ReadOnlyRootFilesystem support #661

Merged
merged 6 commits into from
Jul 19, 2024


@burmanm burmanm commented May 29, 2024

What this PR does:
Adds new Spec field: ReadOnlyRootFilesystem that adds necessary new volumes and disables MCAC (since it can't work in this system).

See required PR to get it working (smoke_test_read_only_fs uses image based on this PR): k8ssandra/management-api-for-apache-cassandra#491

Which issue(s) this PR fixes:
Fixes #196
Fixes #199
Fixes #210

Checklist

  • Changes manually tested
  • Automated Tests added/updated
  • Documentation added/updated
  • CHANGELOG.md updated (not required for documentation PRs)
  • CLA Signed: DataStax CLA

burmanm commented May 29, 2024

This PR requires a modified management-api to start. Here's a YAML to test:

```yaml
apiVersion: cassandra.datastax.com/v1beta1
kind: CassandraDatacenter
metadata:
  name: dc1
  annotations:
    cassandra.datastax.com/readonly-fs: "true"
spec:
  clusterName: cluster1
  serverType: cassandra
  serverVersion: "4.1.4"
  serverImage: michaelburman290/cass-management-api:4.1.4
  managementApiAuth:
    insecure: {}
  size: 2
  storageConfig:
    cassandraDataVolumeClaimSpec:
      storageClassName: standard
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi
  racks:
    - name: r1
    - name: r2
  podTemplateSpec:
    spec:
      containers:
        - name: "cassandra"
          securityContext:
            readOnlyRootFilesystem: true
      securityContext:
        runAsUser: 12345
        runAsGroup: 0
        runAsNonRoot: true
  config:
    jvm-server-options:
      initial_heap_size: "512m"
      max_heap_size: "512m"
      additional-jvm-opts:
        - "-Dcassandra.system_distributed_replication_per_dc=1"
```
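
An added example, not part of this PR or the cass-operator code base: a check over pod JSON (as returned by `kubectl get pod -o json`) that the `cassandra` container really ended up with the security context from the manifest above, and which of its mounts stay writable once the root filesystem is read-only. The sample pod, its volume names, mount paths and the `sidecar` container are constructed for illustration.

```python
import json

# Constructed sample shaped like `kubectl get pod -o json` output; volume names,
# mount paths and the "sidecar" container are hypothetical, not taken from the PR.
SAMPLE_POD = json.loads("""
{"spec": {
  "securityContext": {"runAsUser": 12345, "runAsGroup": 0, "runAsNonRoot": true},
  "volumes": [
    {"name": "server-data", "persistentVolumeClaim": {"claimName": "data-claim"}},
    {"name": "tmp", "emptyDir": {}},
    {"name": "server-config", "emptyDir": {}}],
  "containers": [
    {"name": "cassandra",
     "securityContext": {"readOnlyRootFilesystem": true},
     "volumeMounts": [
       {"name": "server-data", "mountPath": "/var/lib/cassandra"},
       {"name": "tmp", "mountPath": "/tmp"},
       {"name": "server-config", "mountPath": "/config", "readOnly": true}]},
    {"name": "sidecar", "securityContext": {}}]
}}
""")


def audit_pod(pod, container_name="cassandra"):
    """Return (findings, writable_mounts) for one container of a pod."""
    spec = pod["spec"]
    container = next(
        (c for c in spec.get("containers", []) if c["name"] == container_name), None)
    if container is None:
        return [f"container {container_name!r} not found"], {}
    pod_sc = spec.get("securityContext") or {}
    ctr_sc = container.get("securityContext") or {}
    findings = []
    if ctr_sc.get("readOnlyRootFilesystem") is not True:
        findings.append("readOnlyRootFilesystem is not true")
    # A container-level runAsNonRoot overrides the pod-level value when both are set.
    if ctr_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
        findings.append("runAsNonRoot is not true")
    # Map each volume name to its source type (emptyDir, persistentVolumeClaim, ...).
    kinds = {v["name"]: next((k for k in v if k != "name"), "unknown")
             for v in spec.get("volumes", [])}
    # With a read-only root, these mounts are the only places the process can write.
    writable = {m["mountPath"]: kinds.get(m["name"], "undeclared")
                for m in container.get("volumeMounts", []) if not m.get("readOnly", False)}
    return findings, writable
```

An empty findings list together with a short, expected set of writable mounts is the result to look for on each pod of the datacenter.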

@burmanm burmanm marked this pull request as ready for review May 31, 2024 15:38
@burmanm burmanm requested a review from a team as a code owner May 31, 2024 15:38
@burmanm burmanm changed the title Experimental ReadOnlyRootFilesystem support ReadOnlyRootFilesystem support Jul 16, 2024
@adejanovski adejanovski left a comment

Works as expected 👍

… cassandra container to run in ReadOnlyRootFilesystem securityContext
…so we can set it to true by default later), add verification that MCAC is disabled when used with readOnlyRootFilesystem
@burmanm burmanm merged commit cf277bc into k8ssandra:master Jul 19, 2024
2 of 3 checks passed