
I want to create temporary files in my Spring Boot application. I build images using Jib and deploy them in Kubernetes. When I tried to create temporary files I received an error because the container was started by a non-root user.

Now I'm looking for a workaround to allow my application to save files inside the image's file system. I've seen this extension for Jib which provides the possibility to change the ownership of a directory. I've tried many times with different configs to implement it by myself but all my attempts failed. And here is my config, which also doesn't work:

jib {
    from.image = "..."
    to.image = "..."
    container {
        user = '1000'
    }
    extraDirectories {
        paths {
            path {
                from = 'export'
                into = '/app/export'
            }
        }
    }

    pluginExtensions {
        pluginExtension {
            implementation = 'com.google.cloud.tools.jib.gradle.extension.ownership.JibOwnershipExtension'
            configuration {
                rules {
                    rule {
                        glob = 'app/export/**'
                        ownership = '1000'
                    }
                }
            }
        }
    }
}

Is there a handier way to reach my goal, or have I missed something important in my config?

UPD: Jib version is 3.2.0

Chanseok Oh
NikMashei

1 Answer


I was not able to make it work when using path.into for extraDirectories. I suspect this is a bug (or current technical limitation) of Jib.

That said, what worked for me is, instead of setting path.into, to structure the extra directory with the desired layout. For example, with the following directory structure,

<project root>/jib-extra/app/export

you would have

    // Without 'into', Jib copies the contents of <project root>/jib-extra
    // to the image root, so jib-extra/app/export becomes /app/export.
    // The directory must exist locally (an empty one is enough).
    extraDirectories.paths = ['jib-extra']

    // The ownership extension (com.google.cloud.tools:jib-ownership-extension-gradle)
    // must be on the buildscript classpath for this to resolve.
    pluginExtensions {
        pluginExtension {
            implementation = 'com.google.cloud.tools.jib.gradle.extension.ownership.JibOwnershipExtension'
            configuration {
                rules {
                    rule {
                        // must be absolute path starting with '/'
                        glob = '/app/export'
                        ownership = '1000'
                    }
                    // if you have files under /app/export
                    rule {
                        glob = '/app/export/**'
                        ownership = '1000'
                    }
                }
            }
        }
    }

Lastly, I think mounting a volume at runtime could be another option in your case?

Chanseok Oh
  • Thanks for your reply! It looks like I'm still misunderstanding something. Gradle builds an image with no problem, but I don't see a folder `/app/export/` inside my container. – NikMashei Feb 03 '22 at 20:09
  • Did you create an empty directory `jib-extra/app/export` locally (assuming you set `jib-extra` as a Jib extra directory)? – Chanseok Oh Feb 03 '22 at 22:17
  • Oh, I missed that moment and create only `jib-extra` directory. Does it mean that I can easily write files into `/app/export` directory even user is not root? – NikMashei Feb 03 '22 at 22:43
  • If the container runs as user 1000 (you should verify it) and `/app/export` is owned by 1000, the running process in the container should be able to write files there. – Chanseok Oh Feb 03 '22 at 22:45
  • Directory is owned by 1000, but container is running as user `www-data`. But locally all is fine, both process and directory are owned by 1000. – NikMashei Feb 03 '22 at 23:10
  • Seems like I have to change `securityContext` in the Kubernetes manifest and use user 1000 instead of 33 (the default value in our company's Kubernetes templates). I really hope the security team is not going to murder me)) – NikMashei Feb 03 '22 at 23:18
  • thanks for your help and your time! Finally, I can save temp files to specified folder! – NikMashei Feb 04 '22 at 11:00
  • You may have the directory owned by 33, if that is fixed. Also, I wonder if you have considered mounting a writable volume as I said in the link. – Chanseok Oh Feb 04 '22 at 13:20
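As an added example, not code from the question or the answer above, here is the runtime-volume route the answer mentions combined with the `securityContext` fix the comments arrive at, written as a Kubernetes Deployment. The deployment name, label, container name and image reference are placeholders. The point it shows: once `/app/export` is an `emptyDir` mount, the container's UID can write there regardless of who owns that path in the image layers, so the Jib ownership rules are no longer needed for it, and the image root filesystem can be made read-only. The `runAsUser` value still has to agree with whatever the image expects (the thread's failure was the pod running as UID 33 while the directory was owned by 1000).

```yaml
# Added example (placeholders: temp-files-app, registry.example/app:1.0).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: temp-files-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: temp-files-app
  template:
    metadata:
      labels:
        app: temp-files-app
    spec:
      securityContext:
        # Must match the UID the image was built for (jib container.user = '1000');
        # a template default of 33 (www-data) is what broke the original setup.
        runAsUser: 1000
        runAsGroup: 1000
        runAsNonRoot: true
        # Volumes that support it (emptyDir does) are group-owned by this GID on mount.
        fsGroup: 1000
      containers:
        - name: app
          image: registry.example/app:1.0   # the Jib-built image; placeholder
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            # Scratch space lives on volumes, so the image itself can be read-only.
            readOnlyRootFilesystem: true
          volumeMounts:
            # Pod-lifetime scratch space; writable by UID 1000 without any
            # ownership rules in the image.
            - name: export
              mountPath: /app/export
            # java.io.tmpdir and Spring Boot's embedded Tomcat work dir live here;
            # this mount is required once readOnlyRootFilesystem is enabled.
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: export
          emptyDir: {}
        - name: tmp
          emptyDir: {}
```

An `emptyDir` is discarded when the pod is deleted, which is the right lifetime for temporary files; use a PersistentVolumeClaim instead if the exported files must survive a restart. To confirm the fix from inside the running pod, `kubectl exec deploy/temp-files-app -- sh -c 'id -u; touch /app/export/.probe'` should print `1000` and exit without a "Permission denied" error. If the security team insists on keeping UID 33 in the templates, the equivalent image-side fix is to set `ownership = '33'` in the Jib rules, as the last comment notes.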