Change group owner of mnesia dir to 999

ansd · ansd · commit a650146fb73d · 2020-09-08T17:11:53.000+02:00
Relates to #234 Otherwise, the RabbitMQ process can't write the pid file into the /var/lib/rabbitmq/mnesia/ directory on OpenShift due to permissions denied. Before this commit, mnesia dir was owned by user root and group root. On OpenShift, mnesia did not have rwx bits for everyone due to stricter security constraints: drwxrwx---. 2 root root 6 Aug 20 10:03 mnesia
diff --git a/internal/resource/statefulset.go b/internal/resource/statefulset.go
@@ -494,15 +494,30 @@ func (builder *StatefulSetBuilder) podTemplateSpec(annotations, labels map[strin
 				{
 					Name:  "copy-config",
 					Image: builder.Instance.Spec.Image,
+					SecurityContext: &corev1.SecurityContext{
+						RunAsUser: pointer.Int64Ptr(0),
+						Capabilities: &corev1.Capabilities{
+							Drop: []corev1.Capability{
+								// Remove default capabilities allowed by Docker except for CHOWN and FOWNER
+								"SETPCAP", "MKNOD", "AUDIT_WRITE", "NET_RAW", "DAC_OVERRIDE", "FSETID",
+								"KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP",
+							},
+						},
+					},
 					Command: []string{
-						"sh", "-c", "cp /tmp/rabbitmq/rabbitmq.conf /etc/rabbitmq/rabbitmq.conf && echo '' >> /etc/rabbitmq/rabbitmq.conf ; " +
-							"cp /tmp/rabbitmq/advanced.config /etc/rabbitmq/advanced.config ; " +
-							"cp /tmp/rabbitmq/rabbitmq-env.conf /etc/rabbitmq/rabbitmq-env.conf ; " +
+						"sh", "-c", "cp /tmp/rabbitmq/rabbitmq.conf /etc/rabbitmq/rabbitmq.conf " +
+							"&& chown 999:999 /etc/rabbitmq/rabbitmq.conf " +
+							"&& echo '' >> /etc/rabbitmq/rabbitmq.conf ; " +
+							"cp /tmp/rabbitmq/advanced.config /etc/rabbitmq/advanced.config " +
+							"&& chown 999:999 /etc/rabbitmq/advanced.config ; " +
+							"cp /tmp/rabbitmq/rabbitmq-env.conf /etc/rabbitmq/rabbitmq-env.conf " +
+							"&& chown 999:999 /etc/rabbitmq/rabbitmq-env.conf ; " +
 							"cp /tmp/erlang-cookie-secret/.erlang.cookie /var/lib/rabbitmq/.erlang.cookie " +
 							"&& chown 999:999 /var/lib/rabbitmq/.erlang.cookie " +
 							"&& chmod 600 /var/lib/rabbitmq/.erlang.cookie ; " +
 							"cp /tmp/rabbitmq-plugins/enabled_plugins /etc/rabbitmq/enabled_plugins " +
-							"&& chown 999:999 /etc/rabbitmq/enabled_plugins",
+							"&& chown 999:999 /etc/rabbitmq/enabled_plugins ; " +
+							"chgrp 999 /var/lib/rabbitmq/mnesia/",
 					},
 					Resources: corev1.ResourceRequirements{
 						Limits: map[corev1.ResourceName]k8sresource.Quantity{
@@ -535,6 +550,10 @@ func (builder *StatefulSetBuilder) podTemplateSpec(annotations, labels map[strin
 							Name:      "erlang-cookie-secret",
 							MountPath: "/tmp/erlang-cookie-secret/",
 						},
+						{
+							Name:      "persistence",
+							MountPath: "/var/lib/rabbitmq/mnesia/",
+						},
 					},
 				},
 			},
diff --git a/internal/resource/statefulset_test.go b/internal/resource/statefulset_test.go
@@ -941,19 +941,24 @@ var _ = Describe("StatefulSet", func() {
 			Expect(stsBuilder.Update(statefulSet)).To(Succeed())
 
