removed init container for Postgres DB pod

* The init container was used to workaround an issue with hugepages which seems to be solved. * After removing it, there is no need for privileged container and for DB scc Signed-off-by: Danny Zaken <[email protected]>
noobaa · Mar 17, 2024 · bb8bb50 · bb8bb50
1 parent 489d361
commit bb8bb50
Show file tree

Hide file tree

Showing 8 changed files with 163 additions and 346 deletions.
diff --git a/deploy/internal/configmap-postgres-initdb.yaml b/deploy/internal/configmap-postgres-initdb.yaml
@@ -5,40 +5,6 @@ metadata:
   labels:
     app: noobaa
 data:
-  initdb.sh: |
-          # If the config file is present, the DB is initiazed
-          # and we're out of here
-          export PGDATA=$HOME/data/userdata
-          if [ -f $PGDATA/postgresql.conf ]; then
-            echo postgresql.conf file is found
-            exit 0
-          fi
-
-          # Wrap the postgres binary, force huge_pages=off for initdb
-          # see https://bugzilla.redhat.com/show_bug.cgi?id=1946792
-          p=/opt/rh/rh-postgresql12/root/usr/bin/postgres
-
-          # Latest RH images moved the postgres binary
-          # from /opt/rh/rh-postgresql12/root/usr/bin/postgres to /usr/bin/postgres
-          # see https://bugzilla.redhat.com/show_bug.cgi?id=2051249
-          if [ ! -x $p ]; then
-            p=/usr/bin/postgres
-          fi
-
-          mv $p $p.orig
-          echo exec $p.orig \"\$@\" -c huge_pages=off > $p
-          chmod 755 $p
-
-          # The NooBaa DB runs with UID 10001 GID 0
-          sed -i -e 's/^\(postgres:[^:]\):[0-9]*:[0-9]*:/\1:10001:0:/' /etc/passwd
-
-          # Init the DB and exit once the DB is ready to run
-          sed -i -e 's/^exec.*$/exit 0/' \
-                 -e 's/^pg_ctl\sstart.*/pg_ctl start || true/'                                   \
-                    /usr/bin/run-postgresql
-          su postgres -c "bash -x /usr/bin/run-postgresql"
-
-            
   dumpdb.sh: |
           set -e
           sed -i -e 's/^\(postgres:[^:]\):[0-9]*:[0-9]*:/\1:10001:0:/' /etc/passwd

