ibm-messaging / mq-container-mft

Samples for integrating MQ MFT in Cloud scenarios

userSandboxes set to true even if configured as false #13

Closed goffinet closed 1 year ago

goffinet commented 1 year ago

Hello, when I try to fix the userSandboxes property to false for agent.properties, it seems it automatically adds the property to agent.properties as true (https://github.com/ibm-messaging/mq-container-mft/blob/7769ed3e86514c20a401ac88575423fca5adc52c/cmd/runagent/agentconfig.go#L617):

userSandboxes=true is written when the bridge agent is not configured. Why?

#Thu Jan 12 09:49:23 GMT 2023
agentQMgr=AGENT1
agentQMgrPort=1414
agentDesc=
agentQMgrHost=qmgr.example.com
agentQMgrChannel=CHANNEL.NAME
agentName=AGENT1
logCapture=true
maxRestartCount=0
agentSslCipherSpec=ECDHE_RSA_AES_128_CBC_SHA256
agentSslTrustStore=/mqfte/agenttls.p12
agentSslTrustStoreCredentialsFile=/mqfte/MQMFTCredentials.xml
enableQueueInputOutput=true
commandPath=/mqft/commands
userSandboxes=false
agentQMgrAuthenticationCredentialsFile=/mnt/mftdata/mqft/config/QMGR/agents/AGENT1/agentcredentials.xml
userSandboxes=true

How can I disable UserSandboxes with the JSON configmap file? Thank you for your support.

ShashikanthRaoT commented 1 year ago

Hello,

Thank you for raising this issue.

Yes, UserSandbox is always set to true. The intention behind this is to restrict the directories the agent can access on the container file system. Please let me know if you are having issues with the default setting.

Thank you
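
The agent.properties listing in the first post assigns userSandboxes twice, and the appended line is the one that takes effect. As an added example (not code from the mq-container-mft repository), the Go program below reports which value wins for each conflicting key, assuming the agent loads the file with last-occurrence-wins semantics as java.util.Properties does. The type and function names are hypothetical, only simple key=value lines are handled, and the sample is a constructed, shortened copy of the posted file.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Setting records every assignment of one key, in file order.
type Setting struct {
	Values []string // values seen, first to last
	Lines  []int    // 1-based line number of each assignment
}

// Effective is the value a last-occurrence-wins loader ends up with (assumption).
func (s *Setting) Effective() string { return s.Values[len(s.Values)-1] }

// ParseProperties reads key=value lines, skipping blanks and #/! comments.
func ParseProperties(text string) map[string]*Setting {
	out := map[string]*Setting{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		i := strings.Index(line, "=")
		if line == "" || line[0] == '#' || line[0] == '!' || i < 0 {
			continue
		}
		key := strings.TrimSpace(line[:i])
		if out[key] == nil {
			out[key] = &Setting{}
		}
		out[key].Values = append(out[key].Values, strings.TrimSpace(line[i+1:]))
		out[key].Lines = append(out[key].Lines, n)
	}
	return out
}

// Overridden lists keys whose first value differs from the effective one.
func Overridden(p map[string]*Setting) []string {
	var keys []string
	for k, s := range p {
		if s.Values[0] != s.Effective() {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	return keys
}

// Constructed sample, shortened from the listing in the issue.
const sample = "#Thu Jan 12 09:49:23 GMT 2023\nagentName=AGENT1\n" +
	"commandPath=/mqft/commands\nuserSandboxes=false\nuserSandboxes=true\n"

func main() {
	p := ParseProperties(sample)
	for _, k := range Overridden(p) {
		fmt.Printf("%s: lines %v, values %v, effective %q\n", k, p[k].Lines, p[k].Values, p[k].Effective())
	}
}
```

Run against a generated agent.properties, this makes it visible when a value supplied through configuration has been superseded by a line the container entrypoint appended later.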

goffinet commented 1 year ago

Hello, Thank you for your quick reply.

Yes, we have issues with this default setting.

When UserSandbox is enabled, we get an error when writing to a queue:

BFGTR0072E: The transfer failed to complete due to the exception : BFGIO0216E: An attempt to write to queue "QUEUE_NAME@QMGR" by user "mqm" has been denied.

We use the icr.io/ibm-messaging/mqmft:latest in an Openshift deployment and are obliged to modify the agent.properties after a rollout, to stop and restart the agent inside the container.

We are looking for a way to properly disable this setting. But it seems that we have to change the code of mq-container-mft/cmd/runagent/agentconfig.go.

Can you help us?

Best regards,

ShashikanthRaoT commented 1 year ago

Hello, Thank you for the reply. I shall look into the issue. Are you able to use the provided code to build your own custom container image?

Thank you

goffinet commented 1 year ago

Hello. Yes, we are able to build our own custom image but we do not want to lose the official IBM support for the MQ MFT product on Openshift. It would be better for us if the official IBM image could be flexible with this parameter. Best regards,

ShashikanthRaoT commented 1 year ago

Thank you.

Just want to let you know, the image published on icr.io/ibm-messaging/mqmft is a "developer" only image, hence no support is provided. For deploying in production, you will need to build your own image. Any issues found with the agent running inside the container will be supported via the regular IBM support channels.

Hope this helps

Best Regards

goffinet commented 1 year ago

Thank you for your support. Best regards.