bitnami / charts

Bitnami Helm Charts
https://bitnami.com

[bitnami/moodle] cron configuration as non-root in moodle helm chart #4654

Closed fle108 closed 3 years ago

fle108 commented 3 years ago

Which chart: bitnami/moodle:latest

**Describe the bug**
Since I migrated to Helm for Moodle, I obtain a warning at pod startup:

```
moodle 15:24:49.82 WARN  ==> Skipping cron configuration for Moodle because of running as a non-root user
moodle 15:24:49.83 INFO  ==> ** Moodle setup finished! **

moodle 15:24:49.84 WARN  ==> Cron will not be started because of running as a non-root user
moodle 15:24:49.85 INFO  ==> ** Starting Apache **
```

**To Reproduce**
Steps to reproduce the behavior:

  1. Prepare a values file with tag `latest`, external DB info, Moodle user credentials, ingress name and site name.
  2. Install the chart: `helm install moodle01 -f values.yaml bitnami/moodle`
  3. Follow the logs: `kubectl logs moodle01-xxxxxxxx --follow`
  4. See the warning:

```
moodle 15:24:49.82 WARN  ==> Skipping cron configuration for Moodle because of running as a non-root user
moodle 15:24:49.83 INFO  ==> ** Moodle setup finished! **

moodle 15:24:49.84 WARN  ==> Cron will not be started because of running as a non-root user
moodle 15:24:49.85 INFO  ==> ** Starting Apache **
```


**Expected behavior**
starting moodle pod/container with no warning about cron

**Version of Helm and Kubernetes**:

- Output of `helm version`:

```
version.BuildInfo{Version:"v3.4.1", GitCommit:"c4e74854886b2efe3321e185578e6db9be0a6e29", GitTreeState:"clean", GoVersion:"go1.14.11"}
```

- Output of `kubectl version`:

```
Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.3", GitCommit:"2e7996e3e2712684bc73f0dec0200d64eec7fe40", GitTreeState:"clean", BuildDate:"2020-05-20T12:52:00Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.10", GitCommit:"62876fc6d93e891aa7fbe19771e6a6c03773b0f7", GitTreeState:"clean", BuildDate:"2020-10-16T20:43:34Z", GoVersion:"go1.13.15", Compiler:"gc", Platform:"linux/amd64"}
```



**Additional context**
This Moodle instance is a migration from a bare-metal installation in order to move to the Kubernetes Helm template.
I extracted the PgSQL database and converted it to MySQL 5.7 (not so easy), recovered the moodledata directory and pushed it to a persistentVolume.
I upgraded it all from 3.6.3 to 3.10.
Everything works fine except this warning about non-root cron.

andresbono commented 3 years ago

Hi @fle108, these warnings are expected if you are running the containers as non-root. Please see this note: https://github.com/bitnami/charts/tree/master/bitnami/moodle#to-800

> The Bitnami Container Image for Moodle™ was updated to support the "non-root" user approach; however, it is not enabled by default. The container still runs as the root user and the Apache daemon is started as the daemon user, due to running Cron as a service, which requires running as root.
>
> If you want to run with a non-root user, you need to set podSecurityContext.enabled=true and containerSecurityContext.enabled=true. In addition to that, you will also need to change the default Apache HTTP ports to run as a non-privileged user by setting containerPorts.http and containerPorts.https to a non-privileged port number (higher than 1024, i.e. 8080 and 8443, respectively). Note that, when running as a non-root user, Cron will not be supported and therefore scheduled tasks will not be enabled for Moodle™.

That default behavior changed in a later version of the chart, so if you want to run cron, you will need to specify that explicitly:

```
$ helm install moodle bitnami/moodle --set containerSecurityContext.runAsUser=0
$ kubectl logs moodle-64bf8c9869-mkf2d | grep -i cron
moodle 16:40:24.52 INFO  ==> ** Starting cron **
```
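The two configurations described in the note above, written out as values files so the trade-off is visible in one place. This is an added example, not from the chart's README: the keys are the ones named in this thread (`podSecurityContext`, `containerSecurityContext`, `containerPorts`); the `runAsNonRoot` line in the second file reflects the kubelet's own validation, which refuses to start a container that has `runAsNonRoot: true` but resolves to uid 0. Save each as its own file and pass it with `helm install moodle01 -f <file> bitnami/moodle`.

```yaml
# values-nonroot.yaml (constructed example)
# Non-root: the chart's cron service cannot start, scheduled tasks need an
# external trigger (see the CronJob approaches later in this thread).
podSecurityContext:
  enabled: true
containerSecurityContext:
  enabled: true
  runAsNonRoot: true
# Apache must bind unprivileged ports when it is not started as root.
containerPorts:
  http: 8080
  https: 8443
---
# values-root-cron.yaml (constructed example)
# Root: the in-container cron service starts, at the cost of running the
# whole Moodle container as uid 0.
podSecurityContext:
  enabled: true
  fsGroup: 0
containerSecurityContext:
  enabled: true
  runAsUser: 0
  # Must be false (or left unset) together with runAsUser: 0; the kubelet
  # rejects a container that claims runAsNonRoot while running as uid 0.
  runAsNonRoot: false
```

The first file is the one to prefer when the environment allows an external cron trigger; the second file only buys the in-container cron service, so any further hardening (read-only root filesystem, dropped capabilities) has to be layered on top of a root process.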

fle108 commented 3 years ago

Thank you, it works well with runAsUser: 0 and fsGroup: 0 as explained in https://github.com/bitnami/bitnami-docker-moodle/issues/148 too.

I just had to reposition rights on /bitnami/moodle/ and /bitnami/moodledata/ to daemon:root in place of 1001 to avoid Apache errors.

```
chown -R daemon:root /bitnami/moodle/
chown -R daemon:root /bitnami/moodledata/
```

MahletHailu commented 1 year ago

Hi @fle108,

I ran into the same issue of cron jobs not running when deploying the LMS container as a non-root user. Then I tried to resolve the issue as you mentioned. Here are my settings:

```yaml
podSecurityContext:
  enabled: true
  fsGroup: 0
containerSecurityContext:
  enabled: true
  runAsUser: 0
  runAsNonRoot: true
```

Now I get an error because config.php isn't writable: "Fatal error: $CFG->dataroot is not writable, admin has to fix directory permissions! Exiting."

What is the best way to fix this permission issue or set required permissions from the helm chart?

Thanks!

fle108 commented 1 year ago

It seems you have to change the rights on your folders:

```
chown -R daemon:root /bitnami/moodle/
chown -R daemon:root /bitnami/moodledata/
```

Do it manually after folders are created and retry your deployment. It's not very clean as workaround, but it works.
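The same ownership fix as a one-off Kubernetes Job, so it can be re-run after a redeploy without exec'ing into the application pod as root. This is an added example, not part of the chart: the PVC name `moodle01-moodle` and the `moodle`/`moodledata` subPath layout are assumptions (check `kubectl get pvc -n moodle` and the deployment's volumeMounts), and uid 1 is assumed to be the `daemon` user in the Bitnami image, as it is in Debian-based images. The Job runs as uid 0 because chown needs it, but keeps only the two capabilities a recursive chown actually uses.

```yaml
# Constructed example: one-off permission repair for a Moodle release PVC.
apiVersion: batch/v1
kind: Job
metadata:
  name: moodle-fix-perms
  namespace: moodle
spec:
  ttlSecondsAfterFinished: 300   # remove the finished root-running pod
  template:
    spec:
      restartPolicy: Never
      securityContext:
        runAsUser: 0              # chown needs root; nothing else here does
      containers:
        - name: fix-perms
          image: bitnami/os-shell
          command:
            - /bin/sh
            - -ec
            - |
              # daemon:root in numeric form so the helper image's /etc/passwd
              # does not matter; this is the chown from the comments above.
              chown -R 1:0 /bitnami/moodle /bitnami/moodledata
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
              # CHOWN to change owners, DAC_READ_SEARCH to walk directories
              # regardless of their current mode bits.
              add: ["CHOWN", "DAC_READ_SEARCH"]
          volumeMounts:
            - name: data
              mountPath: /bitnami/moodle
              subPath: moodle        # assumed to match the chart's layout
            - name: data
              mountPath: /bitnami/moodledata
              subPath: moodledata    # assumed to match the chart's layout
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: moodle01-moodle   # assumed: <release>-moodle
```

Apply it with `kubectl apply -f` after the release has created the PVC, confirm with `kubectl logs job/moodle-fix-perms -n moodle` that it exited cleanly, then restart the Moodle pod. Because the Job is scoped to the one PVC and carries no service account privileges, it is a smaller exposure than an interactive root shell in the application container.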

renepardon commented 1 year ago

> Thank you, it works well with runAsUser: 0 and fsGroup: 0 as explained in bitnami/bitnami-docker-moodle#148 too.
>
> I just had to reposition rights on /bitnami/moodle/ and /bitnami/moodledata/ to daemon:root in place of 1001 to avoid Apache errors.
>
> ```
> chown -R daemon:root /bitnami/moodle/
> chown -R daemon:root /bitnami/moodledata/
> ```

Thank you very much - fsGroup I forgot but this also helped me to get the cronjob working in matomo chart.

sd-f commented 8 months ago

Without a root user, I did it like this, using a job and the remote cron via web (https://docs.moodle.org/403/en/Cron#Remote_cron). Watch out: there are warnings about the future removal of that feature in Moodle.

```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: moodle-job
  namespace: moodle
spec:
  schedule: "* * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
            - name: moodle-job
              image: bitnami/os-shell
              imagePullPolicy: IfNotPresent
              command:
                - /bin/sh
                - -ec
                - "curl -v http://moodle/admin/cron.php?password=xxx"
          restartPolicy: Never
  concurrencyPolicy: Forbid
```

In case anyone else stumbles onto this again.
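A variant of the remote-cron CronJob above that keeps the cron password out of the manifest (and therefore out of version control and `kubectl get cronjob -o yaml` output) and out of the job log. This is an added example, not sd-f's manifest: the Secret name `moodle-cron-password` is an assumption, the `password` value is a placeholder for whatever is configured as the remote cron password in Moodle, and the service name `moodle` is the one used in the comment above.

```yaml
# Constructed example: remote cron trigger with the password held in a Secret.
apiVersion: v1
kind: Secret
metadata:
  name: moodle-cron-password   # assumed name
  namespace: moodle
type: Opaque
stringData:
  password: REPLACE_WITH_MOODLE_REMOTE_CRON_PASSWORD   # placeholder
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: moodle-job
  namespace: moodle
spec:
  schedule: "* * * * *"
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: Never
          containers:
            - name: moodle-job
              image: bitnami/os-shell
              imagePullPolicy: IfNotPresent
              env:
                - name: MOODLE_CRON_PASSWORD
                  valueFrom:
                    secretKeyRef:
                      name: moodle-cron-password
                      key: password
              command:
                - /bin/sh
                - -ec
                # -f makes curl exit non-zero on an HTTP error so the Job
                # shows as failed; no -v, so the URL with the password is
                # not echoed into the pod log. --get/--data-urlencode builds
                # the query string from the variable.
                - |
                  curl -fsS -o /dev/null --get \
                    --data-urlencode "password=${MOODLE_CRON_PASSWORD}" \
                    http://moodle/admin/cron.php
```

The password still travels as a URL parameter over the in-cluster HTTP call, which is the protocol the remote-cron feature imposes; what changes is that it is no longer stored in plain text in the CronJob object or printed by the job. If Moodle is only reachable through the ingress over TLS, point the URL at the HTTPS hostname instead of the cluster service.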

DBatten-COH commented 4 months ago

I didn't want to break the security. Took me a while, but my solution was to use the bitnami/kubectl image in a Kubernetes CronJob: I created a service account moodle-cron, gave it rights to list pods and create pods/exec, and ran a shell script on a PVC to run kubectl exec into the Moodle pod and run the PHP cron.

```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: moodle-php-cron
  namespace: moodle
spec:
  schedule: "* * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
            - name: moodle-cron
              image: ALocalRegistry:5000/moodle/kubectl
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop:
                  - ALL
                privileged: false
                readOnlyRootFilesystem: true
                runAsGroup: 1001
                runAsNonRoot: true
                runAsUser: 1001
                seLinuxOptions: {}
                seccompProfile:
                  type: RuntimeDefault
              command:  ["/bitnami/cron/moodle-cron.sh"]
              volumeMounts:
                - name: moodle-data
                  mountPath: /bitnami/cron
                  subPath: cron
          restartPolicy: OnFailure
          serviceAccountName: moodle-cron
          volumes:
            - name: moodle-data
              persistentVolumeClaim:
                claimName: moodledata
```

`cat moodle-cron.sh`:

```bash
#!/bin/bash
# Authenticates with the mounted service-account token and runs Moodle's CLI
# cron inside the (hard-coded) Moodle pod, appending output to a log on the PVC.
kubectl --server=https://${KUBERNETES_SERVICE_HOST} --token=`cat /var/run/secrets/kubernetes.io/serviceaccount/token` --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
  exec -n moodle moodle-5986fdb544-g9ksb  -- \
  /bin/bash -c "/opt/bitnami/php/bin/php /bitnami/moodle/admin/cli/cron.php" >> /bitnami/cron/moodle-cron.log 2>&1
```
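The comment above names the service account and the two permissions it needs but does not show the RBAC objects, and the script pins a pod name that changes on every rollout. Below is an added example (not DBatten-COH's manifests) of the complete set: a namespace-scoped Role limited to `get`/`list` on pods and `create` on pods/exec, the binding, the script delivered as a read-only ConfigMap instead of a writable PVC, and the CronJob with the same security context as above. Assumptions: the release runs in the `moodle` namespace, its pod carries the Bitnami label `app.kubernetes.io/name=moodle`, and `ALocalRegistry:5000/moodle/kubectl` is the user's own kubectl image with bash.

```yaml
# Constructed example: least-privilege RBAC plus a label-selected exec script.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: moodle-cron
  namespace: moodle
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: moodle-cron
  namespace: moodle
rules:
  # Exactly what the script needs and nothing more: find the pod, exec once.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: moodle-cron
  namespace: moodle
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: moodle-cron
subjects:
  - kind: ServiceAccount
    name: moodle-cron
    namespace: moodle
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: moodle-cron-script
  namespace: moodle
data:
  moodle-cron.sh: |
    #!/bin/bash
    set -euo pipefail
    # In-cluster kubectl reads the mounted service-account token and CA on
    # its own, so no --server/--token/--certificate-authority flags needed.
    # Resolve the pod by label (assumed Bitnami label) instead of hard-coding
    # a name that changes on every rollout.
    pod=$(kubectl -n moodle get pod -l app.kubernetes.io/name=moodle \
            --field-selector=status.phase=Running \
            -o jsonpath='{.items[0].metadata.name}')
    [ -n "$pod" ] || { echo "no running moodle pod found" >&2; exit 1; }
    exec kubectl -n moodle exec "$pod" -- \
      /opt/bitnami/php/bin/php /bitnami/moodle/admin/cli/cron.php
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: moodle-php-cron
  namespace: moodle
spec:
  schedule: "* * * * *"
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: moodle-cron
          restartPolicy: OnFailure
          containers:
            - name: moodle-cron
              image: ALocalRegistry:5000/moodle/kubectl   # user's own image
              command: ["/bitnami/cron/moodle-cron.sh"]
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop: ["ALL"]
                readOnlyRootFilesystem: true
                runAsNonRoot: true
                runAsUser: 1001
                runAsGroup: 1001
                seccompProfile:
                  type: RuntimeDefault
              volumeMounts:
                - name: script
                  mountPath: /bitnami/cron
                  readOnly: true
          volumes:
            - name: script
              configMap:
                name: moodle-cron-script
                defaultMode: 0555   # executable, read-only, no PVC needed
```

Cron output goes to the job pod's log (`kubectl logs -n moodle job/<name>`) rather than a file on the PVC, so nothing in the CronJob needs write access. The Role still allows exec into any pod in the namespace, since RBAC cannot restrict pods/exec by label; keeping the Moodle release in its own namespace is what bounds that permission.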