replsets.podSecurityContext doesn't work #1648

Open
drblack666 opened this issue Sep 10, 2024 · 3 comments
drblack666 commented Sep 10, 2024

Report

Sysctls values in the replsets.podSecurityContext option cause the pod to get stuck in the CrashLoopBackOff state.

More about the problem

I need to change sysctls params, so I added podSecurityContext to the replsets section:

replsets:
...
  podSecurityContext:
      sysctls:
      - name: net.ipv4.tcp_fin_timeout
        value: "30"

After these changes the pod got stuck in the CrashLoopBackOff state.
I also tried adding some other options to podSecurityContext with the same result (in the pod I can see this user: root:x:0:0:root:/root:/bin/bash):

      runAsUser: 0
      runAsGroup: 0

I use perconalab/percona-server-mongodb-operator:1.16.0 and crVersion is 1.16.0

Steps to reproduce

  1. Add sysctls parameter in replsets.podSecurityContext section
  2. Watch pod with mongodb restart in a loop with CrashLoopBackOff status

Versions

Operator (perconalab/percona-server-mongodb-operator:1.16.0 and crVersion is 1.16.0)

Anything else?

Kubernetes version v1.29.7

drblack666 added the bug label Sep 10, 2024

hors (Collaborator) commented Sep 13, 2024

Hi @drblack666, I have tested "podSecurityContext" with psmdb operator 1.17.0 and it works for me. As you can see in the example, I changed uid and group from 1001 to 1002.

drwxrwsr-x 7 root 1002  4096 Sep 13 13:03 .
drwxr-xr-x 3 root root  4096 Jul 23 11:15 ..
-rw------- 1 1002 1002    50 Sep 13 13:03 WiredTiger
-rw------- 1 1002 1002    21 Sep 13 13:03 WiredTiger.lock
-rw------- 1 1002 1002  1165 Sep 13 13:03 WiredTiger.turtle
-rw------- 1 1002 1002  4096 Sep 13 13:03 WiredTiger.wt
-rw------- 1 1002 1002  4096 Sep 13 13:03 WiredTigerHS.wt
-rw------- 1 1002 1002  4096 Sep 13 13:03 _mdb_catalog.wt
-rw------- 1 1002 1002  4096 Sep 13 13:03 collection-0--1503061144547796825.wt
-rw------- 1 1002 1002  4096 Sep 13 13:03 collection-10--1503061144547796825.wt
-rw------- 1 1002 1002  4096 Sep 13 13:03 collection-12--1503061144547796825.wt
-rw------- 1 1002 1002  4096 Sep 13 13:03 collection-2--1503061144547796825.wt
-rw------- 1 1002 1002  4096 Sep 13 13:03 collection-4--1503061144547796825.wt
-rw------- 1 1002 1002  4096 Sep 13 13:03 collection-6--1503061144547796825.wt
-rw------- 1 1002 1002  4096 Sep 13 13:03 collection-8--1503061144547796825.wt
drwx--S--- 2 1002 1002  4096 Sep 13 13:03 diagnostic.data
-rw------- 1 1002 1002  4096 Sep 13 13:03 index-1--1503061144547796825.wt
-rw------- 1 1002 1002  4096 Sep 13 13:03 index-11--1503061144547796825.wt
-rw------- 1 1002 1002  4096 Sep 13 13:03 index-13--1503061144547796825.wt
-rw------- 1 1002 1002  4096 Sep 13 13:03 index-3--1503061144547796825.wt
-rw------- 1 1002 1002  4096 Sep 13 13:03 index-5--1503061144547796825.wt
-rw------- 1 1002 1002  4096 Sep 13 13:03 index-7--1503061144547796825.wt
-rw------- 1 1002 1002  4096 Sep 13 13:03 index-9--1503061144547796825.wt
drwx--S--- 2 1002 1002  4096 Sep 13 13:03 journal
drwx--S--- 2 1002 1002  4096 Sep 13 13:03 key.db
drwxrws--- 2 root 1002 16384 Sep 13 13:03 lost+found
drwxr-sr-x 3 1002 1002  4096 Sep 13 13:03 mongod-data
-rw------- 1 1002 1002     2 Sep 13 13:03 mongod.lock
-rw------- 1 1002 1002    33 Sep 13 13:03 psmdb_telemetry.data
-rw------- 1 1002 1002  4096 Sep 13 13:03 sizeStorer.wt
-rw------- 1 1002 1002   114 Sep 13 13:03 storage.bson
bash-4.4$ id
uid=1002 gid=0(root) groups=0(root),1002
bash-4.4$ ps -aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
1002           1  2.9  1.0 972692 161004 ?       SLsl 13:03   0:01 mongod --bind_ip_all --auth --dbpath=/data/db --port=27017 --replSet=rs0 --storageEngi
1002         183  0.0  0.0  35232  4424 pts/0    Ss   13:03   0:00 bash
1002         394  0.0  0.0  47740  3512 pts/0    R+   13:04   0:00 ps -aux

It works for me as well.

  podSecurityContext:
      sysctls:
      - name: net.ipv4.tcp_fin_timeout
        value: "30"

I used GKE 1.30.

bash-4.4$ sysctl net.ipv4.tcp_fin_timeout
net.ipv4.tcp_fin_timeout = 30

As far as I know, not all container runtimes support changing sysctls via podSecurityContext.
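A pre-flight check for the sysctls in the report above, added here as an example (it is not code from the issue or from the Percona operator). It mirrors the kubelet's admission rules for pod sysctls: a sysctl must be namespaced (kernel.sem, kernel.shm*, kernel.msg*, fs.mqueue.*, net.*) to be settable per pod at all, must be on the kubelet's safe list or match --allowed-unsafe-sysctls, must not be a net.* sysctl on a hostNetwork pod (or an IPC sysctl on a hostIPC pod), and its value must be a string. Assumptions: SAFE_SYSCTLS is the upstream safe list as documented for Kubernetes 1.29, so verify it against the docs for your kubelet version; SAMPLE_SYSCTLS is constructed input that combines the reporter's sysctl with two that would be rejected.

```python
"""Kubelet-style admission check for podSecurityContext.sysctls (example, runs offline)."""
from __future__ import annotations

from dataclasses import dataclass

# Namespaced sysctls as the kubelet classifies them: kernel.sem is an exact match,
# the rest are prefixes. Anything else is node-level and cannot be set per pod.
IPC_EXACT = {"kernel.sem"}
IPC_PREFIXES = ("kernel.shm", "kernel.msg", "fs.mqueue.")
NET_PREFIX = "net."

# Sysctls the kubelet admits without --allowed-unsafe-sysctls. Assumption: upstream
# safe list as documented for Kubernetes 1.29; older kubelets have a shorter list.
SAFE_SYSCTLS = frozenset({
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
    "net.ipv4.ping_group_range",
    "net.ipv4.ip_unprivileged_port_start",
    "net.ipv4.ip_local_reserved_ports",
    "net.ipv4.tcp_keepalive_time",
    "net.ipv4.tcp_fin_timeout",
    "net.ipv4.tcp_keepalive_intvl",
    "net.ipv4.tcp_keepalive_probes",
})


@dataclass(frozen=True)
class Verdict:
    name: str
    admitted: bool
    reason: str


def namespace_of(name: str) -> str | None:
    """Return 'ipc', 'net', or None for a node-level (non-namespaced) sysctl."""
    if name in IPC_EXACT or name.startswith(IPC_PREFIXES):
        return "ipc"
    if name.startswith(NET_PREFIX):
        return "net"
    return None


def matches_allowlist(name: str, allowed_unsafe: tuple[str, ...]) -> bool:
    """--allowed-unsafe-sysctls takes exact names or prefix patterns ending in '*'."""
    for pattern in allowed_unsafe:
        if pattern.endswith("*"):
            if name.startswith(pattern[:-1]):
                return True
        elif name == pattern:
            return True
    return False


def check_sysctls(sysctls, allowed_unsafe=(), host_network=False, host_ipc=False) -> list[Verdict]:
    """Apply the kubelet's sysctl admission rules to a podSecurityContext.sysctls list."""
    verdicts: list[Verdict] = []
    for entry in sysctls:
        name, value = entry.get("name", ""), entry.get("value")
        if not isinstance(value, str):
            # Sysctl.value is a string in the API; an unquoted YAML integer fails validation.
            verdicts.append(Verdict(name, False, "value must be a quoted string"))
            continue
        ns = namespace_of(name)
        if ns is None:
            verdicts.append(Verdict(name, False, "node-level sysctl, not settable per pod"))
        elif ns == "net" and host_network:
            verdicts.append(Verdict(name, False, "net.* sysctl rejected with hostNetwork: true"))
        elif ns == "ipc" and host_ipc:
            verdicts.append(Verdict(name, False, "IPC sysctl rejected with hostIPC: true"))
        elif name in SAFE_SYSCTLS:
            verdicts.append(Verdict(name, True, "safe sysctl"))
        elif matches_allowlist(name, tuple(allowed_unsafe)):
            verdicts.append(Verdict(name, True, "unsafe, but in --allowed-unsafe-sysctls"))
        else:
            verdicts.append(Verdict(name, False, "unsafe and not allowlisted (SysctlForbidden)"))
    return verdicts


def pod_admitted(verdicts: list[Verdict]) -> bool:
    """The kubelet rejects the whole pod if any single sysctl fails."""
    return all(v.admitted for v in verdicts)


# Constructed sample input: the sysctl from the report plus two that would be rejected.
SAMPLE_SYSCTLS = [
    {"name": "net.ipv4.tcp_fin_timeout", "value": "30"},  # from the issue report
    {"name": "net.core.somaxconn", "value": "4096"},       # unsafe: needs the kubelet allowlist
    {"name": "vm.max_map_count", "value": "262144"},       # node-level: must be set on the node
]

if __name__ == "__main__":
    for v in check_sysctls(SAMPLE_SYSCTLS, allowed_unsafe=("net.core.*",)):
        print(f"{'OK ' if v.admitted else 'REJ'} {v.name}: {v.reason}")
```

A pod that fails these rules is rejected by the kubelet at admission (status reason SysctlForbidden) and never starts, so a pod that reaches CrashLoopBackOff has already passed the allowlist; `kubectl describe pod <pod>` shows the admission outcome and `kubectl logs --previous <pod>` shows why mongod exited. The check does not model whether the container runtime honours the sysctl, which is the separate point raised above.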

hors (Collaborator) commented Sep 19, 2024

Hi @drblack666, do you have any additional questions? Can we close this task?

drblack666 (Author) commented

Unfortunately, I can't check it right now because I don't use GKE and my k8s is 1.29 and psmdb operator 1.16. I'll try this later; hopefully the update will help.
