containers icon indicating copy to clipboard operation
containers copied to clipboard
verified publisher icon bitnami

[bitnami/elasticsearch] do not fail if asked to chown read-only files

Open ianroberts opened this issue 11 months ago • 17 comments

Description of the change

Add || true to chown commands that operate recursively on folders that are expected to be mounted into the container from volumes or bind mounts, so that the chown does not cause a fatal error if any of the target directories or their children are mounted read-only.

Benefits

Currently when running as root the elasticsearch container will fail to start if any folder under /opt/bitnami/elasticsearch/config is mounted from a read-only filesystem. In particular this happens in the corresponding bitnami Helm chart, where the TLS certificates for Elasticsearch are mounted in from a Kubernetes secret. This change means that such cases are no longer fatal errors - the files in the read-only filesystems will not of course have their ownership changed, but there's not really anything better we can do if the filesystem is read-only.

Possible drawbacks

If a mounted filesystem should have been read-write but was mounted read-only by mistake, it would previously have caused a fatal error, prompting the user to change their configuration; this change will make that a no-op so they might not notice.

Applicable issues

  • fixes #77525

Additional information

This fix should probably be applied before https://github.com/bitnami/charts/pull/31960 is merged.

ianroberts avatar Feb 17 '25 13:02 ianroberts

This Pull Request has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thank you for your contribution.

github-actions[bot] avatar Mar 06 '25 01:03 github-actions[bot]

Still relevant.

ianroberts avatar Mar 06 '25 07:03 ianroberts

Very sensible suggestions, I've implemented them and rebased on the latest main branch.

ianroberts avatar Mar 11 '25 12:03 ianroberts

  • You added both || : and -f option for chown, which is redundant. The option -f suppresses both error exit-code and messages, while the || : would supress the exit code.

My first attempt just used the -f but it turns out that -f suppresses the messages but does not on its own affect the exit code. So I added the || : (now || true) as well to actually fix the issue.

ianroberts avatar Mar 12 '25 09:03 ianroberts

Still waiting for final review.

ianroberts avatar Mar 22 '25 07:03 ianroberts

This Pull Request has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thank you for your contribution.

github-actions[bot] avatar Apr 07 '25 01:04 github-actions[bot]

Not stale, still waiting for final approval by @migruiz4

ianroberts avatar Apr 07 '25 06:04 ianroberts

This Pull Request has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thank you for your contribution.

github-actions[bot] avatar Apr 23 '25 01:04 github-actions[bot]

Not stale. I addressed the review comments six weeks ago on 11th March but my fixes are still awaiting final approval. Please could someone look at this soon as I have another PR on the helm chart that is blocked waiting for this one.

ianroberts avatar Apr 23 '25 08:04 ianroberts

This Pull Request has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thank you for your contribution.

github-actions[bot] avatar May 09 '25 01:05 github-actions[bot]

Not stale. I addressed the review comments six weeks ago on 11th March but my fixes are still awaiting final approval. Please could someone look at this soon as I have another PR on the helm chart that is blocked waiting for this one.

Eight weeks.

@carrodher if @migruiz4 is no longer available to handle this, would you be able to assign someone else?

ianroberts avatar May 09 '25 07:05 ianroberts

Sorry for the delay, this PR was somehow out of our radar. Could you please move the changes to the elasticsearch/9/debian-12 folder, which is the one available in Bitnami at this moment? Thanks

carrodher avatar May 15 '25 08:05 carrodher

Rebased, but the delay is slightly unfortunate if it means there will never be a fixed container released for any Elasticsearch in the 8.x series 😞

ianroberts avatar May 15 '25 09:05 ianroberts

This Pull Request has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thank you for your contribution.

github-actions[bot] avatar May 31 '25 01:05 github-actions[bot]

Not stale - rebased as requested, awaiting final review.

ianroberts avatar May 31 '25 06:05 ianroberts

This Pull Request has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thank you for your contribution.

github-actions[bot] avatar Jun 17 '25 01:06 github-actions[bot]

Rebased a month ago as requested, still waiting for approval and merge.

ianroberts avatar Jun 17 '25 07:06 ianroberts

Hope this gets priority soon, and #31960 as well. Not having auto reload on certificate renewal is a critical problem.

docker-creator avatar Jun 25 '25 06:06 docker-creator

Do you know when an image including this fix is likely to be available on Docker hub? I need to update https://github.com/bitnami/charts/pull/31960 with the fixed image tag before that one can be merged.

ianroberts avatar Jun 28 '25 09:06 ianroberts

The fix was included in the latest released image bitnami/elasticsearch:9.0.3-debian-12-r1

migruiz4 avatar Jul 02 '25 07:07 migruiz4