 			initContainers := statefulSet.Spec.Template.Spec.InitContainers
-			Expect(len(initContainers)).To(Equal(1))
+			Expect(initContainers).To(HaveLen(1))
 
 			container := extractContainer(initContainers, "copy-config")
-			Expect(container.Command).To(Equal([]string{
-				"sh", "-c", "cp /tmp/rabbitmq/rabbitmq.conf /etc/rabbitmq/rabbitmq.conf && echo '' >> /etc/rabbitmq/rabbitmq.conf ; " +
-					"cp /tmp/rabbitmq/advanced.config /etc/rabbitmq/advanced.config ; " +
-					"cp /tmp/rabbitmq/rabbitmq-env.conf /etc/rabbitmq/rabbitmq-env.conf ; " +
-					"cp /tmp/erlang-cookie-secret/.erlang.cookie /var/lib/rabbitmq/.erlang.cookie " +
-					"&& chown 999:999 /var/lib/rabbitmq/.erlang.cookie " +
-					"&& chmod 600 /var/lib/rabbitmq/.erlang.cookie ; " +
-					"cp /tmp/rabbitmq-plugins/enabled_plugins /etc/rabbitmq/enabled_plugins " +
-					"&& chown 999:999 /etc/rabbitmq/enabled_plugins",
-			}))
+			Expect(container.Command).To(ConsistOf(
+				"sh", "-c", "cp /tmp/rabbitmq/rabbitmq.conf /etc/rabbitmq/rabbitmq.conf "+
+					"&& chown 999:999 /etc/rabbitmq/rabbitmq.conf "+
+					"&& echo '' >> /etc/rabbitmq/rabbitmq.conf ; "+
+					"cp /tmp/rabbitmq/advanced.config /etc/rabbitmq/advanced.config "+
+					"&& chown 999:999 /etc/rabbitmq/advanced.config ; "+
+					"cp /tmp/rabbitmq/rabbitmq-env.conf /etc/rabbitmq/rabbitmq-env.conf "+
+					"&& chown 999:999 /etc/rabbitmq/rabbitmq-env.conf ; "+
+					"cp /tmp/erlang-cookie-secret/.erlang.cookie /var/lib/rabbitmq/.erlang.cookie "+
+					"&& chown 999:999 /var/lib/rabbitmq/.erlang.cookie "+
+					"&& chmod 600 /var/lib/rabbitmq/.erlang.cookie ; "+
+					"cp /tmp/rabbitmq-plugins/enabled_plugins /etc/rabbitmq/enabled_plugins "+
+					"&& chown 999:999 /etc/rabbitmq/enabled_plugins ; "+
+					"chgrp 999 /var/lib/rabbitmq/mnesia/",
+			))
 
 			Expect(container.VolumeMounts).To(ConsistOf(
 				corev1.VolumeMount{
@@ -977,9 +982,18 @@ var _ = Describe("StatefulSet", func() {
 					Name:      "erlang-cookie-secret",
 					MountPath: "/tmp/erlang-cookie-secret/",
 				},
+				corev1.VolumeMount{
+					Name:      "persistence",
+					MountPath: "/var/lib/rabbitmq/mnesia/",
+				},
 			))
 
 			Expect(container.Image).To(Equal("rabbitmq-image-from-cr"))
+			Expect(container.SecurityContext.RunAsUser).To(Equal(pointer.Int64Ptr(0)))
+			Expect(container.SecurityContext.Capabilities.Drop).To(ConsistOf([]corev1.Capability{
+				"SETPCAP", "MKNOD", "AUDIT_WRITE", "NET_RAW", "DAC_OVERRIDE", "FSETID",
+				"KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP",
+			}))
 		})
 
 		It("adds the required terminationGracePeriodSeconds", func() {
