[bitnami/elasticsearch] crash when running as root when TLS certificates are read-only #77525
Comments
Remove the initContainer that copies TLS certificates from the secret to the emptyDir volume and revert to mounting the secret directly into the various statefulset pods. This fixes bitnami#31872, but will break bitnami#25280 until bitnami/containers#77525 is fixed.
Signed-off-by: Ian Roberts <i.roberts@sheffield.ac.uk>
Thank you for opening this issue and submitting the associated Pull Request. Our team will review and provide feedback. Once the PR is merged, the issue will automatically close. Your contribution is greatly appreciated!
This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.
Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.
Still relevant - associated PR is awaiting final review from @migruiz4
This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.
Fix is ready, still waiting for final review and merge.
This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.
Not stale, #77526 still awaiting approval.
This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.
Not stale - I made the requested changes to my fix in PR #77526 seven weeks ago (11th March) but they are still awaiting final review and merge.
Name and Version
bitnami/elasticsearch:8.17.2-debian-12-r0

What architecture are you using?
amd64

What steps will reproduce the bug?
Run the container as root with a read-only volume mounted to /opt/bitnami/elasticsearch/config/certs.
(This bug was originally reported as bitnami/charts#25280 against the bitnami/elasticsearch Helm chart, which at the time mounted a Kubernetes secret at this path containing the TLS certificate and key files for Elasticsearch.)

What is the expected behavior?
Container should start up correctly.

What do you see instead?
Container fails to start, with the error in this section of libelasticsearch.sh: containers/bitnami/elasticsearch/8/debian-12/rootfs/opt/bitnami/scripts/libelasticsearch.sh, lines 380 to 383 in 1e1e736.
When running as root the container attempts to chown all files under $DB_CONF_DIR (which is /opt/bitnami/elasticsearch/config), but this is not possible when the certs subdirectory is a read-only filesystem.

Additional information
A PR was accepted in the charts repository to "fix" the problem by copying the TLS certificates to a writeable volume instead of directly mounting the read-only one, but this has other undesirable effects where renewed certificates are no longer picked up and reloaded automatically. It would be better to back out that change to the chart and instead fix the problem at source in the container image.
The simplest fix would be to add -f to the chown command to ignore files whose ownership cannot be changed. An alternative could be to change the location of the certificate files so they do not fall under a directory that will be chown-ed, but that may have further reaching knock-on effects on things like custom init scripts that assume the current file locations.
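The failure mode the issue describes, as an added example that is not code from the Bitnami image or the charts repository: a single recursive chown that fails outright when one subtree (standing in for the read-only certs mount) cannot be changed, beside a best-effort variant that skips such paths and keeps going so a `set -e` entrypoint survives. The sample directory tree and the function names are constructed for illustration; the failure is provoked with EPERM (chown to another uid as a non-root user) rather than the EROFS of the real mount.

```shell
#!/bin/sh
# Added example, not code from the Bitnami image. Contrasts the pre-fix
# behaviour (one recursive chown aborting on a read-only subtree) with a
# best-effort variant that tolerates paths whose ownership cannot be changed.

# Constructed config tree: "certs" stands in for the read-only secret mount.
make_sample_config_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/certs"
    : > "$d/elasticsearch.yml"
    : > "$d/certs/tls.crt"
    : > "$d/certs/tls.key"
    printf '%s\n' "$d"
}

# Pre-fix behaviour: a single recursive chown. One EROFS (or EPERM) on any
# path makes the whole command exit non-zero, which under `set -e` kills the
# entrypoint before Elasticsearch starts.
chown_strict() {
    chown -R "$1" "$2"
}

# Best-effort behaviour: chown each path on its own, print the ones that could
# not be changed, and always return 0. This checks each exit status directly
# instead of relying on `chown -f`, which suppresses the error message but may
# or may not also mask the exit status depending on the implementation.
chown_tolerant() {
    owner=$1
    dir=$2
    list=$(mktemp)
    find "$dir" -print > "$list"   # paths containing newlines are not handled
    while IFS= read -r p; do
        chown "$owner" "$p" 2>/dev/null || printf '%s\n' "$p"
    done < "$list"
    rm -f "$list"
    return 0
}

# Number of paths chown_tolerant had to skip (0 when everything succeeded).
count_skipped() {
    chown_tolerant "$1" "$2" | wc -l | tr -d ' '
}
```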