
Add SYS_RESOURCE security context capability if not set #147

Merged (4 commits), Aug 22, 2019

Conversation

robskillington

@robskillington robskillington commented May 26, 2019

This will add SYS_RESOURCE to the security context if not set to ensure the M3DB image is able to call the setrlimit syscall for RLIMIT_NOFILE when it needs to raise the hard and soft open FDs limit to the value of fs.nr_open when they are not the same.

Fixes #137.


codecov bot commented May 28, 2019

Codecov Report

Merging #147 into master will increase coverage by 0.07%.
The diff coverage is 100%.


@@            Coverage Diff             @@
##           master     #147      +/-   ##
==========================================
+ Coverage    74.3%   74.38%   +0.07%     
==========================================
  Files          28       28              
  Lines        1950     1956       +6     
==========================================
+ Hits         1449     1455       +6     
  Misses        383      383              
  Partials      118      118

Powered by Codecov. Last update ded8858...186c64a. Read the comment docs.

Review comment on the capability-adding code in the PR:

```go
        }
    }
    if !hasCapabilitySysResource {
        specSecurityCtx.Capabilities.Add =
```

We'll have to only add this if the user hasn't set a security context at all. If they've set one we can't modify it, as they may have PodSecurityPolicies that prevent capabilities from being added, in which case they'd have no way to use the operator. Or we can add another flag to not add it.

I personally like only setting it if there's not an SC already
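The behaviour the description and the review comment settle on (grant SYS_RESOURCE only when the container carries no security context, and never edit a user-supplied one) written out as an added example; this is not the operator's own code, and the `Capability`, `Capabilities`, `SecurityContext` and `Container` types are stand-ins assumed to have the shape of the Kubernetes core/v1 types so the snippet runs without k8s.io/api:

```go
package main

import "fmt"

// Stand-in types with the shape of the Kubernetes core/v1 SecurityContext and
// Capabilities (assumed here so the example runs without k8s.io/api).
type Capability string

type Capabilities struct{ Add []Capability }

type SecurityContext struct{ Capabilities *Capabilities }

type Container struct{ SecurityContext *SecurityContext }

const capSysResource Capability = "SYS_RESOURCE"

// hasCapability reports whether sc already lists c under Capabilities.Add.
func hasCapability(sc *SecurityContext, c Capability) bool {
	if sc == nil || sc.Capabilities == nil {
		return false
	}
	for _, existing := range sc.Capabilities.Add {
		if existing == c {
			return true
		}
	}
	return false
}

// ensureSysResource grants SYS_RESOURCE only when the container has no security
// context at all. A user-supplied context is left untouched: a PodSecurityPolicy
// may forbid added capabilities, and editing it silently could block admission.
// It returns true when the container was changed.
func ensureSysResource(c *Container) bool {
	if c.SecurityContext != nil {
		return false
	}
	c.SecurityContext = &SecurityContext{
		Capabilities: &Capabilities{Add: []Capability{capSysResource}},
	}
	return true
}

func main() {
	c := &Container{}
	fmt.Println(ensureSysResource(c), hasCapability(c.SecurityContext, capSysResource))
}
```

A container that already carries a security context, even one without any capabilities, is reported as unchanged, which is the case the review comment is worried about.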

@schallert schallert force-pushed the r/add-sys-resource-capability branch from a309423 to 99f1d6b Compare August 22, 2019 21:23
@schallert schallert merged commit 3d43802 into master Aug 22, 2019
@schallert schallert deleted the r/add-sys-resource-capability branch August 22, 2019 22:28
Successfully merging this pull request may close these issues.

Need to run ulimit -n 3000000 before running m3dbnode