Comments (17)
@tarka @mbach04 still it may make sense to add securityContext.runsAsUser. I guess in a lot of enterprise clusters pod security policies enforce this. Please note, I am not talking about the app itself (yes, Jira runs as a dedicated user) but a container. I have opened a feature request some time ago.
from data-center-helm-charts.
Hi,
The application does not run as root, but as a dedicated user; the root privileges are dropped as part of entrypoint startup. This can be seen by exec
ing into the pod:
# kubectl exec -ti jira-0 -- bash
root@jira-0:/var/atlassian/application-data/jira# ps axu
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 2508 608 ? Ss Jul20 0:21 /usr/bin/tini -- /entrypoint.py
root 6 0.0 0.0 7500 3368 ? S Jul20 0:00 /bin/su jira -c /opt/atlassian/jira/bin/start-jira.sh -fg
jira 8 0.0 3.3 6476944 536608 ? Ssl Jul20 22:45 /opt/java/openjdk/bin/java -Djava.util.logging.config.file=/opt/atlassian/jira/conf/logging.properties -Djava.util.
root 117 0.3 0.0 7244 3948 pts/0 Ss 03:14 0:00 bash
root 124 0.0 0.0 8904 3292 pts/0 R+ 03:14 0:00 ps axu
root@jira-0:/var/atlassian/application-data/jira#
You can see the logic in the docker image repository: https://bitbucket.org/atlassian-docker/docker-shared-components/src/4282e5197509f3144108169be8b32c674ec39679/image/entrypoint_helpers.py#lines-106
Regards,
Steve
from data-center-helm-charts.
I explain it to my security personnel as well, but always point to this:
To preserve strict permissions for certain configuration files, this container starts as root to perform bootstrapping before running Jira under a non-privileged user account. If you wish to start the container as a non-root user, please note that Tomcat configuration will be skipped and a warning will be logged. You may still apply custom configuration in this situation by mounting a custom server.xml file directly to /opt/atlassian/jira/conf/server.xml
https://hub.docker.com/r/atlassian/jira-software
I think this is more of a container fix than a helm chart deployment fix.
For example, Twistlock picks up this finding regardless since the container user is root.
from data-center-helm-charts.
@bordenit good point. With that being said though, I think it won't hurt having SecurityContext fully configurable and flexible. This is one of the issues I have immediately run into when deploying to OpenShift where security context constraints are strict out of the box.
from data-center-helm-charts.
@bianchi2 Good point as well. SecurityContext settings are common configurable helm values.
from data-center-helm-charts.
@bordenit we are planning to tackle https://github.com/atlassian-labs/data-center-helm-charts/issues/80 soon to provide more flexibility. Would that be sufficient for your use case?
Changing the container to non-root will be more work on the image side.
from data-center-helm-charts.
@nanux have not tested it, but seems like it would be an improvement/mitigation.
from data-center-helm-charts.
@bordenit , @mbach04, Do you think the enhancement in This PR (SecurityContext) can be used as a solution and mitigating this issue regarding security concerns?
from data-center-helm-charts.
Hi all, on account of there now being a mechanism in place for configuring the SecurityContext
(see discussion and PR mentioned here) Im closing this issue for now. If there are still concerns on this front we can re-open it.
from data-center-helm-charts.
Hello , May I know what is the solution to it .. I am still having trouble since we can only deploy non root images into our k8s clusters. I tried by adding fsgroup and runAsUser fields to SecurityContext .. with that its failing (while adding DB configuration . Caused by: java.lang.IllegalStateException: java.io.IOException: Read-only file system
from data-center-helm-charts.
@vraghun you may want to check permissions in your shared-home directory (looks like Jira can't write to dbconfig.xml?). Also, when running as non root, set https://github.com/atlassian/data-center-helm-charts/blob/main/src/main/charts/jira/values.yaml#L753 to true
from data-center-helm-charts.
Thanks for the response . Actually the shared-volume should be accessible by jira user. I tried to create a test file in the shared-volume directory.
jira@jira-poc-0:/var/atlassian/application-data/shared-home$ pwd
/var/atlassian/application-data/shared-home
jira@jira-poc-0:/var/atlassian/application-data/shared-home$ touch test
jira@jira-poc-0:/var/atlassian/application-data/shared-home$ ls -l test
-rw-r--r--. 1 jira jira 0 Apr 23 04:36 test
jira@jira-poc-0:/var/atlassian/application-data/shared-home$
I made the generateByHelm: true , but still seeing the errors .
