookup(init_container.value, "readOnly", false)
+                  sub_path          = lookup(init_container.value, "subPath", null)
+                  mount_propagation = lookup(init_container.value, "mountPropagation", null)
+                }
+              }
+            }
+
             security_context {
               run_as_user         = lookup(var.podSecurityContext, "runAsUser", 1000)
               run_as_group        = lookup(var.podSecurityContext, "runAsGroup", 1000)

diff --git a/deploy/modules/service/deamonset.tf b/deploy/modules/service/deamonset.tf
@@ -62,6 +62,35 @@ resource "kubernetes_daemonset" "app" {
           }
         }
 
+        dynamic "init_container" {
+          for_each = { for k, v in var.volumeMounts : k => v if var.fixPermissions == true && v.readOnly == false }
+
+          content {
+            name  = "fix-permissions-${init_container.key}"
+            image = "busybox"
+            command = [
+              "chown",
+              "-R",
+              "${var.containerSecurityContext.runAsUser}:${var.containerSecurityContext.runAsGroup}",
+              init_container.value.mountPath,
+            ]
+
+            security_context {
+              run_as_group    = 0
+              run_as_user     = 0
+              run_as_non_root = false
+            }
+
+            volume_mount {
+              name              = init_container.value.volumeName
+              mount_path        = init_container.value.mountPath
+              read_only         = lookup(init_container.value, "readOnly", false)
+              sub_path          = lookup(init_container.value, "subPath", null)
+              mount_propagation = lookup(init_container.value, "mountPropagation", null)
+            }
+          }
+        }
+
         security_context {
           run_as_user         = lookup(var.podSecurityContext, "runAsUser", 1000)
           run_as_group        = lookup(var.podSecurityContext, "runAsGroup", 1000)

diff --git a/deploy/modules/service/deployment.tf b/deploy/modules/service/deployment.tf
@@ -64,6 +64,35 @@ resource "kubernetes_deployment" "app" {
           }
         }
 
+        dynamic "init_container" {
+          for_each = { for k, v in var.volumeMounts : k => v if var.fixPermissions == true && v.readOnly == false }
+
+          content {
+            name  = "fix-permissions-${init_container.key}"
+            image = "busybox"
+            command = [
+              "chown",
+              "-R",
+              "${var.containerSecurityContext.runAsUser}:${var.containerSecurityContext.runAsGroup}",
+              init_container.value.mountPath,
+            ]
+
+            security_context {
+              run_as_group    = 0
+              run_as_user     = 0
+              run_as_non_root = false
+            }
+
+            volume_mount {
+              name              = init_container.value.volumeName
+              mount_path        = init_container.value.mountPath
+              read_only         = lookup(init_container.value, "readOnly", false)
+              sub_path          = lookup(init_container.value, "subPath", null)
+              mount_propagation = lookup(init_container.value, "mountPropagation", null)
+            }
+          }
+        }
+
         security_context {
           run_as_user         = lookup(var.podSecurityContext, "runAsUser", 1000)
           run_as_group        = lookup(var.podSecurityContext, "runAsGroup", 1000)

diff --git a/deploy/modules/service/statefulset.tf b/deploy/modules/service/statefulset.tf
@@ -70,6 +70,35 @@ resource "kubernetes_stateful_set" "app" {
           }
         }
 
+        dynamic "init_container" {
+          for_each = { for k, v in var.volumeMounts : k => v if var.fixPermissions == true && v.readOnly == false }
+
+          content {
+            name  = "fix-permissions-${init_container.key}"
+            image = "busybox"
+            command = [
+              "chown",
+              "-R",
+              "${var.containerSecurityContext.runAsUser}:${var.containerSecurityContext.runAsGroup}",
+              init_container.value.mountPath,
+            ]
+
+            security_context {
+              run_as_group    = 0
+              run_as_user     = 0
+              run_as_non_root = false
+            }
+
+            volume_mount {
+              name              = init_container.value.volumeName
+              mount_path        = init_container.value.mountPath
+              read_only         = lookup(init_container.value, "readOnly", false)
+              sub_path          = lookup(init_container.value, "subPath", null)
+              mount_propagation = lookup(init_container.value, "mountPropagation", null)
+            }
+          }
+        }
+
         security_context {
           run_as_user         = lookup(var.podSecurityContext, "runAsUser", 1000)
           run_as_group        = lookup(var.podSecurityContext, "runAsGroup", 1000)

diff --git a/deploy/modules/service/variables.tf b/deploy/modules/service/variables.tf
@@ -654,3 +654,9 @@ variable "serviceType" {
     error_message = "serviceType must be one of ClusterIP, NodePort or LoadBalancer"
   }
 }
+
+variable "fixPermissions" {
+  type        = bool
+  description = "Fix permissions of the mounted volumes (start an init container as root to chown the volumes)"
+  default     = false
+}
diff --git a/deploy/stacks/apps/s42/storages.tf b/deploy/stacks/apps/s42/storages.tf
@@ -249,6 +249,8 @@ module "dragonfly" {
   replicas             = 1
   maxUnavailable       = 0
 
+  fixPermissions = true
+
   prometheus = {
     enabled = true
     port    = 6379