Run rabbitmq container with rabbitmq user

This change makes the rabbitmq container run as the rabbitmq user
instead of root. Because the rabbitmq user has no write access to
the '/run' directory, the templates are updated to use the '/tmp'
directory instead, which the rabbitmq user can write to.

Change-Id: Ia35c3f741fefe3172c93bb042bf8d26bf7672cfc
BARTRA, RICK 2019-04-26 15:43:00 -04:00 committed by anthony.bellino
parent 20dafdaddb
commit f5df62d836
4 changed files with 6 additions and 6 deletions


@ -18,7 +18,7 @@ limitations under the License.
set -e set -e
if [ -f /run/rabbit-disable-liveness-probe ]; then if [ -f /tmp/rabbit-disable-liveness-probe ]; then
exit 0 exit 0
else else
exec rabbitmqctl status exec rabbitmqctl status
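Review bot: The liveness probe now keys off a flag file in /tmp, a world-writable scratch directory, so anything that can write into the container's /tmp (an exec'd shell, a sidecar sharing the mount, a future emptyDir) can silently disable the probe by creating `/tmp/rabbit-disable-liveness-probe`. A writable emptyDir mounted at `/run` (or a subdirectory under `/var/lib/rabbitmq`) would have kept the original path, stays private to the workload, and unlike /tmp still works once readOnlyRootFilesystem is enabled. If /tmp is kept, the test deserves a comment stating the contract, e.g. `# Flag created by the start script while a non-primary pod joins the cluster; /tmp because the rabbitmq user cannot write /run`. The if/else this hunk shows continues past the end of the hunk.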


@ -18,7 +18,7 @@ limitations under the License.
set -e set -e
if [ -f /run/rabbit-disable-readiness ]; then if [ -f /tmp/rabbit-disable-readiness ]; then
exit 1 exit 1
else else
exec rabbitmqctl status exec rabbitmqctl status
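Review bot: Nothing in the readiness script says who creates `/tmp/rabbit-disable-readiness` or that the name must match the start script byte for byte, so a later rename in one of the two files would silently re-enable readiness reporting for a pod that is still joining. A comment above the test would prevent that: `# Created by the start script around the initial rabbitmq-server run of a joining pod; path must match the start script exactly`. The same comment should note that /tmp is used because the container now runs as the rabbitmq user, which cannot write /run, so the next person does not move it back. The if/else shown here continues past the end of the hunk.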


@ -49,7 +49,7 @@ POD_INCREMENT=$(echo "${MY_POD_NAME}" | awk -F '-' '{print $NF}')
if ! [ "${POD_INCREMENT}" -eq "0" ] && ! [ -d "/var/lib/rabbitmq/mnesia" ] ; then if ! [ "${POD_INCREMENT}" -eq "0" ] && ! [ -d "/var/lib/rabbitmq/mnesia" ] ; then
echo 'This is not the 1st rabbit pod & has not been initialised' echo 'This is not the 1st rabbit pod & has not been initialised'
# disable liveness probe as it may take some time for the pod to come online. # disable liveness probe as it may take some time for the pod to come online.
touch /run/rabbit-disable-liveness-probe touch /tmp/rabbit-disable-liveness-probe
POD_NAME_PREFIX="$(echo "${MY_POD_NAME}" | awk 'BEGIN{FS=OFS="-"}{NF--; print}')" POD_NAME_PREFIX="$(echo "${MY_POD_NAME}" | awk 'BEGIN{FS=OFS="-"}{NF--; print}')"
for TARGET_POD in $(seq 0 +1 $((POD_INCREMENT - 1 ))); do for TARGET_POD in $(seq 0 +1 $((POD_INCREMENT - 1 ))); do
END=$(($(date +%s) + 900)) END=$(($(date +%s) + 900))
@ -70,7 +70,7 @@ if ! [ "${POD_INCREMENT}" -eq "0" ] && ! [ -d "/var/lib/rabbitmq/mnesia" ] ; the
# Start RabbitMQ, but disable readiness from being reported so the pod is not # Start RabbitMQ, but disable readiness from being reported so the pod is not
# marked as up prematurely. # marked as up prematurely.
touch /run/rabbit-disable-readiness touch /tmp/rabbit-disable-readiness
rabbitmq-server & rabbitmq-server &
# Wait for server to start, and reset if it does not # Wait for server to start, and reset if it does not
@ -93,7 +93,7 @@ if ! [ "${POD_INCREMENT}" -eq "0" ] && ! [ -d "/var/lib/rabbitmq/mnesia" ] ; the
# Shutdown the inital server # Shutdown the inital server
rabbitmqctl shutdown rabbitmqctl shutdown
rm -fv /run/rabbit-disable-readiness /run/rabbit-disable-liveness-probe rm -fv /tmp/rabbit-disable-readiness /tmp/rabbit-disable-liveness-probe
fi fi
exec rabbitmq-server exec rabbitmq-server
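Review bot: The two flag files written by `touch /tmp/rabbit-disable-liveness-probe` and `touch /tmp/rabbit-disable-readiness` are only removed on the success path (`rm -fv /tmp/rabbit-disable-readiness /tmp/rabbit-disable-liveness-probe` after the shutdown), so if any step between the touches and that line exits the script — the join loop or the start/reset step, whose bodies fall outside the hunks — both flags are left behind. That is harmless while /tmp lives in the container's ephemeral layer, but if /tmp is ever backed by a volume that outlives the container, the next start would begin with the liveness probe permanently disabled. Registering `trap 'rm -f /tmp/rabbit-disable-readiness /tmp/rabbit-disable-liveness-probe' EXIT` before the first touch covers the early-exit paths; it does not fire across the final `exec rabbitmq-server`, which is fine because the files are already gone by then. The `for TARGET_POD` loop that starts in the first hunk ends outside it.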


@ -70,7 +70,7 @@ pod:
runAsUser: 0 runAsUser: 0
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
rabbitmq: rabbitmq:
runAsUser: 0 runAsUser: 999
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
cluster_wait: cluster_wait:
pod: pod:
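Review bot: `readOnlyRootFilesystem: false` is kept for the rabbitmq container even though, from the scripts in this commit, the only writable paths it needs appear to be /tmp (the flag files) and /var/lib/rabbitmq (the mnesia directory), both of which can be volume-backed; with an emptyDir at /tmp the container could run with a read-only root like the `pod` entry above, which is the usual companion to dropping root. Separately, `runAsUser: 999` only works if the data volume is owned by or group-writable for that uid — a `fsGroup` in the pod securityContext, not visible here, is typically what makes `/var/lib/rabbitmq/mnesia` creatable by uid 999, so worth confirming the chart sets one. A short comment would also document where the number comes from, e.g. `# 999: uid of the rabbitmq user in the image — keep in sync with the image`.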