resticprofile
Support supercronic as scheduler
I am trying to run Resticprofile on OpenShift.
Our compliance (enforced by kyverno) requires us to run payloads with unprivileged user permissions and no privilege escalation, which seems to make it impossible to run `crond` inside an alpine container. The same is true for systemd.
supercronic on the other hand runs cronjobs for the current user (including unprivileged users), its file format is basically the known cron format.
Please add support for supercronic, so that users that find themselves in a situation where they need to meet specific compliance challenges can use this wonderful tool as well :)
As far as I understand supercronic needs a crontab file.
When you configure resticprofile with:
```yaml
global:
  scheduler: crond
```
It expects an executable to manage the crontab file, its interface is:
```sh
crontab -l > crontab.txt
cat new-crontab.txt | crontab -
```
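So with a small adapter like `/bin/crontab` you should be able to use supercronic:
```sh
#!/bin/sh
# Minimal stand-in for the crontab binary: reads and writes a plain file.
CRONTAB=/opt/crontab.txt
if [ "$1" = "-l" ] && [ -f "$CRONTAB" ] ; then
    # "crontab -l": print the current crontab
    cat "$CRONTAB"
elif [ "$1" = "-" ] ; then
    # "crontab -": replace the crontab with the content of stdin
    cat - > "$CRONTAB"
fi
```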
We could also add support to specify a crontab file since all is already in place we just use the `crontab` binary to select the correct file depending on the context.
Relying on crontab might provide two challenges for us:
- I am not sure if setting the suid flag on the `crontab` binary will run on OpenShift with our restricted policies.
- We are mandated to use read-only file systems, so we would need to be able to set the target path.

A solution where we could freely specify the target location for the generated crontab file would allow storing the file on an ephemeral volume.
If I am not mistaken, this would allow generating the crontab file content with `resticprofile -c /path/to/profile schedule` and then `exec supercronic /path/to/generated/crontab` to hand over to supercronic and benefit from scheduled job execution.
I should have read your first comment completely.
The wrapper replaces the crontab binary, so I don't need to set a suid flag and won't run into problems with the read-only file system.
I can work with that :)
I still feel it might be nice to have direct support for supercronic in the long run, so that people can benefit from it out of the box.
Thank you for your quick response!
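A variant of the adapter for the read-only file system case raised above, added here as an example and not code from this thread or from resticprofile: the target path is configurable so it can point at an ephemeral volume, the file is replaced atomically, and unsupported options fail instead of being ignored. The variable name `CRONTAB_FILE` and the function name `crontab_adapter` are assumptions made for this example.

```shell
#!/bin/sh
# Added example: crontab adapter for an unprivileged container with a
# read-only root file system. CRONTAB_FILE is a hypothetical variable name;
# point it at a writable ephemeral volume. The default is the thread's path.
CRONTAB_FILE="${CRONTAB_FILE:-/opt/crontab.txt}"

crontab_adapter() {
    case "${1:-}" in
        -l)
            # List: a missing file means "no schedules yet". Like the
            # adapter in the thread, print nothing and succeed.
            [ ! -f "$CRONTAB_FILE" ] || cat "$CRONTAB_FILE"
            ;;
        -)
            # Install from stdin: stage the new content next to the target
            # (mktemp creates it with mode 0600), then rename it into place
            # so a reader never sees a half-written crontab.
            tmp=$(mktemp "${CRONTAB_FILE}.XXXXXX") || {
                echo "crontab: cannot write next to $CRONTAB_FILE" >&2
                return 1
            }
            if cat > "$tmp" && mv -f "$tmp" "$CRONTAB_FILE"; then
                return 0
            fi
            rm -f "$tmp"
            return 1
            ;;
        *)
            # Refuse everything else (-e, -r, -u ...) loudly rather than
            # exiting 0 without doing anything.
            echo "crontab: unsupported arguments: $*" >&2
            return 2
            ;;
    esac
}

# Dispatch only when called with arguments ("-l" or "-").
if [ "$#" -gt 0 ]; then
    crontab_adapter "$@"
fi
```

Because the staged file is created in the same directory as the target, the whole directory has to be on the writable volume, not just the crontab file itself.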
> We could also add support to specify a crontab file since all is already in place we just use the `crontab` binary to select the correct file depending on the context.
The `crontab` binary is also sending a signal to `crond` to reload the configuration files. If we save a crontab directly we'll need to do it ourselves 😉
Btw. I'm updating the `crond` support:
- New: Can be used on any OS with a crontab file (`scheduler: "crontab:/path/to/generated/crontab"`) - the scheduler must then be started manually but that is easy in containers as the file is accepted by multiple solutions (including supercronic). What you wrote should work then: `resticprofile -c /path/to/profile schedule && exec supercronic /path/to/generated/crontab`.
- Works as it currently does on linux using the `crontab` binary to manage the crontab.
- Will also continue to support the workaround described above.
Awesome news! Much appreciated!