
This is with OpenShift Container Platform 4.3.

Consider this Dockerfile.

FROM eclipse-mosquitto

# Create folders
USER root

RUN mkdir -p /mosquitto/data /mosquitto/log

# mosquitto configuration
USER mosquitto

# This is crucial to me
COPY --chown=mosquitto:mosquitto ri45.conf /mosquitto/config/mosquitto.conf

EXPOSE 1883

And, this is my Deployment YAML.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: mosquitto-broker
spec:
  selector:
    matchLabels:
      app: mosquitto-broker
  template:
    metadata:
      labels:
        app: mosquitto-broker
    spec:
      containers:
        - name: mosquitto-broker
          image: org/repo/eclipse-mosquitto:1.0.1
          imagePullPolicy: Always
          resources:
            limits:
              memory: "128Mi"
              cpu: "500m"
          volumeMounts:
            - name: mosquitto-data
              mountPath: /mosquitto/data
            - name: mosquitto-log
              mountPath: /mosquitto/log
          ports:
            - name: mqtt
              containerPort: 1883
      volumes:
        - name: mosquitto-log
          persistentVolumeClaim:
            claimName: mosquitto-log
        - name: mosquitto-data
          persistentVolumeClaim:
            claimName: mosquitto-data

When I do an oc create -f with the above YAML, I get this error: 2020-06-02T07:59:59: Error: Unable to open log file /mosquitto/log/mosquitto.log for writing. Maybe this is a permissions error; can't tell. Anyway, going by the eclipse/mosquitto Dockerfile, I see that mosquitto is a user with UID and GID of 1883. So, I added the securityContext as described here.

securityContext:
  fsGroup: 1883

When I do an oc create -f with this modification, I get this error - securityContext.securityContext.runAsUser: Invalid value: 1883: must be in the ranges: [1002120000, 1002129999].

This approach of adding an initContainer to set permissions on the volume does not work for me because I have to be root to do that.

So, how do I enable the Eclipse mosquitto container to write to /mosquitto/log successfully?

cogitoergosum

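The second error in the question is OpenShift's admission check against the project's UID range. With the restricted SCC, the allowed range comes from the project annotation openshift.io/sa.scc.uid-range, whose value has the form "<start>/<size>"; 1002120000/10000 yields exactly the [1002120000, 1002129999] range quoted above. The script below is an added example (not code from the question or the answer) that parses that annotation format and reproduces the check, so a UID can be validated before a Deployment is applied. The annotation value is constructed to match the error in the question; the oc command in the comment is how it is read from a real project.

```shell
#!/bin/sh
# Added example: reproduce OpenShift's runAsUser range check locally.
# The allowed UID range under the restricted SCC is derived from the
# project annotation openshift.io/sa.scc.uid-range ("<start>/<size>").
# On a real cluster read it with (namespace is a placeholder):
#   oc get project <namespace> \
#     -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.uid-range}'

# Print "<min> <max>" for a "<start>/<size>" annotation value.
uid_range_bounds() {
  start=${1%/*}
  size=${1#*/}
  echo "$start $((start + size - 1))"
}

# Succeed (exit 0) if UID $2 lies inside the annotation range $1, else fail.
uid_in_range() {
  set -- "$1" "$2" $(uid_range_bounds "$1")
  # $3 = min, $4 = max after the set above
  [ "$2" -ge "$3" ] && [ "$2" -le "$4" ]
}

# Report in the same shape as the API server error from the question.
check_run_as_user() {
  range=$1
  uid=$2
  if uid_in_range "$range" "$uid"; then
    echo "runAsUser $uid accepted (range $(uid_range_bounds "$range"))"
  else
    set -- $(uid_range_bounds "$range")
    echo "runAsUser: Invalid value: $uid: must be in the ranges: [$1, $2]"
    return 1
  fi
}

# Constructed sample: the project's annotation value and two candidate UIDs.
SAMPLE_RANGE="1002120000/10000"
check_run_as_user "$SAMPLE_RANGE" 1883 || true   # rejected, as in the question
check_run_as_user "$SAMPLE_RANGE" 1002120000     # accepted: first UID of the range
```

The same "<start>/<size>" format is used by openshift.io/sa.scc.supplemental-groups, so the same parser tells you which fsGroup values the restricted SCC will accept; a fsGroup of 1883 is rejected for the same reason as runAsUser 1883.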
1 Answer

There are multiple things to address here.

First off, you should make sure that you really want to bake a configuration file into your container image. Typically, configuration files are added via ConfigMaps or Secrets, as the configuration in cloud-native applications should typically come from the environment (OpenShift in your case).

Secondly, it seems that you are logging into a PersistentVolume, which is also a terrible practice, as the best practice would be to log to stdout. Of course, having application data (transaction logs) on a persistent volume makes sense.

As for your original question (that should no longer be relevant given the two points above), the issue can be approached using SecurityContextConstraints (SCCs): Managing Security Context Constraints

So to resolve your issue you should use / create an SCC with runAsUser set correctly.

Simon
    The logging problem can be fixed with `log_dest stdout` in the config file. But you'll still need permission to write the mosquitto persistent file for the sessions and retained messages. – hardillb Jun 02 '20 at 07:48
  • Unfortunately, that is not an option. In fact, now, for some reason, `log_timestamp_format` is not even recognized by the `mosquitto` Docker image! This is the image I built with the base Dockerfile. – cogitoergosum Jun 02 '20 at 13:21
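The answer recommends an SCC with runAsUser set correctly but does not show one. The script below is an added example (not the answer's or the Eclipse Mosquitto project's code) that renders a minimal custom SCC pinning runAsUser and fsGroup to the image's mosquitto UID/GID of 1883, and shows how it is bound to a dedicated service account. The SCC name, namespace and service-account name are placeholders; the oc commands in the comments are the ones you would run against a cluster. Creating SCCs requires cluster-admin, which is why the SCC grants nothing beyond the fixed UID/GID: no privileged containers, no privilege escalation, all capabilities dropped, and only the volume types the Deployment uses.

```shell
#!/bin/sh
# Added example: render a least-privilege custom SCC for the mosquitto pod.
# Usage (placeholders):
#   render_scc mosquitto-scc 1883 <namespace> mosquitto-sa | oc apply -f -
# Binding can also be done without editing "users:" in the manifest:
#   oc adm policy add-scc-to-user mosquitto-scc -z mosquitto-sa -n <namespace>
# The Deployment then needs "serviceAccountName: mosquitto-sa" and
# "securityContext: {runAsUser: 1883, fsGroup: 1883}" in its pod spec.

# $1 = SCC name, $2 = UID/GID to pin, $3 = namespace, $4 = service account
render_scc() {
  cat <<EOF
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: $1
allowPrivilegedContainer: false
allowPrivilegeEscalation: false
allowHostDirVolumePlugin: false
allowHostNetwork: false
allowHostPID: false
allowHostIPC: false
readOnlyRootFilesystem: false
requiredDropCapabilities:
  - ALL
runAsUser:
  type: MustRunAs
  uid: $2
fsGroup:
  type: MustRunAs
  ranges:
    - min: $2
      max: $2
supplementalGroups:
  type: MustRunAs
  ranges:
    - min: $2
      max: $2
seLinuxContext:
  type: MustRunAs
volumes:
  - configMap
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
users:
  - system:serviceaccount:$3:$4
EOF
}

# Constructed sample invocation with placeholder names.
render_scc mosquitto-scc 1883 example-namespace mosquitto-sa
```

Bind the SCC to a dedicated service account rather than the namespace's default one, so that only the mosquitto Deployment gains the fixed UID. The platform's documented alternative, which needs no custom SCC at all, is to build the image so /mosquitto/data and /mosquitto/log are owned by group 0 and group-writable (chgrp 0 and chmod g=u in the Dockerfile); the container then runs under the restricted SCC with whatever UID the project range assigns, which is the lower-privilege option when the image is yours to change.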