diff --git a/deploy/internal/statefulset-db.yaml b/deploy/internal/statefulset-db.yaml
@@ -21,36 +21,36 @@ spec:
       serviceAccountName: noobaa-db
       terminationGracePeriodSeconds: 60
       containers:
-      #--------------------#
-      # DATABASE CONTAINER #
-      #--------------------#
-      - name: db
-        image: NOOBAA_DB_IMAGE
-        command:
-        - bash
-        - -c
-        - /opt/rh/rh-mongodb36/root/usr/bin/mongod --port 27017 --bind_ip_all --dbpath /data/mongo/cluster/shard1
-        resources:
-          requests:
-            cpu: "2"
-            memory: "4Gi"
-          limits:
-            cpu: "2"
-            memory: "4Gi"
-        volumeMounts:
+        #--------------------#
+        # DATABASE CONTAINER #
+        #--------------------#
         - name: db
-          mountPath: /data
-      securityContext: 
+          image: NOOBAA_DB_IMAGE
+          command:
+            - bash
+            - -c
+            - /opt/rh/rh-mongodb36/root/usr/bin/mongod --port 27017 --bind_ip_all --dbpath /data/mongo/cluster/shard1
+          resources:
+            requests:
+              cpu: "2"
+              memory: "4Gi"
+            limits:
+              cpu: "2"
+              memory: "4Gi"
+          volumeMounts:
+            - name: db
+              mountPath: /data
+      securityContext:
         runAsUser: 10001
         runAsGroup: 0
   volumeClaimTemplates:
-  - metadata:
-      name: db
-      labels:
-        app: noobaa
-    spec:
-      accessModes:
-      - ReadWriteOnce
-      resources:
-        requests:
-          storage: 50Gi
+    - metadata:
+        name: db
+        labels:
+          app: noobaa
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 50Gi
diff --git a/deploy/internal/statefulset-postgres-db.yaml b/deploy/internal/statefulset-postgres-db.yaml
@@ -19,92 +19,47 @@ spec:
         noobaa-db: postgres
     spec:
       serviceAccountName: noobaa-db
-      initContainers:
-      #-----------------#
-      # INIT CONTAINERS #
-      #-----------------#
-      - name: initialize-database
-        image: NOOBAA_DB_IMAGE
-        env:
-          - name: POSTGRESQL_DATABASE
-            value: nbcore
-          - name: LC_COLLATE
-            value: C
-          - name: POSTGRESQL_USER
-            valueFrom:
-              secretKeyRef:
-                key: user
-                name: noobaa-db
-          - name: POSTGRESQL_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                key: password
-                name: noobaa-db
-        command:
-        - sh
-        - -x
-        - /init/initdb.sh
-        securityContext:
-          runAsUser: 0
-          runAsGroup: 0
-        resources:
-          requests:
-            cpu: "500m"
-            memory: "500Mi"
-          limits:
-            cpu: "500m"
-            memory: "500Mi"
-        volumeMounts:
-        - name: db
-          mountPath: /var/lib/pgsql
-        - name: noobaa-postgres-initdb-sh-volume
-          mountPath: /init
       containers:
-      #--------------------#
-      # Postgres CONTAINER #
-      #--------------------#
-      - name: db
-        image: NOOBAA_DB_IMAGE
-        env:
-          - name: POSTGRESQL_DATABASE
-            value: nbcore
-          - name: LC_COLLATE
-            value: C
-          - name: POSTGRESQL_USER
-            valueFrom:
-              secretKeyRef:
-                key: user
-                name: noobaa-db
-          - name: POSTGRESQL_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                key: password
-                name: noobaa-db
-        imagePullPolicy: "IfNotPresent"
-        ports:
-          - containerPort: 5432
-        resources:
-          requests:
-            cpu: "500m"
-            memory: "4Gi"
-          limits:
-            cpu: "500m"
-            memory: "4Gi"
-        volumeMounts:
-          - name: db
-            mountPath: /var/lib/pgsql
-          - name: noobaa-postgres-config-volume
-            mountPath: /opt/app-root/src/postgresql-cfg
-          - name: noobaa-postgres-initdb-sh-volume
-            mountPath: /init
+        #--------------------#
+        # Postgres CONTAINER #
+        #--------------------#
+        - name: db
+          image: NOOBAA_DB_IMAGE
+          env:
+            - name: POSTGRESQL_DATABASE
+              value: nbcore
+            - name: LC_COLLATE
+              value: C
+            - name: POSTGRESQL_USER
+              valueFrom:
+                secretKeyRef:
+                  key: user
+                  name: noobaa-db
+            - name: POSTGRESQL_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key: password
+                  name: noobaa-db
+          imagePullPolicy: "IfNotPresent"
+          ports:
+            - containerPort: 5432
+          resources:
+            requests:
+              cpu: "500m"
+              memory: "4Gi"
+            limits:
+              cpu: "500m"
+              memory: "4Gi"
+          volumeMounts:
+            - name: db
+              mountPath: /var/lib/pgsql
+            - name: noobaa-postgres-config-volume
+              mountPath: /opt/app-root/src/postgresql-cfg
       volumes:
-      - name: noobaa-postgres-config-volume
-        configMap:
-          name: noobaa-postgres-config
-      - name: noobaa-postgres-initdb-sh-volume
-        configMap:
-          name: noobaa-postgres-initdb-sh
-      securityContext: 
+        - name: noobaa-postgres-config-volume
+          configMap:
+            name: noobaa-postgres-config
+      securityContext:
         runAsUser: 10001
         runAsGroup: 0
         fsGroup: 0

diff --git a/deploy/role_db.yaml b/deploy/role_db.yaml
@@ -3,11 +3,11 @@ kind: Role
 metadata:
   name: noobaa-db
 rules:
-- apiGroups:
-  - security.openshift.io
-  resourceNames:
-  - noobaa-db
-  resources:
-  - securitycontextconstraints
-  verbs:
-  - use
+  - apiGroups:
+      - security.openshift.io
+    resourceNames:
+      - noobaa-db
+    resources:
+      - securitycontextconstraints
+    verbs:
+      - use
diff --git a/deploy/scc_db.yaml b/deploy/scc_db.yaml
@@ -2,17 +2,14 @@ apiVersion: security.openshift.io/v1
 kind: SecurityContextConstraints
 metadata:
   name: noobaa-db
-allowPrivilegeEscalation: true
+allowPrivilegeEscalation: false
 allowHostDirVolumePlugin: false
 allowHostIPC: false
 allowHostNetwork: false
 allowHostPID: false
 allowHostPorts: false
 allowPrivilegedContainer: false
 readOnlyRootFilesystem: false
-allowedCapabilities:
-- SETUID
-- SETGID
 fsGroup:
   type: RunAsAny
 runAsUser: