Owls 91448 - Prevent insecure file system warnings by ensuring files are at a minimum of umask 027 and handle Openshift platform. #2533
Conversation
…ed by the Operator in default and Openshift environment.
…m for all domain types.
| private static final List<String> RESERVED_NAMES = Arrays.asList( | ||
| DOMAIN_UID, DOMAIN_NAME, DOMAIN_HOME, NODEMGR_HOME, SERVER_NAME, SERVICE_NAME, | ||
| ADMIN_NAME, AS_SERVICE_NAME, ADMIN_PORT, ADMIN_PORT_SECURE, ADMIN_SERVER_PORT_SECURE, | ||
| LOG_HOME, SERVER_OUT_IN_POD_LOG, DATA_HOME, ACCESS_LOG_IN_LOG_HOME, DYNAMIC_CONFIG_OVERRIDE); | ||
| LOG_HOME, SERVER_OUT_IN_POD_LOG, DATA_HOME, ACCESS_LOG_IN_LOG_HOME, DYNAMIC_CONFIG_OVERRIDE, CLOUD_PLATFORM); |
There was a problem hiding this comment.
Is this going to cause operator upgrade rolling side effect ?
There was a problem hiding this comment.
I believe it will not cause the rolling side effect, I'll run the upgrade to confirm.
There was a problem hiding this comment.
I have verified that rolling doesn't happen during upgrade when kubernetesPlatform helm variable is not present. I add the KUBERNETES_PLATFORM environment variable to server pods only when kubernetesPlatform is set in the helm values.
| if [[ ! -z ${CLOUD_PLATFORM} && ${CLOUD_PLATFORM} == "Openshift" ]]; then | ||
| # Operator running on Openshift platform - change file permissions in the DOMAIN_HOME dir to give | ||
| # group same permissions as user . | ||
| chmod -R g=u ${DOMAIN_HOME} || return 1 |
There was a problem hiding this comment.
Should we also do it for non mii case? Or this is left as an exercise for the user when they create the domain?
There was a problem hiding this comment.
I originally suggested that we handle the non-MII cases, but I have a similar concern. In detail:
For one, a recursive file traversal of the entire domain-home seems like it could be prohibitively expensive, especially as it's done for every pod cycle.
For DII in particular, maybe this can this occur solely when the image is created (and be left up to the customer)?
And for DiPV, if we must do something automatic, can it be limited to occur only in the introspector, and, even then, only the first time the introspector sees the domain?
There was a problem hiding this comment.
I agreed, doing it in the introspector (before zipping up the domain) is a better place. Do we really need -R or is the check only for bin directory?
There was a problem hiding this comment.
Also, have we explored doing it in WDT also, it won't solve existing domain or one created with older WDT though?
There was a problem hiding this comment.
Sorry, one more question. Does the new was check provide any guidance on JKS keystore files? Best practice is user read only.
There was a problem hiding this comment.
I'll set up a meeting to go over this. As per the requirements in JIRA OWLS-91448, we should NOT use chmod -R g=u for Model-in-image domain unless the environment is OpenShift. My understanding from JIRA was that, DII case will be handled in image tool and it's customers responsibility to do it for domain-on-pv.
There was a problem hiding this comment.
I have made the changes to perform the chmod -R g=u ${DOMAIN_HOME} in the introspector for model-in-image domain and to perform chmod -R g=u ${DOMAIN_HOME} in startServer.sh script for domain-home-in-image. My understanding is that we should not be doing chmod -R for the domain-on-pv domains since those changes will be persistent.
There was a problem hiding this comment.
If the image tool is going to handle DII then why does startServer need to? (You wrote "DII case will be handled in image tool " and "I have made the changes to perform ... chmod -R g=u ${DOMAIN_HOME} in startServer.sh script for domain-home-in-image.")
There was a problem hiding this comment.
My comment "DII case will be handled in the image tool" on 9/13 was based on my previous understanding. However, in the standup meeting discussion on Tuesday 9/14, Derek and Robert Patrick suggested to also do chmod -R u=g ${DOMAIN_HOME} for DII in the operator.
kubernetes/charts/weblogic-operator/templates/_operator-dep.tpl
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
I see changes to two Java files, but no unit tests for those changes.
