OpenShift compatibility #710

Open
hanygirgis opened this issue Nov 12, 2024 · 6 comments

Comments

@hanygirgis

I'm trying to deploy GrimoireLab on OpenShift (using the supplied Kubernetes scripts), but I'm getting security errors.

For example, when trying to deploy the esnode StatefulSet (in file 12-es-sts-deployment.yml), I had to remove the IPC_LOCK and SYS_RESOURCE capabilities and disable privileged mode to get it to run. After that, I get the following error:

od esnode-0 in StatefulSet esnode failed error: pods "esnode-0" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "pipelines-scc": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{1000}: 1000 is not an allowed group, provider restricted-v2: .containers[0].runAsUser: Invalid value: 1000: must be in the ranges: [1001020000, 1001029999], provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{1000}: 1000 is not an allowed group, provider restricted: .containers[0].runAsUser: Invalid value: 1000: must be in the ranges: [1001020000, 1001029999], provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount,

Do you have any suggestions on how to get it to run on OpenShift?

@sduenas
Member

sduenas commented Nov 12, 2024

Hi @hanygirgis. I've never tried OpenShift before. There's an open PR to deploy the platform on Kubernetes with Helm. If it's possible, I recommend using this method (or using it as the baseline) because it's more up to date with the current infra supported by the project.

You can find the PR here: #707

@hanygirgis
Author

All right, thanks. I'll try out the Helm approach in this PR.

@sduenas
Member

sduenas commented Nov 12, 2024

Keep us posted on whether it works or not, so we know about it.

@Eroyi

Eroyi commented Nov 13, 2024

My chart hasn't been tested on OpenShift. OpenShift has enhanced its security capabilities, so you may encounter several issues related to securityContext.

Also, I recommend using OpenSearch instead of Elasticsearch. The Kibana that GrimoireLab used strictly requires an outdated elasticsearch-6.8.6.

If you are trying my chart, please remove the appConfig.security map in charts/openshift-node/values.yaml.

@sduenas
Member

sduenas commented Nov 13, 2024

Just for the record, GrimoireLab can be used with OpenSearch. We have a [docker compose](https://github.com/chaoss/grimoirelab/blob/master/docker-compose/docker-compose-opensearch.yml) for that matter. The dashboards for OpenSearch can be imported manually from here.

You can also use Bitergia Analytics, which is built on top of GrimoireLab and uses, by default, OpenSearch Dashboards with the security layer.

@hanygirgis
Author

OK, I'll switch to OpenSearch and give it a shot.
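
An added example, not part of the thread or of the GrimoireLab project: a small parser for the SCC rejection message quoted in the opening post. It separates the SCCs the service account is not granted from the SCCs that were evaluated and rejected on specific pod-spec fields. The function names are hypothetical and the sample is the issue's message shortened to four providers.

```python
import re
from collections import defaultdict

# Constructed sample: the rejection quoted in the issue, shortened to four providers.
SAMPLE = (
    'pods "esnode-0" is forbidden: unable to validate against any security '
    'context constraint: [provider "anyuid": Forbidden: not usable by user or '
    'serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup: '
    'Invalid value: []int64{1000}: 1000 is not an allowed group, provider '
    'restricted-v2: .containers[0].runAsUser: Invalid value: 1000: must be in '
    'the ranges: [1001020000, 1001029999], provider "nonroot-v2": Forbidden: '
    'not usable by user or serviceaccount,'
)

ENTRY = re.compile(r'^"?([\w.-]+)"?:\s*(.*)$', re.S)   # provider name, detail
FIELD = re.compile(r'^(\.[^:]+):\s*(.*)$', re.S)       # field path, reason
UID_RANGE = re.compile(r'must be in the ranges: \[(\d+), (\d+)\]')


def parse_scc_rejection(message):
    """Split the rejection into SCCs the account may not use and, for the
    SCCs it may use, the pod-spec fields that failed validation."""
    _, _, body = message.partition('security context constraint:')
    not_granted, violations = [], defaultdict(dict)
    # Entries are separated by ", provider "; the UID range also holds ", ",
    # so split on the keyword rather than on commas.
    for raw in re.split(r'(?:^|,)\s*\[?provider\s+', body.strip()):
        entry = ENTRY.match(raw.strip().rstrip(','))
        if not entry:
            continue
        name, detail = entry.groups()
        field = FIELD.match(detail)
        if field:
            violations[name][field.group(1)] = field.group(2)
        elif name not in not_granted:
            not_granted.append(name)
    return not_granted, dict(violations)


def allowed_uid_range(violations):
    """Return the (low, high) UID range the admission controller reported."""
    for fields in violations.values():
        for reason in fields.values():
            found = UID_RANGE.search(reason)
            if found:
                return int(found.group(1)), int(found.group(2))
    return None
```

Run against the message in this issue, the only field-level failures are the `fsGroup` and `runAsUser` values of 1000, both reported by the restricted SCCs; every other provider is listed as not usable by the service account.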
