Volumemounts created as root:artifact though security context provided

1/25/2020

Issue: Deploying Artifactory as a Deployment in Kubernetes. The VolumeMounts are being mounted as root:artifact with permissions of drwxr-sr-x:

/var/opt/jfrog/artifactory
drwxr-sr-x    2 root     artifact      4096 Jan 24 17:52 etc
/var/opt/jfrog/artifactory/etc
-rw-r--r--    1 root     artifact      1048 Jan 24 17:48 artifactory.config.import.yml
-rw-r--r--    1 root     artifact     12703 Jan 24 17:48 artifactory.system.properties

Expected: The VolumeMount should be mounted as artifact:artifact with read and write permissions

Kubernetes manifest file (it's incomplete due to restrictions):

    spec:
      securityContext:
        runAsUser: 1030
        runAsGroup: 1030
        fsGroup: 1030

        volumeMounts:
        - name: artifactory-volume
          mountPath: "/var/opt/jfrog/artifactory"
        - name: bootstrap
          mountPath: "/var/opt/jfrog/artifactory/etc/artifactory.config.import.yml"
          subPath: bootstrap
        - name: artifactory-system-properties
          mountPath: "/var/opt/jfrog/artifactory/etc/artifactory.system.properties"
          subPath: artifactory.system.properties
        resources:
          limits:
            cpu: "3"
            memory: 6Gi
          requests:
            cpu: "2"
            memory: 4Gi


      volumes:
      - name: bootstrap
        secret:
          secretName: artifactory6170-artifactory
      - name: artifactory-system-properties
        configMap:
          name: artifactory6170-artifactory-system-properties
      - name: artifactory-volume
        persistentVolumeClaim:
          claimName: artifactory6170-artifactory

Kubernetes Version:

Server Version: version.Info{
  Major: "1",
  Minor: "14",
  GitVersion: "v1.14.1",
  GitCommit: "b7394102d6ef778017f2ca4046abbaa23b88c290",
  GitTreeState: "clean",
  BuildDate: "2019-04-08T17:02:58Z",
  GoVersion: "go1.12.1",
  Compiler: "gc",
  Platform: "linux/amd64"
}

I believe the security context covers what is required:

        runAsUser: 1030

runs the process as 1030.

        runAsGroup: 1030

Any files created will also be owned by user 1030 and group 1030 when runAsGroup is specified.

        fsGroup: 1030

Any volume attached will be owned by group ID 1099.

Docker file path

Not sure why the container comes up with the wrong user ownership; any help would be really appreciated.

Error:

kubectl logs artifactory6170-artifactory-756cffb9-68zjj
2020-01-26 12:28:13  [719 entrypoint-artifactory.sh] Preparing to run Artifactory in Docker
2020-01-26 12:28:13  [720 entrypoint-artifactory.sh] Running as uid=1030(artifactory) gid=1030(artifactory) groups=1030(artifactory)
2020-01-26 12:28:13   [57 entrypoint-artifactory.sh] Dockerfile for this image can found inside the container.
2020-01-26 12:28:13   [58 entrypoint-artifactory.sh] To view the Dockerfile: 'cat /docker/artifactory-pro/Dockerfile.artifactory'.
2020-01-26 12:28:13   [63 entrypoint-artifactory.sh] Checking open files and processes limits
2020-01-26 12:28:13   [66 entrypoint-artifactory.sh] Current max open files is 1048576
2020-01-26 12:28:13   [78 entrypoint-artifactory.sh] Current max open processes is unlimited
2020-01-26 12:31:13  [211 entrypoint-artifactory.sh] Testing directory /var/opt/jfrog/artifactory has read/write permissions for user 'artifactory' (id 1030)
/entrypoint-artifactory.sh: line 180: /var/opt/jfrog/artifactory/etc/test-permissions: Permission denied
2020-01-26 12:31:13  [229 entrypoint-artifactory.sh] ###########################################################
2020-01-26 12:31:13  [230 entrypoint-artifactory.sh] /var/opt/jfrog/artifactory DOES NOT have proper permissions for user 'artifactory' (id 1030)
2020-01-26 12:31:13  [231 entrypoint-artifactory.sh] Directory: /var/opt/jfrog/artifactory, permissions: 2775, owner: artifactory, group: artifactory
2020-01-26 12:31:13  [232 entrypoint-artifactory.sh] Mounted directory must have read/write permissions for user 'artifactory' (id 1030)
2020-01-26 12:31:13  [233 entrypoint-artifactory.sh] ###########################################################
2020-01-26 12:31:13   [47 entrypoint-artifactory.sh] ERROR: Directory /var/opt/jfrog/artifactory has bad permissions for user 'artifactory' (id 1030)
-- Roger
kubernetes

2 Answers

1/28/2020

As explained here, here, here and here, you cannot change the permissions of a mounted directory.

As a workaround you can use an initContainer, which runs before the actual container, to change the permissions on the directory:

initContainers:
- name: volume-mount
  image: busybox
  command: ["sh", "-c", "chown -R 1030:1030 <your_directory>"]
  volumeMounts:
  - name: <your volume>
    mountPath: <your mountPath>
-- KFC_
Source: StackOverflow

1/28/2020

All I had to do was add an initContainer, mount the ConfigMaps to /tmp and have them moved to the necessary path /var/opt/jfrog/artifactory/etc/, instead of mounting the ConfigMap in the volumeMount /var/opt/jfrog/artifactory.

Reason: ConfigMaps are read-only, hence /etc was and would always be read-only.

  initContainers:
  - name: "grant-permissions"
    image: "busybox:1.26.2"
    securityContext:
      runAsUser: 0
    imagePullPolicy: "IfNotPresent"
    command:
    - 'sh'
    - '-c'
    - 'mkdir /var/opt/jfrog/artifactory/etc ; cp -vf /tmp/artifactory* /var/opt/jfrog/artifactory/etc ; chown -R 1030:1030 /var/opt/jfrog/ ; rm -rfv /var/opt/jfrog/artifactory/lost+found'

    volumeMounts:
    - mountPath: "/var/opt/jfrog/artifactory"
      name: artifactory-volume
    - name: bootstrap
      mountPath: "/tmp/artifactory.config.import.yml"
      subPath: bootstrap
      readOnly: false
    - name: artifactory-system-properties
      mountPath: "/tmp/artifactory.system.properties"
      subPath: artifactory.system.properties
      readOnly: false

Then mount the volume in the main container that runs Artifactory:

  containers:
  - name: artifactory
    image: "registry.eu02.dsg.arm.com/sqa/artifactory-pro:6.17.0"

    volumeMounts:
    - name: artifactory-volume
      mountPath: "/var/opt/jfrog/artifactory"
-- Roger
Source: StackOverflow
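Putting the two answers together, here is a complete Deployment pod spec added as an example; it is not from the question or from either answer. It keeps the pod-level securityContext from the question, the root-running initContainer from the first answer and the /tmp staging of the ConfigMap/Secret files from the second. It goes a step further than the answers on least privilege: the init container drops every capability except the ones chown and cp actually need, the recursive chown is limited to the mounted data directory instead of all of /var/opt/jfrog/, and the main container runs with no capabilities at all. The Deployment name, labels, image reference, Secret/ConfigMap names and PVC name are assumed placeholders.

```yaml
# Added example, not the project's or the answerers' manifest.
# Names and the image reference are placeholders (assumed).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: artifactory
spec:
  replicas: 1
  selector:
    matchLabels:
      app: artifactory
  template:
    metadata:
      labels:
        app: artifactory
    spec:
      # Pod-level securityContext: runAsUser/runAsGroup set the process
      # identity; fsGroup is applied by the volume plugin at mount time and
      # does not fix data a previous root process already wrote to the PVC.
      securityContext:
        runAsUser: 1030
        runAsGroup: 1030
        fsGroup: 1030
      initContainers:
      - name: grant-permissions
        image: busybox:1.26.2
        # Runs as root only to fix ownership, with the capability set cut
        # down to what chown/cp on root-owned paths require.
        securityContext:
          runAsUser: 0
          runAsGroup: 0
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
            add: ["CHOWN", "DAC_OVERRIDE", "FOWNER"]
        command:
        - sh
        - -c
        - |
          set -eu
          mkdir -p /var/opt/jfrog/artifactory/etc
          cp -vf /tmp/artifactory.config.import.yml \
                 /tmp/artifactory.system.properties \
                 /var/opt/jfrog/artifactory/etc/
          rm -rf /var/opt/jfrog/artifactory/lost+found
          # Narrow the recursive chown to the mounted data directory only.
          chown -R 1030:1030 /var/opt/jfrog/artifactory
        volumeMounts:
        - name: artifactory-volume
          mountPath: /var/opt/jfrog/artifactory
        # Secret and ConfigMap volumes are mounted read-only by the kubelet,
        # so they are staged under /tmp and copied, never mounted into the
        # PVC path that Artifactory needs to own and write.
        - name: bootstrap
          mountPath: /tmp/artifactory.config.import.yml
          subPath: bootstrap
          readOnly: true
        - name: artifactory-system-properties
          mountPath: /tmp/artifactory.system.properties
          subPath: artifactory.system.properties
          readOnly: true
      containers:
      - name: artifactory
        image: REGISTRY/artifactory-pro:6.17.0   # placeholder, assumed
        # Artifactory runs as uid/gid 1030 (inherited from the pod) and
        # needs no capabilities once the data directory is owned by it.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
        volumeMounts:
        - name: artifactory-volume
          mountPath: /var/opt/jfrog/artifactory
        resources:
          limits:
            cpu: "3"
            memory: 6Gi
          requests:
            cpu: "2"
            memory: 4Gi
      volumes:
      - name: bootstrap
        secret:
          secretName: artifactory-bootstrap            # assumed name
      - name: artifactory-system-properties
        configMap:
          name: artifactory-system-properties         # assumed name
      - name: artifactory-volume
        persistentVolumeClaim:
          claimName: artifactory-data                 # assumed name
```

Two details worth checking in your own manifest: `readOnly: false` on a Secret or ConfigMap mount, as in the second answer, has no effect, because the kubelet mounts those volume types read-only regardless, which is why the files have to be copied rather than written in place; and `fsGroup` alone cannot repair a PVC that was populated earlier by a root process, which is the situation the entrypoint's `test-permissions` check reports. After applying, `kubectl logs <pod> -c grant-permissions` shows the `cp -v` output and confirms the init step ran as intended.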