Comments (6)
I created a distinct issue #990 for this.
from acs-deployment.
Thanks, I am going to close this then. 👍🏻
from acs-deployment.
Hello, unfortunately the current way to add custom properties is to override JAVA_OPTS entirely via values (make sure to keep default one for better compatibility).
There is an ongoing effort to simplify this common use case for the next release, which will provide support for providing a custom configmap/secret as a source for properties.
Let me know if you have additional concerns.
from acs-deployment.
Thank you for the swift response! I'll look at overriding JAVA_OPTS.
Additional concerns are unrelated to alfresco-global.properties. My first deployment failed because:
- several Ingress resources have an annotation to set their class to nginx. This annotation Not all of them can change the value. I would rather have the annotation completely optional, at least the class name should be configurable because the IngressClass is a cluster resource and not bound to a namespace, so conflicts are to be expected especially with a name as widespread as nginx.
- several Pods require higher privileges to run. I'm forced to relax some Security Context Constraints to allow them to run. It would be much easier to adopt Alfresco in our clusters if it runs with something like OpenShift default restricted-v2 [1] profile.
from acs-deployment.
> - several Ingress resources have an annotation to set their class to nginx. This annotation Not all of them can change the value. I would rather have the annotation completely optional, at least the class name should be configurable because the IngressClass is a cluster resource and not bound to a namespace, so conflicts are to be expected especially with a name as widespread as nginx.
that's another concern we are trying to address soon, right now we are not really supporting any other ingress than ingress-nginx
> - several Pods require higher privileges to run. I'm forced to relax some Security Context Constraints to allow them to run. It would be much easier to adopt Alfresco in our clusters if it runs with something like OpenShift default restricted-v2 [1] profile.
we are aware of this issue with the share image/pod, but I don't recall for any others, could help if you can provide additional details for them.
from acs-deployment.
> we are aware of this issue with the share image/pod, but I don't recall for any others, could help if you can provide additional details for them.
Sure. With default SCC settings, an attempt to deploy the Helm chart of Code Ready Container / OpenShift local 4.13 results in the following issues.
W0821 07:57:17.613177 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": runAsNonRoot != true (container "alfresco-content-services" must not set securityContext.runAsNonRoot=false)
W0821 07:57:17.631141 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "alfresco-content-services" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.631141 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "activemq" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.635153 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "alfresco-content-services" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.635572 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "alfresco-control-center" must set securityContext.allowPrivilegeEscalation=false), seccompProfile (pod or container "alfresco-control-center" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.639977 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "alfresco-content-services" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.643660 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "alfresco-content-services" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.643660 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "alfresco-content-services" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.655524 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "alfresco-search" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.782326 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or containers "wait-db-ready", "alfresco-content-services" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.841770 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "postgresql" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "postgresql" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "postgresql" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "postgresql" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
from acs-deployment.
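The warnings quoted in the comment above repeat the same findings across several resources. As an added example (not part of the thread or of the acs-deployment project), this script reduces such output to one list of failed "restricted" checks per container; the function name `summarize` is hypothetical, and the sample is four of the warning lines from the comment.

```python
import re
from collections import defaultdict

# Matches the client-side warning printed when a workload fails a Pod Security level.
WARNING = re.compile(r'would violate PodSecurity "(?P<level>[^"]+)": (?P<body>.*)$')
# Each violation reads "<check> (<detail>)"; details contain no nested parentheses.
VIOLATION = re.compile(r'(?:^|, )(?P<check>[^(),]+) \((?P<detail>[^()]*)\)')


def summarize(log_text):
    """Return {container: sorted list of failed checks}, de-duplicated across lines."""
    failed = defaultdict(set)
    for line in log_text.splitlines():
        m = WARNING.search(line)
        if not m:
            continue  # not a PodSecurity warning
        for v in VIOLATION.finditer(m.group("body")):
            # Container names are the quoted strings that precede " must ".
            subject = v.group("detail").split(" must ", 1)[0]
            for name in re.findall(r'"([^"]+)"', subject):
                failed[name].add(v.group("check").strip())
    return {name: sorted(checks) for name, checks in sorted(failed.items())}


# Sample input: four warning lines copied from the comment above.
SAMPLE = """\
W0821 07:57:17.613177 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": runAsNonRoot != true (container "alfresco-content-services" must not set securityContext.runAsNonRoot=false)
W0821 07:57:17.635572 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "alfresco-control-center" must set securityContext.allowPrivilegeEscalation=false), seccompProfile (pod or container "alfresco-control-center" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.782326 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or containers "wait-db-ready", "alfresco-content-services" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.841770 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "postgresql" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "postgresql" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "postgresql" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "postgresql" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
"""

if __name__ == "__main__":
    for container, checks in summarize(SAMPLE).items():
        print(f"{container}: {', '.join(checks)}")
```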