[ANIL]
Added following new unit tests in JobHelperTest.java and PodHelperTestBase.java -
whenOperatorHasKubernetesPlatformConfigured_introspectorPodSpecHasKubernetesPlatformEnvVariable
whenNotConfigured_KubernetesPlatform_introspectorPodSpecHasNoKubernetesPlatformEnvVariable
whenOperatorHasKubernetesPlatformConfigured_createdPodSpecContainerHasKubernetesPlatformEnvVariable
whenNotConfigured_KubernetesPlatform_createdPodSpecContainerHasNoKubernetesPlatformEnvVariable
…tead of startServer.sh.
…ssions for different domain types.
ankedia
changed the title
documentation/staging/content/userguide/platforms/environments.md
Outdated
Show resolved
Hide resolved
documentation/staging/content/userguide/platforms/environments.md
Outdated
Show resolved
Hide resolved
documentation/staging/content/userguide/platforms/environments.md
Outdated
Show resolved
Hide resolved
documentation/staging/content/userguide/managing-operators/using-helm.md
Outdated
Show resolved
Hide resolved
| @@ -116,3 +116,6 @@ see [OpenShift]({{<relref "/userguide/platforms/environments#openshift">}}). | |||
| #### Using a dedicated namespace | |||
|
|
|||
| When the user that installs an individual instance of the operator does not have the required privileges to create resources at the Kubernetes cluster level, a dedicated namespace can be used for the operator instance and all the WebLogic domains that it manages. For more details about the `dedicated` setting, please refer to [Operator Helm configuration values]({{< relref "/userguide/managing-operators/using-helm#operator-helm-configuration-values" >}}). | |||
|
|
|||
| #### Set the Helm chart property `kubernetesPlatorm` to `OpenShift` | |||
| Beginning with operator version 4.0, set the operator `kubernetesPlatform` Helm chart property to `OpenShift`. This property accommodates OpenShift security requirements. For more information, see [Operator Helm configuration values]({{<relref "/userguide/managing-operators/using-helm#operator-helm-configuration-values">}}). | |||
There was a problem hiding this comment.
I think that we should backport this change to 3.3.2. @mriccell, do you agree?
There was a problem hiding this comment.
Changed to "Beginning with operator version 3.3.2".
| This could be either the `anyuid` SCC or a custom one that you define for user/group `1000`. For more information, see [OpenShift]({{<relref "/security/openshift.md">}}) in the Security section. | ||
| To accommodate OpenShift security requirements: | ||
| - For security requirements to run WebLogic in OpenShift, see the [OpenShift chapter]({{<relref "/security/openshift.md">}}) in the Security section. | ||
| - Beginning with operator version 4.0, specify the `kubernetesPlatorm` Helm chart property with value `OpenShift`. For more information, see [Operator Helm configuration values]({{<relref "/userguide/managing-operators/using-helm#operator-helm-configuration-values">}}). |
There was a problem hiding this comment.
As above, I think that this change should go in to 3.3.2.
There was a problem hiding this comment.
Changed to "Beginning with operator version 3.3.2".
…o backport the change to 3.3.2.
…are at a minimum of umask 027 and handle Openshift platform. (#2533) * Prevent insecure file system warnings by ensuring files are at a minimum of umask 027 and handle Openshift platform.
Added a helm variable with name
cloudPlatformto detect the Openshift platform.For the default (not Openshift) platforms, this change makes sure that files in DOMAIN_HOME dir are at a minimum of umask 027. For this, it (a) restricts the execute permission for shell scripts to user-only, (b) removes group write and execute permissions on boot.properties and (c) preserves permissions when extracting the files from zip file.
For the operator running on OpenShift, this change adds a system property to WLS startup to disable umask 027 checks (all domain styles). For Model-in-image domain on Openshift, it also uses
chmod -R g=u {domain home}to give group the same permission as the user for files in DOMAIN_HOME dir.