
[bitnami/apache] htdocsConfigMap is incompatible with containerSecurityContext

Open hybby opened this issue 9 months ago • 1 comments

Name and Version

bitnami/apache 11.0.2

What architecture are you using?

arm64

What steps will reproduce the bug?

There is an option to overwrite the contents of the Apache htdocs directory with the contents of a configmap (htdocsConfigMap).

When set, Apache containers fail to come up with:

apache 09:12:49.11 INFO  ==> ** Starting Apache setup **
apache 09:12:49.22 INFO  ==> Mounting application files from '/app'
rm: cannot remove '/opt/bitnami/apache/htdocs/index.html': Read-only file system

This is due to this script in the container entrypoint:

https://github.com/bitnami/containers/blob/553a1efd8556e38d226a19dd2d2535cf9b08e756/bitnami/apache/2.4/debian-12/rootfs/opt/bitnami/scripts/apache/setup.sh#L76-L80

This conflicts with the default containerSecurityContext options:

containerSecurityContext:
...
  runAsNonRoot: true
...
  readOnlyRootFilesystem: true

Because setting htdocsConfigMap requires both writing to /opt/bitnami/apache/htdocs/ and interacting with files that have an ownership of root, both of the above must be set to false for it to work.

Is there another intended usage pattern meant for this setting, or should it be documented that its usage requires relaxation of the containerSecurityContext options?

Are you using any custom parameters or values?

Configuring htdocsConfigMap to the name of a configmap where it is unset by default.

What is the expected behavior?

The configmap should be mounted to the htdocs directory successfully, and containerSecurityContext should not need to be altered.

What do you see instead?

I get an error:

apache 09:12:49.11 INFO  ==> ** Starting Apache setup **
apache 09:12:49.22 INFO  ==> Mounting application files from '/app'
rm: cannot remove '/opt/bitnami/apache/htdocs/index.html': Read-only file system

I need to configure the following for the configmap mounting to work:

containerSecurityContext:
  readOnlyRootFilesystem: false
  runAsNonRoot: false
  runAsUser: 0
  runAsGroup: 0

hybby avatar May 10 '24 09:05 hybby

A workaround to mount a configmap containing static HTTP file data while maintaining a read-only root filesystem is to use the extraVolume... functionality of the chart. But I'd suggest that this makes htdocsConfigMap redundant.

extraVolumes:
  - name: htdocs
    configMap:
      name: apache-http-content

extraVolumeMounts:
  - mountPath: "/opt/bitnami/apache/htdocs"
    name: htdocs

hybby avatar May 10 '24 10:05 hybby
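A way to confirm that the extraVolumes workaround above keeps the hardened defaults in place, as an added example that is not part of the original issue or the chart's own code. It audits a Pod object as returned by `kubectl get pod <name> -o json`; the sample pod, the container name `apache` and the UID 1001 are constructed for illustration.

```python
import copy
import json

HTDOCS = "/opt/bitnami/apache/htdocs"  # mount path taken from the issue

def audit_pod(pod):
    """Return findings for one Pod object (dict parsed from kubectl JSON)."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    # Names of the pod's volumes that are backed by a ConfigMap.
    cm_volumes = {v["name"] for v in spec.get("volumes", []) if "configMap" in v}
    findings, htdocs_ok = [], False
    for c in spec["containers"]:
        sc = c.get("securityContext") or {}
        # readOnlyRootFilesystem exists only at container level.
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{c['name']}: readOnlyRootFilesystem is not true")
        # Container-level values take precedence over pod-level ones.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{c['name']}: runAsNonRoot is not true")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            findings.append(f"{c['name']}: runAsUser is 0")
        mounts = {m["mountPath"].rstrip("/"): m["name"]
                  for m in c.get("volumeMounts", [])}
        htdocs_ok = htdocs_ok or mounts.get(HTDOCS) in cm_volumes
    if not htdocs_ok:
        findings.append(f"pod: no container mounts a ConfigMap at {HTDOCS}")
    return findings

# Constructed sample: the workaround with the default hardening kept.
WORKAROUND_POD = json.loads("""
{"spec": {
  "volumes": [{"name": "htdocs", "configMap": {"name": "apache-http-content"}}],
  "containers": [{
    "name": "apache",
    "securityContext": {"runAsNonRoot": true, "runAsUser": 1001,
                        "readOnlyRootFilesystem": true},
    "volumeMounts": [{"name": "htdocs",
                      "mountPath": "/opt/bitnami/apache/htdocs"}]}]}}
""")

# Constructed sample: same pod with the relaxed context quoted in the issue.
RELAXED_POD = copy.deepcopy(WORKAROUND_POD)
RELAXED_POD["spec"]["containers"][0]["securityContext"] = {
    "readOnlyRootFilesystem": False, "runAsNonRoot": False,
    "runAsUser": 0, "runAsGroup": 0}

if __name__ == "__main__":
    for label, pod in (("workaround", WORKAROUND_POD), ("relaxed", RELAXED_POD)):
        print(label, audit_pod(pod) or "OK")
```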

Hi @hybby,

Thank you for reporting this issue! I have submitted this PR (https://github.com/bitnami/charts/pull/26304) which aims to fix this issue.

migruiz4 avatar May 21 '24 15:05 migruiz4