Run rabbitmq container with rabbitmq user

This change makes rabbitmq container run with the rabbitmq user instead of the root user. As the rabbitmq user doesn't have write access to '/run' directory, the templates are updated to use the '/tmp' directory instead which the rabbitmq user has write access to. Change-Id: Ia35c3f741fefe3172c93bb042bf8d26bf7672cfc
2019-04-26 15:43:00 -04:00 · 2019-04-26 15:43:00 -04:00 · f5df62d836
commit f5df62d836
parent 20dafdaddb
4 changed files with 6 additions and 6 deletions
--- a/rabbitmq/templates/bin/_rabbitmq-liveness.sh.tpl
+++ b/rabbitmq/templates/bin/_rabbitmq-liveness.sh.tpl
@ -18,7 +18,7 @@ limitations under the License.

 set -e

-if [ -f /run/rabbit-disable-liveness-probe ]; then
+if [ -f /tmp/rabbit-disable-liveness-probe ]; then
   exit 0
 else
   exec rabbitmqctl status
--- a/rabbitmq/templates/bin/_rabbitmq-readiness.sh.tpl
+++ b/rabbitmq/templates/bin/_rabbitmq-readiness.sh.tpl
@ -18,7 +18,7 @@ limitations under the License.

 set -e

-if [ -f /run/rabbit-disable-readiness ]; then
+if [ -f /tmp/rabbit-disable-readiness ]; then
   exit 1
 else
   exec rabbitmqctl status
--- a/rabbitmq/templates/bin/_rabbitmq-start.sh.tpl
+++ b/rabbitmq/templates/bin/_rabbitmq-start.sh.tpl
@ -49,7 +49,7 @@ POD_INCREMENT=$(echo "${MY_POD_NAME}" | awk -F '-' '{print $NF}')
 if ! [ "${POD_INCREMENT}" -eq "0" ] && ! [ -d "/var/lib/rabbitmq/mnesia" ] ; then
  echo 'This is not the 1st rabbit pod & has not been initialised'
  # disable liveness probe as it may take some time for the pod to come online.
-  touch /run/rabbit-disable-liveness-probe
+  touch /tmp/rabbit-disable-liveness-probe
  POD_NAME_PREFIX="$(echo "${MY_POD_NAME}" | awk 'BEGIN{FS=OFS="-"}{NF--; print}')"
  for TARGET_POD in $(seq 0 +1 $((POD_INCREMENT - 1 ))); do
    END=$(($(date +%s) + 900))
@ -70,7 +70,7 @@ if ! [ "${POD_INCREMENT}" -eq "0" ] && ! [ -d "/var/lib/rabbitmq/mnesia" ] ; the

  # Start RabbitMQ, but disable readiness from being reported so the pod is not
  # marked as up prematurely.
-  touch /run/rabbit-disable-readiness
+  touch /tmp/rabbit-disable-readiness
  rabbitmq-server &

  # Wait for server to start, and reset if it does not
@ -93,7 +93,7 @@ if ! [ "${POD_INCREMENT}" -eq "0" ] && ! [ -d "/var/lib/rabbitmq/mnesia" ] ; the
  # Shutdown the inital server
  rabbitmqctl shutdown

-  rm -fv /run/rabbit-disable-readiness /run/rabbit-disable-liveness-probe
+  rm -fv /tmp/rabbit-disable-readiness /tmp/rabbit-disable-liveness-probe
 fi

 exec rabbitmq-server
--- a/rabbitmq/values.yaml
+++ b/rabbitmq/values.yaml
@ -70,7 +70,7 @@ pod:
          runAsUser: 0
          readOnlyRootFilesystem: true
        rabbitmq:
-          runAsUser: 0
+          runAsUser: 999
          readOnlyRootFilesystem: false
    cluster_wait:
      pod: