Closed emon5122 closed 1 year ago
Hi,
The entropy pool message is just a warning for old kernels before 5.15; it is a message to point users to documentation to understand why the automatic generation of the gpg server key might be slow.
The error you face means you don't have permission to write the serverkey_private.asc apparently. Without more information on your deployment, we can't assess if this qualifies as a bug. How are you deploying to Kubernetes?
Manifest below @dlen
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  generation: 1
  labels:
    app: passbolt
    app.kubernetes.io/instance: passbolt
  name: passbolt
  namespace: passbolt
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: passbolt
      tier: frontend
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: passbolt
        tier: frontend
    spec:
      containers:
        - command:
            - /usr/bin/wait-for.sh
            - '-t'
            - '0'
            - 'mariadb:3306'
            - '--'
            - /docker-entrypoint.sh
          env:
            - name: APP_FULL_BASE_URL
              valueFrom:
                configMapKeyRef:
                  key: APP_FULL_BASE_URL
                  name: passbolt-configmap
                  optional: false
            - name: DATASOURCES_DEFAULT_USERNAME
              valueFrom:
                secretKeyRef:
                  key: MYSQL_USER
                  name: passbolt-secret
                  optional: false
            - name: DATASOURCES_DEFAULT_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: MYSQL_PASSWORD
                  name: passbolt-secret
                  optional: false
            - name: DATASOURCES_DEFAULT_DATABASE
              valueFrom:
                configMapKeyRef:
                  key: DB_NAME
                  name: passbolt-configmap
                  optional: false
            - name: DATASOURCES_DEFAULT_HOST
              valueFrom:
                configMapKeyRef:
                  key: DB_HOST
                  name: passbolt-configmap
                  optional: false
            - name: EMAIL_TRANSPORT_DEFAULT_HOST
              valueFrom:
                secretKeyRef:
                  key: EMAIL_TRANSPORT_DEFAULT_HOST
                  name: passbolt-secret
                  optional: false
            - name: EMAIL_TRANSPORT_DEFAULT_PORT
              valueFrom:
                secretKeyRef:
                  key: EMAIL_TRANSPORT_DEFAULT_PORT
                  name: passbolt-secret
                  optional: false
            - name: EMAIL_TRANSPORT_DEFAULT_USERNAME
              valueFrom:
                secretKeyRef:
                  key: EMAIL_TRANSPORT_DEFAULT_USERNAME
                  name: passbolt-secret
                  optional: false
            - name: EMAIL_TRANSPORT_DEFAULT_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: EMAIL_TRANSPORT_DEFAULT_PASSWORD
                  name: passbolt-secret
                  optional: false
            - name: EMAIL_TRANSPORT_DEFAULT_TLS
              valueFrom:
                secretKeyRef:
                  key: EMAIL_TRANSPORT_DEFAULT_TLS
                  name: passbolt-secret
                  optional: false
            - name: EMAIL_DEFAULT_FROM
              valueFrom:
                secretKeyRef:
                  key: EMAIL_DEFAULT_FROM
                  name: passbolt-secret
                  optional: false
          image: 'passbolt/passbolt:latest-ce'
          imagePullPolicy: IfNotPresent
          name: passbolt
          ports:
            - containerPort: 80
              name: passbolt
              protocol: TCP
          resources:
            limits:
              cpu: '1'
              memory: 1Gi
            requests:
              cpu: 500m
              memory: 512Mi
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /etc/passbolt/gpg
              name: passbolt-gpg-persistent-storage
            - mountPath: /etc/passbolt/jwt
              name: passbolt-jwt-persistent-storage
      dnsPolicy: ClusterFirst
      nodeSelector:
        beta.kubernetes.io/arch: amd64
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      volumes:
        - name: passbolt-gpg-persistent-storage
          persistentVolumeClaim:
            claimName: passbolt-gpg
        - name: passbolt-jwt-persistent-storage
          persistentVolumeClaim:
            claimName: passbolt-jwt
```
Hi again!
This one is easy I think! Volumes in Kubernetes are mounted as root:root, so you need to provide permissions to www-data on your volume passbolt-gpg-persistent-storage.
There are many strategies to do this. You could use an init container or you could overwrite the entrypoint to make a chown before the container starts. Basically you need to chown the /etc/passbolt/gpg that is mounted as root by default. The permissions come from the volume passbolt-gpg-persistent-storage.
If you need more assistance on this I suggest you open an issue on our community forum https://community.passbolt.com
Hope it helps!
Thanks, @dlen for the speedy response. Working like a charm with an init container. Sharing below if anyone ever faces the same issue.
```yaml
initContainers:
  - name: gpg-folder-permissions
    image: busybox
    command: ["sh", "-c", "chmod -R 777 /etc/passbolt/gpg"]
    volumeMounts:
      - name: passbolt-gpg-persistent-storage
        mountPath: /etc/passbolt/gpg
```
If this works, it is what @dlen was indicating:
```yaml
command: ["sh", "-c", "chown -R www-data:www-data /etc/passbolt/gpg"]
```
@garrettboone unfortunately that didn't work for me. I was getting a CrashLoopBackOff, maybe because there was no www-data user or group in that image. I knew giving 777 was not a good idea, especially for a password manager, but I couldn't handle that better.
@emon5122 maybe use nginx?
Yes @garrettboone, perfect.
```yaml
initContainers:
  - name: gpg-folder-permissions
    image: nginx
    command: ["/bin/sh"]
    args: ["-c", "chown -R www-data:www-data /etc/passbolt/gpg"]
    volumeMounts:
      - name: passbolt-gpg-persistent-storage
        mountPath: /etc/passbolt/gpg
```
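A hardened variant of the init container discussed above, added here as an example and not taken from the thread or from the passbolt project. It addresses both problems raised in the exchange: it chowns by numeric ids, so it does not depend on the init image carrying a www-data account (the busybox failure), and it sets an owner-only mode instead of 777, so the server's private key on the PVC is not readable or writable by other users in the container. The uid/gid 33 is an assumption (www-data on Debian-based images); confirm it with `id www-data` inside the running passbolt container before relying on it.

```yaml
# Added example (not from the issue thread or the passbolt project).
# Fixes ownership and mode of the PVC-backed GPG directory once,
# before the passbolt container starts, without making it world-writable.
initContainers:
  - name: gpg-folder-permissions
    image: busybox
    command: ["/bin/sh", "-c"]
    args:
      - |
        set -e
        # ASSUMPTION: 33:33 is www-data in the passbolt image; verify with `id www-data`.
        chown -R 33:33 /etc/passbolt/gpg
        # Owner gets rwx on directories and rw on files; group and others get nothing
        # (directories 700, files 600). Symbolic mode avoids touching the exec bit on files.
        chmod -R u=rwX,go= /etc/passbolt/gpg
        # Print the result numerically so the init container log shows what was applied.
        ls -ln /etc/passbolt/gpg
    volumeMounts:
      - name: passbolt-gpg-persistent-storage
        mountPath: /etc/passbolt/gpg
```

Where the storage driver honours it, setting `securityContext.fsGroup` on the pod spec is the declarative alternative to an init container, but it grants access by group rather than owner, so it still deserves a check of the resulting modes on the key files.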
Using Environment: Kubernetes
Logs below:
Not sure what it is asking for. Any help is appreciated.