2024-04-23 04:31:35,573+0000 main ERROR [o.apache.jasper.EmbeddedServletOptions] The scratchDir you specified: [/opt/atlassian/jira/work/Catalina/localhost/ROOT] is unusable.
2024-04-23 04:31:35,679+0000 main INFO [c.a.jira.startup.DefaultJiraLauncher] Stopping launchers
2024-04-23 04:31:35,790+0000 main ERROR [o.a.c.c.C.[Catalina].[localhost].[/]] Exception sending context destroyed event to listener instance of class [com.atlassian.jira.startup.LauncherContextListener]
java.lang.NullPointerException
at com.atlassian.jira.startup.ClusteringLauncher.stop(ClusteringLauncher.java:142)
I am trying to fix scratchDir error as per https://confluence.atlassian.com/jirakb/jira-server-throws-unable-to-create-directory-for-deployment-error-on-startup-389781040.html , but not able change permission for $JIRA_INSTALL directory , Because I logged in with non root user ( that is only permit in our k8s clusters ) .
jira@jira-poc-0:$ ls -ld /opt/atlassian/jira/$ cd /opt/atlassian/jira/
dr-xr-x---. 1 jira root 4096 Mar 26 03:55 /opt/atlassian/jira/
jira@jira-poc-0:
jira@jira-poc-0:/opt/atlassian/jira$ df -h .
Filesystem Size Used Avail Use% Mounted on
overlay 307G 9.1G 286G 4% /
jira@jira-poc-0:/opt/atlassian/jira$
from data-center-helm-charts.
Can you share your securityContext? You need to make sure that it's run as jira user.
from data-center-helm-charts.
Here is my statefulSet :
Source: jira/templates/statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: jira-poc
labels:
helm.sh/chart: jira-1.16.1
app.kubernetes.io/name: jira
app.kubernetes.io/instance: jira-poc
app.kubernetes.io/version: "9.4.10"
app.kubernetes.io/managed-by: Helm
spec:
replicas: 1
serviceName: jira-poc
selector:
matchLabels:
app.kubernetes.io/name: jira
app.kubernetes.io/instance: jira-poc
template:
metadata:
annotations:
checksum/config-jvm: df119c0a2faa360aede67387268925c03493cdece0db2853e27504a18a11beb2
labels:
app.kubernetes.io/name: jira
app.kubernetes.io/instance: jira-poc
spec:
serviceAccountName: jira-poc
terminationGracePeriodSeconds: 30
hostAliases:
securityContext:
fsGroup: 2001
runAsGroup: 2001
runAsUser: 2001
initContainers:
- name: nfs-permission-fixer
image: alpine:3.19
imagePullPolicy: IfNotPresent
securityContext:
runAsUser: 0 # make sure we run as root so we get the ability to change the volume permissions
resources:
limits:
cpu: 400m
memory: 1Gi
requests:
cpu: 150m
memory: 512Mi
volumeMounts:
- name: shared-home
mountPath: "/shared-home"
command: ["sh", "-c", "(chgrp 2001 /shared-home; chmod g+w /shared-home)"]
containers:
- name: jira
image: "atlassian/jira-software:9.4.10"
imagePullPolicy: IfNotPresent
env:
- name: ATL_TOMCAT_SCHEME
value: "https"
- name: ATL_TOMCAT_SECURE
value: "true"
- name: ATL_TOMCAT_PORT
value: "8080"
- name: ATL_FORCE_CFG_UPDATE
value: "true"
- name: ATL_DB_TYPE
value: "mysql8"
- name: ATL_DB_DRIVER
value: "com.mysql.cj.jdbc.Driver"
- name: ATL_JDBC_URL
value: "jdbc:mysql://<dbhost>/<dbname>"
- name: ATL_JDBC_USER
valueFrom:
secretKeyRef:
name: db-credentials
key: username
- name: ATL_JDBC_PASSWORD
valueFrom:
secretKeyRef:
name: db-credentials
key: password
- name: CLUSTERED
value: "true"
- name: JIRA_NODE_ID
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: EHCACHE_LISTENER_HOSTNAME
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: EHCACHE_LISTENER_PORT
value: "40001"
- name: EHCACHE_OBJECT_PORT
value: "40011"
- name: SET_PERMISSIONS
value: "true"
- name: JIRA_SHARED_HOME
value: "/var/atlassian/application-data/shared-home"
- name: JVM_SUPPORT_RECOMMENDED_ARGS
valueFrom:
configMapKeyRef:
key: additional_jvm_args
name: jira-poc-jvm-config
- name: JVM_MINIMUM_MEMORY
valueFrom:
configMapKeyRef:
key: min_heap
name: jira-poc-jvm-config
- name: JVM_MAXIMUM_MEMORY
valueFrom:
configMapKeyRef:
key: max_heap
name: jira-poc-jvm-config
- name: JVM_RESERVED_CODE_CACHE_SIZE
