Start celery without uid #2923
I have to check again why I have done that. It was to remove the Does docker-compose still work without https://github.com/DefectDojo/django-DefectDojo/blob/dev/docker-compose.yml#L42 then?
@madchap I just disabled root from the docker-compose since root is only needed when celery is started with "--uid". Celery beat is started with the user defined in Dockerfile in both docker-compose and k8s.
Doing a quick run on docker-compose, applying your change, beat exits with the following error
@madchap Don't forget to rebuild django image with the modified entrypoint-celery-beat.sh. _setuid is only called when "--uid" is set. docker exec -it madchap_ddojo_celerybeat_1 cat /entrypoint-celery-beat.sh?
Indeed, I should not attempt to do too many things at once. Works now.
Thanks for catching this.
https://github.com/DefectDojo/django-DefectDojo/blob/dev/helm/defectdojo/templates/celery-beat-deployment.yaml#L49-L52 could then probably be modified as well?
I have no idea how all this k8s/helm stuff works, so cannot review this one.
Since securityContext is not defined for other containers (django, nginx, worker), celery-beat-deployment.yaml should do the same. If not, the container will be started as root.
Spawned up minikube, rebuilt images removing the deployment's
@uncycler do you mind removing https://github.com/DefectDojo/django-DefectDojo/blob/dev/helm/defectdojo/templates/celery-beat-deployment.yaml#L49-L52 as part of your PR? Thanks.
It's done.
When celery is started with the "--uid" argument, it needs root access. In docker, it is superfluous since the Dockerfile.django already starts the process with the good uid. This causes an issue when starting celery-beat in K8s with a securityContext.
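
The reasoning in this pull request, reduced to a preflight check an entrypoint could run before launching celery. This is an added example, not DefectDojo's entrypoint script; the function names, return codes and the sample uid 1001 are assumptions.

```shell
#!/bin/sh
# Added illustration, not the project's code. Function names and return
# codes are hypothetical; the rule "--uid needs root" is taken from the PR text.

# has_uid_flag ARGS...: succeed if the argument list carries --uid or --uid=VALUE.
has_uid_flag() {
    for arg in "$@"; do
        case "$arg" in
            --uid|--uid=*) return 0 ;;
        esac
    done
    return 1
}

# check_celery_identity EUID ARGS...
#   0  consistent: non-root without --uid (user comes from the image or the
#      securityContext), or root with --uid (celery switches away from root)
#   2  root without --uid: the process would keep running as root
#   3  non-root with --uid: celery would attempt a uid switch it has no
#      privilege for, the failure seen under a K8s securityContext
check_celery_identity() {
    euid=$1
    shift
    if [ "$euid" -eq 0 ]; then
        if has_uid_flag "$@"; then
            return 0
        fi
        return 2
    fi
    if has_uid_flag "$@"; then
        return 3
    fi
    return 0
}

# Typical use at the top of an entrypoint (constructed sample arguments):
#   check_celery_identity "$(id -u)" beat --uid=1001 || exit $?
```

Passing the effective uid as a parameter keeps the check testable without actually running as root.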