authorSuren A. Chilingaryan <csa@suren.me>2018-03-01 21:15:50 +0100
committerSuren A. Chilingaryan <csa@suren.me>2018-03-01 21:15:50 +0100
commit69adb23c59e991ddcabf5cfce415fd8b638dbc1a (patch)
tree8693e708f751923f6f7f9dd48004303bebb4e126
parent1f3e2a9f59e83dc3f0fcbecf096a7e7b40d36ed7 (diff)
Improve handling of filesystem permissions and other fixes
-rw-r--r--roles/ands_kaas/tasks/do_project.yml2
-rw-r--r--roles/ands_kaas/tasks/file.yml8
-rw-r--r--roles/ands_kaas/tasks/project.yml7
-rw-r--r--roles/ands_kaas/tasks/sync.yml2
-rw-r--r--roles/ands_kaas/tasks/templates.yml2
-rw-r--r--roles/ands_kaas/tasks/volume.yml2
-rw-r--r--roles/ands_kaas/templates/00-gfs-volumes.yml.j213
-rw-r--r--roles/ands_kaas/templates/50-kaas-pods.yml.j217
-rw-r--r--roles/ands_openshift/tasks/security_resources.yml28
-rw-r--r--roles/openshift_resource/tasks/patch.yml10
-rw-r--r--roles/openshift_resource/tasks/resource.yml6
-rw-r--r--roles/openshift_resource/tasks/template.yml8
-rw-r--r--setup/configs/security.yml28
-rw-r--r--setup/projects/adei/templates/60-adei.yml.j217
-rw-r--r--setup/projects/adei/vars/globals.yml12
-rw-r--r--setup/projects/adei/vars/pods.yml2
-rw-r--r--setup/projects/adei/vars/volumes.yml18
-rw-r--r--setup/projects/kaas/templates/40-kaas-manager.yml.j23
-rw-r--r--setup/projects/kaas/vars/volumes.yml11
-rw-r--r--setup/projects/katrin/vars/volumes.yml2
20 files changed, 105 insertions, 93 deletions
diff --git a/roles/ands_kaas/tasks/do_project.yml b/roles/ands_kaas/tasks/do_project.yml
index 4fac6c6..5cafe25 100644
--- a/roles/ands_kaas/tasks/do_project.yml
+++ b/roles/ands_kaas/tasks/do_project.yml
@@ -43,7 +43,7 @@
include_tasks: keys.yml
# delegate_to: "{{ groups.masters[0] }}"
run_once: true
- with_dict: "{{ kaas_project_config.pods | default({}) }}"
+ with_dict: "{{ kaas_project_pods }}"
loop_control:
loop_var: pod
diff --git a/roles/ands_kaas/tasks/file.yml b/roles/ands_kaas/tasks/file.yml
index a839473..488823b 100644
--- a/roles/ands_kaas/tasks/file.yml
+++ b/roles/ands_kaas/tasks/file.yml
@@ -3,15 +3,15 @@
set_fact: group="{{ file.group | default(kaas_project_config.file_group | default(ands_default_file_group)) }}"
- name : Resolve project groups
- set_fact: group="{{ (kaas_project_config.gids | default(kaas_openshift_gids))[group].id }}"
- when: group in ( kaas_project_config.gids | default(kaas_openshift_gids) )
+ set_fact: group="{{ kaas_project_gids[group].id }}"
+ when: group in kaas_project_gids
- name: Set owner
set_fact: owner="{{ file.owner | default(kaas_project_config.file_owner | default(ands_default_file_owner)) }}"
- name : Resolve project uids
- set_fact: owner="{{ (kaas_project_config.uids | default(kaas_openshift_uids) )[owner].id }}"
- when: owner in ( kaas_project_config.uids | default(kaas_openshift_uids) )
+ set_fact: owner="{{ kaas_project_uids[owner].id }}"
+ when: owner in kaas_project_uids
- name: "Setting up files in {{ path }}"
file:
diff --git a/roles/ands_kaas/tasks/project.yml b/roles/ands_kaas/tasks/project.yml
index f7eb1df..b8574cf 100644
--- a/roles/ands_kaas/tasks/project.yml
+++ b/roles/ands_kaas/tasks/project.yml
@@ -28,5 +28,8 @@
- include_tasks: do_project.yml
vars:
var_name: "var_{{kaas_project}}_config"
- kaas_project_config: "{{ hostvars[inventory_hostname][var_name] }}"
- kaas_project_volumes: "{{ kaas_project_config.volumes | default(kaas_project_config.extra_volumes | default({}) | combine(kaas_openshift_volumes)) }}" \ No newline at end of file
+ kaas_project_config: "{{ hostvars[inventory_hostname][var_name] }}"
+ kaas_project_volumes: "{{ kaas_project_config.volumes | default(kaas_project_config.extra_volumes | default({}) | combine(kaas_openshift_volumes)) }}"
+ kaas_project_pods: "{{ kaas_project_config.pods | default({}) }}"
+ kaas_project_gids: "{{ kaas_project_config.gids | default(kaas_openshift_gids) }}"
+ kaas_project_uids: "{{ kaas_project_config.uids | default(kaas_openshift_uids) }}"
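Review bot: The new `kaas_project_gids` and `kaas_project_uids` are built with `default(...)`, so a project that declares its own `gids` or `uids` block (as adei does) replaces the global `kaas_openshift_gids`/`kaas_openshift_uids` map entirely instead of extending it, and a pod or file entry in that project referring to a globally defined name such as `kaas` no longer resolves to a numeric id. If a per-project override on top of the global map is what is wanted, `kaas_project_gids: "{{ kaas_openshift_gids | combine(kaas_project_config.gids | default({})) }}"` (and the same shape for uids) keeps both visible with the project winning on conflicts. If full replacement is the intent, a one-line comment saying so would stop the next maintainer from assuming inheritance.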
diff --git a/roles/ands_kaas/tasks/sync.yml b/roles/ands_kaas/tasks/sync.yml
index a4febe7..8caefe9 100644
--- a/roles/ands_kaas/tasks/sync.yml
+++ b/roles/ands_kaas/tasks/sync.yml
@@ -11,7 +11,7 @@
- name: "Ensure the data is writeable by project pods"
vars:
grp: "{{ kaas_project_config.sync_set_gid }}"
- gid: "{{ ((kaas_project_config.gids | default(kaas_openshift_gids))[grp] is defined) | ternary((kaas_project_config.gids | default(kaas_openshift_gids))[grp].id, grp) }}"
+ gid: "{{ (kaas_project_gids[grp] is defined) | ternary(kaas_project_gids[grp].id, grp) }}"
file:
path: "{{ remote_path }}"
state: "directory"
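Review bot: The `ternary` on the new `gid:` line evaluates both of its arguments before choosing, so `kaas_project_gids[grp].id` is dereferenced even when `grp` is not a key in the map; with the strict undefined type Ansible's Jinja environment uses, attribute access on an undefined value raises, so the fallback to the literal `grp` would never be reached and the task fails instead (this depends on the Jinja/Ansible version in use, so worth confirming with a gid that is not in the map). A form that only touches `.id` on a real mapping keeps the fallback working: `gid: "{{ (kaas_project_gids[grp] | default({})).id | default(grp) }}"`. The `file:` task continues past the end of the hunk.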
diff --git a/roles/ands_kaas/tasks/templates.yml b/roles/ands_kaas/tasks/templates.yml
index 2de4fad..9fc378f 100644
--- a/roles/ands_kaas/tasks/templates.yml
+++ b/roles/ands_kaas/tasks/templates.yml
@@ -4,7 +4,7 @@
command: "echo {{ item | quote }}"
register: results
changed_when: false
- when: (kaas_project_config.pods | default([]) | length > 0) or not (item | regex_search('kaas-pods'))
+ when: (kaas_project_pods | length > 0) or not (item | regex_search('kaas-pods'))
with_fileglob:
- "{{ role_path }}/templates/{{ kaas_template_glob | default('*') }}.j2"
- "{{ kaas_project_path }}/templates/{{ kaas_template_glob | default('*') }}.j2"
diff --git a/roles/ands_kaas/tasks/volume.yml b/roles/ands_kaas/tasks/volume.yml
index ff51fb0..783654a 100644
--- a/roles/ands_kaas/tasks/volume.yml
+++ b/roles/ands_kaas/tasks/volume.yml
@@ -16,7 +16,7 @@
path: "{{ path }}"
state: "directory"
recurse: "no"
- mode: "{{ volume.mode | default(0775) }}"
+ mode: "{{ volume.mode | default(02775) }}"
owner: "{{ volume.owner | default(kaas_project_config.file_owner) | default(kaas_default_file_owner) }}"
group: "{{ volume.group | default(kaas_project_config.file_group) | default(default_group) }}"
register: chmod
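Review bot: The new default `02775` on the `mode:` line is a bare Jinja literal, which Jinja parses as the decimal integer 2775; the rendered value is then passed on as text, and it is only because the `file` module re-reads string modes in base 8 that the setgid bit actually ends up set. Quoting the literal states the intent and removes the dependency on that round trip: `mode: "{{ volume.mode | default('02775') }}"`. Since `recurse` is `no`, the setgid bit is applied only to the top directory; files created later inherit the group, but subdirectories that already exist keep their previous mode and would need a one-off fix.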
diff --git a/roles/ands_kaas/templates/00-gfs-volumes.yml.j2 b/roles/ands_kaas/templates/00-gfs-volumes.yml.j2
index c9341ed..a69942d 100644
--- a/roles/ands_kaas/templates/00-gfs-volumes.yml.j2
+++ b/roles/ands_kaas/templates/00-gfs-volumes.yml.j2
@@ -2,18 +2,23 @@
apiVersion: v1
kind: Template
metadata:
- name:
+ name: {{ kaas_project }}-gfs-volumes
annotations:
- descriptions: "KATRIN Volumes"
+ descriptions: "{{ kaas_project }} glusterfs volumes"
objects:
{% for name, vol in kaas_project_volumes.iteritems() %}
{% set oc_name = vol.name | default(name) | regex_replace('_','-') %}
{% set cfgpath = vol.path | default("") %}
{% set path = cfgpath if cfgpath[:1] == "/" else "/" + kaas_project + "/" + cfgpath %}
+{% if oc_name | regex_search("^" + kaas_project) %}
+{% set pvname = oc_name %}
+{% else %}
+{% set pvname = (kaas_project + "-" + oc_name) | regex_replace('_','-') %}
+{% endif %}
- apiVersion: v1
kind: PersistentVolume
metadata:
- name: {{ oc_name }}
+ name: {{ pvname }}
spec:
persistentVolumeReclaimPolicy: Retain
glusterfs:
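Review bot: The PersistentVolume defined here carries no `claimRef`, so although its name is now project-prefixed, a PVC from any namespace with a compatible size and access mode can be bound to it first and thereby reach this project's GlusterFS path, because unbound PVs are matched to claims cluster-wide. Pre-binding the PV to the intended claim closes that window: `claimRef: {namespace: {{ kaas_project }}, name: {{ oc_name }}}` under `spec:`. Separately, `regex_search("^" + kaas_project)` also matches names that merely begin with the project string (`kaas` vs `kaasx`); `"^" + kaas_project + "-"` is the prefix the code is really testing for. The PV `spec` continues beyond the hunk.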
@@ -32,7 +37,7 @@ objects:
metadata:
name: {{ oc_name }}
spec:
- volumeName: {{ oc_name }}
+ volumeName: {{ pvname }}
accessModes:
- {{ vol.access | default('ReadWriteMany') }}
resources:
diff --git a/roles/ands_kaas/templates/50-kaas-pods.yml.j2 b/roles/ands_kaas/templates/50-kaas-pods.yml.j2
index 2ed7462..216dc01 100644
--- a/roles/ands_kaas/templates/50-kaas-pods.yml.j2
+++ b/roles/ands_kaas/templates/50-kaas-pods.yml.j2
@@ -7,7 +7,7 @@ metadata:
annotations:
descriptions: {{ kaas_project_config.description | default(kaas_project ~ "auto-generated pod template") }}
objects:
-{% for name, pod in (kaas_project_config.pods | default({})).iteritems() %}
+{% for name, pod in kaas_project_pods.iteritems() %}
{% set pubkey = "kaas_" ~ name ~ "_pubkey" %}
{% set privkey = "kaas_" ~ name ~ "_privkey" %}
{% set cakey = "kaas_" ~ name ~ "_ca" %}
@@ -104,20 +104,15 @@ objects:
{% if (pod.groups is defined) or (pod.run_as is defined) %}
securityContext:
{% if (pod.run_as is defined) %}
- {% if (kaas_project_config.uids | default(kaas_openshift_uids))[pod.run_as] is defined %}
- runAsUser: {{ (kaas_project_config.uids | default(kaas_openshift_uids))[pod.run_as].id }}
- {% else %}
- runAsUser: {{ pod.run_as }}
- {% endif %}
+ runAsUser: {{ (kaas_project_uids[pod.run_as] is defined) | ternary(kaas_project_uids[pod.run_as].id, pod.run_as) }}
{% endif %}
{% if (pod.groups is defined) %}
+ {% if (ands_openshift_gid_mode | default('')) == "RunAsAny" %}
+ fsGroup: {{ (kaas_project_gids[pod.groups[0]] is defined) | ternary(kaas_project_gids[pod.groups[0]].id, pod.groups[0]) }}
+ {% endif %}
supplementalGroups:
{% for group in pod.groups %}
- {% if (kaas_project_config.gids | default(kaas_openshift_gids))[group] is defined %}
- - {{ (kaas_project_config.gids | default(kaas_openshift_gids))[group].id }}
- {% else %}
- - {{ group }}
- {% endif %}
+ - {{ (kaas_project_gids[group] is defined) | ternary(kaas_project_gids[group].id, group) }}
{% endfor %}
{% endif %}
{% endif %}
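Review bot: The new `ternary(...)` expressions for `runAsUser`, `fsGroup` and `supplementalGroups` evaluate both branches eagerly, so `kaas_project_uids[pod.run_as].id` (and the gid equivalents) is dereferenced even when the key is absent; with Ansible's strict undefined that raises rather than falling through to the literal id, so the numeric-fallback path the replaced `if/else` provided is probably lost (depends on the Jinja undefined class in use). `(kaas_project_uids[pod.run_as] | default({})).id | default(pod.run_as)` keeps the fallback while still preferring the named map. Note also that a name missing from the map is emitted verbatim into fields the API expects to be integers, so the error would surface at `oc create`; a render-time check with a clear message might be friendlier.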
diff --git a/roles/ands_openshift/tasks/security_resources.yml b/roles/ands_openshift/tasks/security_resources.yml
index 5b80f1e..fd72240 100644
--- a/roles/ands_openshift/tasks/security_resources.yml
+++ b/roles/ands_openshift/tasks/security_resources.yml
@@ -1,7 +1,4 @@
---
-- name: Ensure OpenShift patch directory exists
- file: path="{{ ands_openshift_patch_path }}" state="directory" mode=0644 owner=root group=root
-
# No spaces in patch, otherwise escaping mess...
- name: Patch group range in project configuration
include_role: name="openshift_resource" tasks_from="patch.yml"
@@ -9,7 +6,6 @@
project: "{{ item.key }}"
resource: "ns/{{ item.key }}"
patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.supplemental-groups":"{{ item.value }}"}}}'
- patch_path: "{{ ands_openshift_patch_path }}"
with_dict: "{{ ands_openshift_gid_ranges | default({}) }}"
- name: Patch uid range in project configuration
@@ -18,29 +14,31 @@
project: "{{ item.key }}"
resource: "ns/{{ item.key }}"
patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.uid-range":"{{ item.value }}"}}}'
- patch_path: "{{ ands_openshift_patch_path }}"
with_dict: "{{ ands_openshift_uid_ranges | default({}) }}"
- name: Restrict supplementalGroups
include_role: name="openshift_resource" tasks_from="patch.yml"
vars:
- project: "{{ item.key }}"
+ project: "default"
resource: "scc/restricted"
- modes: "{{ ands_openshift_gid_mode | default({}) }}"
- mode: "{{ modes[item.key] | default(modes['ands_default'] | default(false)) }}"
+ mode: "{{ ands_openshift_groups_mode | default(false) }}"
patch: '{"supplementalGroups":{"type":"{{mode}}"}}'
- patch_path: "{{ ands_openshift_patch_path }}"
when: mode != false
- with_dict: "{{ ands_openshift_projects | default({}) }}"
+
+- name: Restrict fsGroup
+ include_role: name="openshift_resource" tasks_from="patch.yml"
+ vars:
+ project: "default"
+ resource: "scc/restricted"
+ mode: "{{ ands_openshift_gid_mode | default(false) }}"
+ patch: '{"fsGroup":{"type":"{{mode}}"}}'
+ when: mode != false
- name: Configure runAsUser
include_role: name="openshift_resource" tasks_from="patch.yml"
vars:
- project: "{{ item.key }}"
+ project: "default"
resource: "scc/restricted"
- modes: "{{ ands_openshift_uid_mode | default({}) }}"
- mode: "{{ modes[item.key] | default(modes['ands_default'] | default(false)) }}"
+ mode: "{{ ands_openshift_uid_mode | default(false) }}"
patch: '{"runAsUser":{"type":"{{mode}}"}}'
- patch_path: "{{ ands_openshift_patch_path }}"
when: mode != false
- with_dict: "{{ ands_openshift_projects | default({}) }}"
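Review bot: All three patches now target the built-in `scc/restricted`, which is cluster-scoped (the `-n default` has no effect on it), so a `RunAsAny` value in `ands_openshift_gid_mode` or `ands_openshift_uid_mode` relaxes the default SCC for every non-privileged pod in the cluster, not only the ands-managed projects. The safer pattern is a dedicated SCC cloned from `restricted` with the desired strategies and granted to the service accounts of the projects that need it, which also survives a later `oc adm policy reconcile-sccs` resetting the defaults. At minimum a comment above these tasks would make the trade-off deliberate: `# NOTE: scc/restricted is cluster-scoped; these patches affect every project`.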
diff --git a/roles/openshift_resource/tasks/patch.yml b/roles/openshift_resource/tasks/patch.yml
index e2bbcfa..501f692 100644
--- a/roles/openshift_resource/tasks/patch.yml
+++ b/roles/openshift_resource/tasks/patch.yml
@@ -1,10 +1,10 @@
---
-- name: Lookup the specified resource
+- name: "Lookup {{resource}} in {{project}}"
command: "oc get -n '{{project}}' '{{resource}}' -o json"
register: orig_result
changed_when: 0
-- name: Lookup API version of the specified resource
+- name: "Lookup API version of {{resource}} in {{project}}"
command: "oc get -n '{{project}}' '{{resource}}' --template {{'{{' + '.apiVersion' + '}}'}}"
register: api_version
changed_when: 0
@@ -13,14 +13,14 @@
- name: Escaping patch
set_fact: xpatch='{{patch | to_json | regex_replace(" ","") | regex_replace("^", " ")}}'
-- name: Generate dummy patch {{resource}} in {{project}}
+- name: "Generate dummy patch for {{resource}} in {{project}}"
command: "oc patch -n '{{project}}' --patch ' {\"apiVersion\": \"{{api_version.stdout}}\"}' --local=true -f - -o json"
args:
stdin: " {{ orig_result.stdout_lines | join('') }}"
register: dummy_result
changed_when: 0
-- name: Generate test patch {{resource}} in {{project}}
+- name: "Generate test patch {{resource}} in {{project}}"
command: "oc patch -n '{{project}}' --patch '{{xpatch}}' --local=true -f - -o json"
args:
stdin: " {{ orig_result.stdout_lines | join('') }}"
@@ -33,7 +33,7 @@
#- debug: msg="{{ patch_result.stdout }}"
# when: dummy_result.stdout != patch_result.stdout
-- name: Patch {{resource}} in {{project}}
+- name: "Patch {{resource}} in {{project}}"
command: "oc patch -n '{{project}}' '{{resource}}' --patch '{{xpatch}}'"
register: result
changed_when: (result | succeeded)
diff --git a/roles/openshift_resource/tasks/resource.yml b/roles/openshift_resource/tasks/resource.yml
index 4e6e7ac..87af5c9 100644
--- a/roles/openshift_resource/tasks/resource.yml
+++ b/roles/openshift_resource/tasks/resource.yml
@@ -3,20 +3,20 @@
- name: Find out which resources we are going to configure
set_fact: rkind="{{ tmpl.kind }}" rname="{{ tmpl.metadata.name }}"
- - name: "Lookup the specified resource {{rkind}}/{{rname}}"
+ - name: "Lookup the specified resource {{rkind}}/{{rname}} in {{project}}"
command: "oc get -n {{project}} {{rkind}}/{{rname}}"
register: find_result
changed_when: false
failed_when: false
- - name: "Detroy existing resources {{rkind}}/{{rname}}"
+ - name: "Detroy existing resources {{rkind}}/{{rname}} in {{project}}"
command: "oc delete -n {{project}} {{rkind}}/{{rname}}"
register: rm_result
failed_when: false
changed_when: (rm_result | succeeded)
when: (recreate|default(false))
- - name: "Create resources defined in {{ template }}"
+ - name: "Populate resources defined in {{ template }} to {{project}}"
command: "oc create -n {{project}} -f '{{ template_path }}/{{ template }}' {{ create_args | default('') }}"
when: (recreate|default(false)) or (find_result.rc != 0)
run_once: true
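Review bot: The renamed task on the `oc delete` step still reads `"Detroy existing resources ..."`; since the name is being touched anyway, `"Destroy existing resources {{rkind}}/{{rname}} in {{project}}"` fixes the typo that otherwise ends up in every run log. The surrounding block starts above the hunk.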
diff --git a/roles/openshift_resource/tasks/template.yml b/roles/openshift_resource/tasks/template.yml
index 6c9340b..7e74de4 100644
--- a/roles/openshift_resource/tasks/template.yml
+++ b/roles/openshift_resource/tasks/template.yml
@@ -5,7 +5,7 @@
vars:
query: "objects[*].{kind: kind, name: metadata.name}"
- - name: "{{ template }}: Lookup the specified resource"
+ - name: "{{ template }}: Lookup the specified resource in {{project}}"
command: "oc get -n {{project}} {{item.kind}}/{{item.name}}"
register: results
failed_when: false
@@ -13,13 +13,13 @@
with_items: "{{ resources | default([]) }}"
# when: not (recreate|default(false))
- - name: "{{ template }}: Detroy existing resources"
+ - name: "{{ template }}: Detroy existing resources in {{project}}"
command: "oc delete -n {{project}} {{resources[item|int].kind}}/{{resources[item|int].name}}"
failed_when: false
with_sequence: start=0 count="{{resources | default([]) | length}}"
when: ((recreate|default(false)) or (results | changed)) and (results.results[item|int].rc == 0)
- - name: "{{ template }}: Create resources defined"
- shell: "oc process -f '{{ template_path }}/{{template}}' {{ template_args | default('') }} | oc create -n {{project}} -f - {{ create_args | default('') }}"
+ - name: "{{ template }}: Populate resources to {{project}}"
+ shell: "oc process -n {{project}} -f '{{ template_path }}/{{template}}' {{ template_args | default('') }} | oc create -n {{project}} -f - {{ create_args | default('') }}"
when: (recreate|default(false)) or (results | changed)
run_once: true
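Review bot: The new `shell:` pipeline has no `pipefail`, so if `oc process` fails the task result is whatever `oc create -f -` reports on empty input and the original error is lost; prefixing the command with `set -o pipefail; ` together with `args: executable: /bin/bash` lets the first stage's failure surface. The values interpolated into the shell line (`project`, `template_path`, `template_args`) are unquoted; `{{ project | quote }}` is cheap insurance even though they come from inventory. The delete task name still says `"Detroy"` and should read `"Destroy"`.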
diff --git a/setup/configs/security.yml b/setup/configs/security.yml
index b870c55..22784b3 100644
--- a/setup/configs/security.yml
+++ b/setup/configs/security.yml
@@ -1,26 +1,36 @@
-ands_openshift_gid_mode:
- ands_default: "MustRunAs"
-# sample: "RunAsAny"
-
-#ands_openshift_uid_mode:
-# ands_default: "MustRunAsRange"
+#The SCC is global, not per project.
+# It is better to work with groups.
+#ands_openshift_uid_mode: "MustRunAsRange"
+# Allow setting the required fsGroup in pod-specification (default is MustRunAs).
+# - If Ceph or other block storage is used, it is necessary set 'fsGroup' in pod definitions if 'RunAsAny' strategy is selected. Otherwise, the matching rules will fail.
+# - For some reason, 'fsGroup' is not used as 'gid' for container. The 'gid' is always 0 (maybe only if container is run by unknown user or withiout known group).
+# - May be it also should not. While documentation states that the new files are created with fsGroup gid, it also states that fsGroup is only used for network block storage (ceph).
+# - Using "MustRunAs" a first 'gid' specified in the project 'supplementalGroups' will be used as 'fsGroup'.
+# - Yes, in the project, not 'pod'. Consequently, the 'group' assigned to project is always in the 'supGroups' if 'MustRunAs' is selected.
+# - gid=0 is also always in
+# I tend to keep the default settings and use +s to enfore group ownership. If project uses multiple 'groups', the first group in the range should not be used and we avoid unintended sharing.
+#ands_openshift_gid_mode: "RunAsAny"
+#To enforce the range specified in the project configuration.
+# - The gids outside of the range will be rejected and pod will fail if "MustRunAs" is selected.
+ands_openshift_groups_mode: "MustRunAs"
#ands_openshift_uid_ranges:
ands_openshift_gid_ranges:
kaas: "4000/10"
katrin: "5000/10"
- test: "7100/10"
adei: "6000/10"
bora: "6100/10"
web: "6200/10"
mon: "7000/10"
+ test: "7100/10"
+# The default user and group mentioned in some projects
ands_openshift_uids:
- kaas: { id: 6000 }
+ kaas: { id: 4000 }
ands_openshift_gids:
- kaas: { id: 6000 }
+ kaas: { id: 4000 }
ands_default_file_group: root
ands_default_file_owner: root
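Review bot: `ands_openshift_uids.kaas` is moved to 4000 while `ands_openshift_uid_ranges` remains commented out, so if the restricted SCC keeps its default `MustRunAsRange` strategy, a pod that renders `runAsUser: 4000` from this map will be rejected at admission unless the namespace's `sa.scc.uid-range` annotation happens to cover 4000; the gid map is consistent with `kaas: "4000/10"`, the uid map has no matching range. Either define `ands_openshift_uid_ranges` for the projects that use `run_as`, or add a comment stating that `ands_openshift_uids` is only meant for host-side file ownership. The explanatory comment block also has a few typos worth fixing ("withiout", "enfore", "May be").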
diff --git a/setup/projects/adei/templates/60-adei.yml.j2 b/setup/projects/adei/templates/60-adei.yml.j2
index 537368f..ca3c17a 100644
--- a/setup/projects/adei/templates/60-adei.yml.j2
+++ b/setup/projects/adei/templates/60-adei.yml.j2
@@ -95,6 +95,8 @@ objects:
adei-type: "{{ pod_type }}"
adei-name: "{{ name }}"
adei-setup: "${setup}"
+ annotations:
+ kaas/replicas: "{{ cfg.replicas }}"
spec:
replicas: "{{ cfg.replicas }}"
revisionHistoryLimit: "{{ adei_pod_history_limit }}"
@@ -127,20 +129,15 @@ objects:
{% if (cfg.groups is defined) or (cfg.run_as is defined) %}
securityContext:
{% if (cfg.run_as is defined) %}
-{% if (kaas_project_config.uids | default(kaas_openshift_uids))[cfg.run_as] is defined %}
- - {{ (kaas_project_config.uids | default(kaas_openshift_uids))[cfg.run_as].id }}
-{% else %}
- - {{ cfg.run_as }}
-{% endif %}
+ runAsUser: {{ (kaas_project_uids[cfg.run_as] is defined) | ternary(kaas_project_uids[cfg.run_as].id, cfg.run_as) }}
{% endif %}
{% if (cfg.groups is defined) %}
+{% if (ands_openshift_gid_mode | default('')) == "RunAsAny" %}
+ fsGroup: {{ (kaas_project_gids[cfg.groups[0]] is defined) | ternary(kaas_project_gids[cfg.groups[0]].id, cfg.groups[0]) }}
+{% endif %}
supplementalGroups:
{% for group in cfg.groups %}
-{% if (kaas_project_config.gids | default(kaas_openshift_gids))[group] is defined %}
- - {{ (kaas_project_config.gids | default(kaas_openshift_gids))[group].id }}
-{% else %}
- - {{ group }}
-{% endif %}
+ - {{ (kaas_project_gids[group] is defined) | ternary(kaas_project_gids[group].id, group) }}
{% endfor %}
{% endif %}
{% endif %}
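Review bot: The same `ternary` pattern as in the kaas pod template is used here, and `kaas_project_uids[cfg.run_as].id` is evaluated regardless of the `is defined` test, so a `run_as` or group not present in the map would most likely abort rendering under a strict undefined instead of falling back to the literal value (worth confirming against the Ansible version in use). `(kaas_project_gids[group] | default({})).id | default(group)` preserves the fallback for each of the three fields. This `securityContext` block is now duplicated verbatim between the two templates; a shared macro would keep future SCC-related changes in one place.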
diff --git a/setup/projects/adei/vars/globals.yml b/setup/projects/adei/vars/globals.yml
index 21f4db1..f8d7816 100644
--- a/setup/projects/adei/vars/globals.yml
+++ b/setup/projects/adei/vars/globals.yml
@@ -182,7 +182,7 @@ adei_frontends:
cacher:
name: "adei-${setup}-cacher"
replicas: "${cache_replicas}"
- cmd: [ "/bin/bash", "/adei/src/scripts/system/cacher.sh" ]
+ cmd: [ "/openshift-entrypoint.sh", "/adei/src/scripts/system/cacher.sh" ]
env: "{{ adei_pod_env | union(adei_cache_env) }}"
vols: "{{ adei_pod_vols }}"
mounts: "{{ adei_prod_mounts | union(adei_pod_mounts) }}"
@@ -191,7 +191,7 @@ adei_frontends:
archive_cacher:
name: "adei-${setup}-archive-cacher"
replicas: "1"
- cmd: [ "/bin/bash", "/adei/src/scripts/system/cacher.sh", "-m", "archive" ]
+ cmd: [ "/openshift-entrypoint.sh", "/adei/src/scripts/system/cacher.sh", "-m", "archive" ]
env: "{{ adei_pod_env | union(adei_arc_cache_env) }}"
vols: "{{ adei_pod_vols }}"
mounts: "{{ adei_prod_mounts | union(adei_pod_mounts) }}"
@@ -200,7 +200,7 @@ adei_frontends:
log_cacher:
name: "adei-${setup}-log-cacher"
replicas: "${enable_logs}"
- cmd: [ "/bin/bash", "/adei/src/scripts/system/cacher.sh" ]
+ cmd: [ "/openshift-entrypoint.sh", "/adei/src/scripts/system/cacher.sh" ]
env: "{{ adei_pod_env | union(adei_log_cache_env) }}"
vols: "{{ adei_pod_vols }}"
mounts: "{{ adei_prod_mounts | union(adei_pod_mounts) }}"
@@ -209,7 +209,7 @@ adei_frontends:
update:
name: "adei-${setup}-update"
cron: "${update_schedule}"
- cmd: [ "/bin/bash", "/adei/src/scripts/cron/adei.cron.sh" ]
+ cmd: [ "/openshift-entrypoint.sh", "/adei/src/scripts/cron/adei.cron.sh" ]
env: "{{ adei_pod_env | union(adei_cron_env) | union(adei_update_env) }}"
vols: "{{ adei_pod_vols }}"
mounts: "{{ adei_prod_mounts | union(adei_pod_mounts) }}"
@@ -218,7 +218,7 @@ adei_frontends:
maintain:
name: "adei-${setup}-maintain"
cron: "${maintain_schedule}"
- cmd: [ "/bin/bash", "/adei/src/scripts/cron/adei_manager.cron.sh" ]
+ cmd: [ "/openshift-entrypoint.sh", "/adei/src/scripts/cron/adei_manager.cron.sh" ]
env: "{{ adei_pod_env | union(adei_cron_env) }}"
vols: "{{ adei_pod_vols }}"
mounts: "{{ adei_prod_mounts | union(adei_pod_mounts) }}"
@@ -227,7 +227,7 @@ adei_frontends:
clean:
name: "adei-${setup}-clean"
cron: "${clean_schedule}"
- cmd: [ "/bin/bash", "/adei/src/scripts/cron/adei_clean.cron.sh" ]
+ cmd: [ "/openshift-entrypoint.sh", "/adei/src/scripts/cron/adei_clean.cron.sh" ]
env: "{{ adei_pod_env | union(adei_cron_env) }}"
vols: "{{ adei_pod_vols }}"
mounts: "{{ adei_prod_mounts | union(adei_pod_mounts) }}"
diff --git a/setup/projects/adei/vars/pods.yml b/setup/projects/adei/vars/pods.yml
index 5278c44..182db9c 100644
--- a/setup/projects/adei/vars/pods.yml
+++ b/setup/projects/adei/vars/pods.yml
@@ -30,9 +30,9 @@ pods:
env:
- { name: "DB_SERVICE_HOST", value: "mysql.adei.svc.cluster.local" }
- { name: "DB_SERVICE_PORT", value: "3306" }
+ - { name: "DB_EXTRA_HOSTS", value: "mysql.katrin.svc.cluster.local" }
# - { name: "DB_SERVICE_CONTROL_USER", value: "pma" }
# - { name: "DB_SERVICE_CONTROL_PASSWORD", value: "secret@adei/pma-password" }
- - { name: "DB_EXTRA_HOSTS", value: "mysql.katrin.svc.cluster.local" }
probes:
- { port: 8080, path: '/' }
diff --git a/setup/projects/adei/vars/volumes.yml b/setup/projects/adei/vars/volumes.yml
index cdeb4e7..768e27f 100644
--- a/setup/projects/adei/vars/volumes.yml
+++ b/setup/projects/adei/vars/volumes.yml
@@ -1,6 +1,6 @@
gids:
- adei: { id: 6000 }
- adei_db: { id: 6001 }
+ adei: { id: 6001 }
+ adei_db: { id: 6002 }
volumes:
adei_init: { volume: "openshift", path: "/adei/init"} # mysql
@@ -13,10 +13,10 @@ volumes:
adei_db: { volume: "databases", path: "/adei", write: true } # mysql
files:
- - { osv: "adei_cfg", path: "/", state: "directory", group: "adei", mode: "0775" }
- - { osv: "adei_cfg", path: "/prod", state: "directory", group: "adei", mode: "0775" }
- - { osv: "adei_cfg", path: "/dbg", state: "directory", group: "adei", mode: "0775" }
- - { osv: "adei_src", path: "/", state: "directory", group: "adei", mode: "0775" }
- - { osv: "adei_log", path: "/", state: "directory", group: "adei", mode: "0775" }
- - { osv: "adei_tmp", path: "/", state: "directory", group: "adei", mode: "0775" }
- - { osv: "adei_db", path: "mysql", state: "directory", group: "adei_db", mode: "0775" }
+ - { osv: "adei_cfg", path: "/", state: "directory", group: "adei", mode: "02775" }
+ - { osv: "adei_src", path: "/", state: "directory", group: "adei", mode: "02775" }
+ - { osv: "adei_src", path: "/prod", state: "directory", group: "adei", mode: "02775" }
+ - { osv: "adei_src", path: "/dbg", state: "directory", group: "adei", mode: "02775" }
+ - { osv: "adei_log", path: "/", state: "directory", group: "adei", mode: "02775" }
+ - { osv: "adei_tmp", path: "/", state: "directory", group: "adei", mode: "02775" }
+ - { osv: "adei_db", path: "mysql", state: "directory", group: "adei_db", mode: "02775" }
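Review bot: Every directory here, including `adei_cfg`, gets `02775`, which leaves the configuration tree readable and traversable by everyone (`o=rx`); if it holds database or service credentials, `02770` keeps the setgid-based group sharing while removing world access, and the `adei_db`/`mysql` directory is in the same position. Quoting the modes as strings is the right call, as it avoids the YAML octal/decimal ambiguity of a bare `02775`.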
diff --git a/setup/projects/kaas/templates/40-kaas-manager.yml.j2 b/setup/projects/kaas/templates/40-kaas-manager.yml.j2
index e181737..b9cba4e 100644
--- a/setup/projects/kaas/templates/40-kaas-manager.yml.j2
+++ b/setup/projects/kaas/templates/40-kaas-manager.yml.j2
@@ -43,6 +43,9 @@ objects:
{% for ofs in range(gid_range[1] | default(1) | int) %}
- {{ (gid_range[0] | int) + ofs }}
{% endfor %}
+{% if (ands_openshift_gid_mode | default('')) == "RunAsAny" %}
+ fsGroup: {{ gid_range[0] }}
+{% endif %}
{% if (kaas_project_config.run_pods_as is defined) %}
{% if ((kaas_project_config.uids | default(kaas_openshift_uids))[kaas_project_config.run_pods_as] is defined) %}
runAsUser: {{ (kaas_project_config.uids | default(kaas_openshift_uids))[kaas_project_config.run_pods_as].id }}
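Review bot: The `runAsUser` lines directly below the new `fsGroup` block still resolve the uid via `kaas_project_config.uids | default(kaas_openshift_uids)`, while the rest of this commit moved that lookup to the precomputed `kaas_project_uids`; this template is now the only place with the old expression. Using `kaas_project_uids[kaas_project_config.run_pods_as]` in both lines keeps the lookup consistent so any later change to how the maps are merged applies here too. `gid_range` is defined outside the hunk, so whether `gid_range[0]` is always a plain integer cannot be checked from here.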
diff --git a/setup/projects/kaas/vars/volumes.yml b/setup/projects/kaas/vars/volumes.yml
index 3554aa6..cf9c697 100644
--- a/setup/projects/kaas/vars/volumes.yml
+++ b/setup/projects/kaas/vars/volumes.yml
@@ -1,10 +1,11 @@
-gids:
- kaas: { id: 4000 }
+#defined globaly
+#gids:
+# kaas: { id: 4000 }
files:
- - { osv: "data", path: "/www", state: "directory", group: "kaas", mode: "0775" }
- - { osv: "etc", path: "/apache2", state: "directory", group: "kaas", mode: "0775" }
- - { osv: "tmp", path: "/apache2", state: "directory", group: "kaas", mode: "0775" }
+ - { osv: "data", path: "/www", state: "directory", group: "kaas", mode: "02775" }
+ - { osv: "etc", path: "/apache2", state: "directory", group: "kaas", mode: "02775" }
+ - { osv: "tmp", path: "/apache2", state: "directory", group: "kaas", mode: "02775" }
#resync: true
sync_set_gid: kaas
diff --git a/setup/projects/katrin/vars/volumes.yml b/setup/projects/katrin/vars/volumes.yml
index ca22a28..3b53bb3 100644
--- a/setup/projects/katrin/vars/volumes.yml
+++ b/setup/projects/katrin/vars/volumes.yml
@@ -5,7 +5,7 @@ extra_volumes:
katrin: { volume: "katrin_data", path: "/", capacity: "40Ti", write: true }
files:
- - { osv: "katrin", path: "/", state: "directory", group: "katrin", mode: "0775" }
+ - { osv: "katrin", path: "/", state: "directory", group: "katrin", mode: "02775" }
#resync: true
#sync_set_gid: katrin