valueFrom:
configMapKeyRef:
key: reserved_code_cache
name: jira-poc-jvm-config
ports:
- name: http
containerPort: 8080
protocol: TCP
- name: ehcache
containerPort: 40001
protocol: TCP
- name: ehcacheobject
containerPort: 40011
protocol: TCP
securityContext:
runAsUser: 2001
resources:
limits:
cpu: 500m
memory: 2Gi
requests:
cpu: 250m
memory: 812Mi
volumeMounts:
- name: local-home
mountPath: "/var/atlassian/application-data/jira"
- name: local-home
mountPath: "/opt/atlassian/jira/logs"
subPath: "log"
- name: shared-home
mountPath: "/var/atlassian/application-data/shared-home"
- name: server-xml
mountPath: /opt/atlassian/jira/conf/server.xml
subPath: server.xml
- name: temp
mountPath: /opt/atlassian/jira/temp
- name: shared-home
mountPath: "/opt/atlassian/jira/lib/mysql-connector-j-8.3.0.jar"
subPath: "p1-plugins/mysql-connector-j-8.3.0.jar"
lifecycle:
preStop:
exec:
command: ["sh", "-c", "/shutdown-wait.sh"]
volumes:
- name: shared-home
nfs:
path: /export/jira-poc
server: jira-fss-mt-68-poc.test.iad1.test.com
- name: server-xml
configMap:
name: jira-poc-server-config
items:
- key: server.xml
path: server.xml
- name: temp
emptyDir: {}
volumeClaimTemplates:
- metadata:
name: local-home
spec:
accessModes: [ "ReadWriteOnce" ]
storageClassName: "standard"
resources:
requests:
storage: 50Gi
from data-center-helm-charts.
@vraghun looks ok to me. It's not clear what's happening without full logs from /var/atlassian/application-data/jira/log
UPDATE. You seem to define securityContext twice - on pod and container level. Drop the container securityContext.
from data-center-helm-charts.
@bianchi2 , Actually the problem was with the DB . JIRA expects the DB to be empty. Re-creating the DB solved my issue. But I am curious what if my pod gone , will I loose the dbconfig.yaml file again because the db details I have given in the UI not through values.yaml .
and also how to restore my old jira data to new DB .. because the JIRA expecting new DB
from data-center-helm-charts.
dbconfig.xml is generated if it doesn't exist, and it's saved in a volume.
from data-center-helm-charts.
Related Issues (20)
- [Suggestion] - Add resource requests and limits for init-containers HOT 1
- [Breaking - Changes] - podAnnotations don't support Datadog labels anymore HOT 5
- [Suggestion] - Handling database and/or storage recovery HOT 1
- [Suggestion] - Flag to remove setup ingress in Confluence helm chart HOT 3
- [Suggestion] - monitoring.jmxExporterCustomConfig does not work if exposeJmxMetrics is set to true HOT 1
- [Suggestion] - Security Vulnerabilities on v8.5.2 and Helm Chart Doesn't Support v8.5.3 HOT 3
- [Suggestion] - Support Kubernetes StatefulSetStartOrdinal feature gate .spec.ordinals.start HOT 5
- [Suggestion] - Upgrade to Fluentbit HOT 2
- [Suggestion] - BlockList additions to Confluence JMX Exporter config HOT 8
- [Suggestion] - Don't assign pod annotations to test pods HOT 4
- [Suggestion] - internalProxies line should be removed when there is no proxyInternalIps value in tomcatConfig HOT 9
- [Suggestion] - Make examples in the Bitbucket DC Chart more clear HOT 3
- [Suggestion] - Remove confluence shared home from synchrony volumes when creating a dedicated synchrony volume HOT 1
- [Suggestion] - Use different labels for jmx-exporter service HOT 15
- Installation problem after license HOT 3
- [Suggestion] - Use image from values.yaml for all tests containers images HOT 4
- [Suggestion] - Shared home should not be removed from synchrony [revert request for #745] HOT 2
- [Suggestion] - Add chmod to import-cert init-container script when running as non-root HOT 2
- [Suggestion] Enable HTTPS connection to the Bamboo server HOT 2
- [Suggestion] - Defining tomcatconfig.proxyName should override ingress.host HOT 10
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from data-center-helm-charts.