use fsGroup in MGM, reduce init container (!48) · Merge requests · eos / eos-charts

Ryan Taylor requested to merge use-fsgroup into devel Mar 30, 2023

For now this is an incremental improvement that removes one initContainer for the MGM. It combines all mkdir operations in one container that runs with runAsUser: 2 (thus creating the required subdirs with the right user ownership), and sets fsGroup: 2 for the MGM pod (thus ensuring that the group of files in mounted volumes is correct). This also removes the need for any chowning, which also speeds up MGM startup.

I compared the ownership of all files in the /var/eos and /var/log/eos volumes before and after. The only difference is that some files or directories which were (accidentally?) created with root:daemon ownership are now daemon:daemon. This fixes a small possible risk that the unprivileged daemon might not be able to write to a location where it should.

I think this is as much as can be (easily) done for #83 for now, and it will either help or be required for !47 (closed)

Edited Mar 31, 2023 by Ryan Taylor

use fsGroup in MGM, reduce init container

Merge request reports