From 541d8662b24ab31f0a704a5c12fca2ab250fa72b Mon Sep 17 00:00:00 2001 From: Mihail Radkov Date: Mon, 1 Jul 2024 17:46:31 +0300 Subject: [PATCH] GDB-10462: Updated cluster jobs to always use the temp folder - Updated all cluster jobs to explicitly use `/tmp` as a working directory to avoid permission errors due to the default security context's `readOnlyRootFilesystem` when the container has a starting folder different from `/tmp`. - Updated all utility scripts to use temporary files under `/tmp` for the same reason. - Prepared for version 11.0.1 --- CHANGELOG.md | 10 +++ Chart.yaml | 2 +- files/scripts/graphdb.sh | 18 ++++-- files/scripts/update-cluster.sh | 63 ++++++++++++------- templates/graphdb/statefulset.yaml | 1 + templates/jobs/job-create-cluster.yaml | 1 + templates/jobs/job-patch-cluster.yaml | 1 + .../jobs/job-provision-repositories.yaml | 1 + templates/jobs/job-scale-down-cluster.yaml | 1 + templates/jobs/job-scale-up-cluster.yaml | 1 + templates/proxy/statefulset.yaml | 1 + 11 files changed, 69 insertions(+), 31 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8c17049..892cdbd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,15 @@ # GraphDB Helm chart release notes +## Version 11.0.1 + +GraphDB Helm 11.0.1 is a patch release that includes bug fixes. + +### Fixed + +- Updated all cluster jobs to explicitly use `/tmp` as a working directory to avoid permission errors due to the default security + context's `readOnlyRootFilesystem` when the container has a starting folder different from `/tmp`. +- Updated all utility scripts to use temporary files under `/tmp` for the same reason. + ## Version 11.0.0 Version 11 of the chart addresses a bunch of legacy issues and aims to provide much better user experience and reliability. diff --git a/Chart.yaml b/Chart.yaml index 446ece5..d925896 100644 --- a/Chart.yaml +++ b/Chart.yaml 
@@ -5,7 +5,7 @@ apiVersion: v2 name: graphdb description: GraphDB is a highly efficient, scalable and robust graph database with RDF and SPARQL support. type: application -version: 11.0.0 +version: 11.0.1 appVersion: 10.6.4 kubeVersion: ^1.26.0-0 home: https://graphdb.ontotext.com/ diff --git a/files/scripts/graphdb.sh b/files/scripts/graphdb.sh index ed4afde..906a83e 100755 --- a/files/scripts/graphdb.sh +++ b/files/scripts/graphdb.sh @@ -5,25 +5,29 @@ set -o nounset set -o pipefail function createCluster { - waitAllNodes $1 + local node_count=$1 local configLocation=$2 local timeout=$3 + local response + + waitAllNodes "$node_count" echo "Creating cluster" - curl -o response.json -isSL -m "${timeout}" -X POST \ + response=$(mktemp) + curl -o "$response" -isSL -m "${timeout}" -X POST \ -d @"$configLocation" \ --header "Authorization: Basic ${GRAPHDB_AUTH_TOKEN}" \ --header 'Content-Type: application/json' \ --header 'Accept: */*' \ "http://${GRAPHDB_POD_NAME}-0.${GRAPHDB_SERVICE_NAME}:${GRAPHDB_SERVICE_PORT}/rest/cluster/config" - if grep -q 'HTTP/1.1 201' "response.json"; then + if grep -q 'HTTP/1.1 201' "$response"; then echo "Cluster creation successful!" - elif grep -q 'Cluster already exists.\|HTTP/1.1 409' "response.json" ; then + elif grep -q 'Cluster already exists.\|HTTP/1.1 409' "$response" ; then echo "Cluster already exists" else echo "Cluster creation failed, received response:" - cat response.json + cat "$response" echo exit 1 fi @@ -59,11 +63,13 @@ function waitAllNodes { } function createRepositoryFromFile { - waitAllNodes $1 + local node_count=$1 local repositoriesConfigsLocation=$2 local timeout=60 local success=true + waitAllNodes "$node_count" + echo "Creating repositories" for filename in ${repositoriesConfigsLocation}/*.ttl; do repositoryName=$(grep "rep:repositoryID" "${filename}" | sed -ne 's/rep:repositoryID "//p' | sed -ne 's/" ;//p' | sed -ne 's/^[[:space:]]*//p') 
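Review bot: In createCluster the new `response=$(mktemp)` is neither checked nor cleaned up: no branch removes the file, so the raw response (headers and body of the cluster-config call) stays in the temp directory for the life of the container, and a failed mktemp is only fatal if errexit is set, which this hunk does not show. mktemp also honours `TMPDIR`, so the file lands under /tmp only when that variable is unset; an explicit template such as `response=$(mktemp /tmp/response.XXXXXX) || exit 1` pins the location and fails closed. For cleanup, remove the file before each exit path, or let the script own one `mktemp -d` directory with a single EXIT trap. The same pattern is added in patchCluster, removeNodes, addNodes, deleteCluster and getNodeCountInCurrentCluster in update-cluster.sh. createCluster's closing lines are outside the hunk.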
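Review bot: The loop header `for filename in ${repositoriesConfigsLocation}/*.ttl; do` leaves the directory unquoted and does not handle the no-match case, where bash passes the literal `*.ttl` pattern on to grep. Quoting the directory part and skipping non-existent entries would be `for filename in "${repositoriesConfigsLocation}"/*.ttl; do` followed by `[[ -e "$filename" ]] || continue`. The rest of createRepositoryFromFile is outside the hunk, so whether an empty directory is already handled further down cannot be seen here.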
diff --git a/files/scripts/update-cluster.sh b/files/scripts/update-cluster.sh index fd0400f..c21283e 100644 --- a/files/scripts/update-cluster.sh +++ b/files/scripts/update-cluster.sh @@ -7,23 +7,26 @@ set -o pipefail function patchCluster { local configLocation=$1 local timeout=$2 + local response - echo "Patching cluster" waitService "http://${GRAPHDB_PROXY_SERVICE_NAME}:${GRAPHDB_PROXY_SERVICE_PORT}/proxy/ready" - curl -o patchResponse.json -isSL -m "$timeout" -X PATCH \ + + echo "Patching cluster" + response=$(mktemp) + curl -o "$response" -isSL -m "$timeout" -X PATCH \ --header "Authorization: Basic ${GRAPHDB_AUTH_TOKEN}" \ --header 'Content-Type: application/json' \ --header 'Accept: application/json' \ -d @"$configLocation" \ "http://${GRAPHDB_PROXY_SERVICE_NAME}:${GRAPHDB_PROXY_SERVICE_PORT}/rest/cluster/config" - if grep -q 'HTTP/1.1 200' "patchResponse.json"; then + if grep -q 'HTTP/1.1 200' "$response"; then echo "Patch successful" - elif grep -q 'Cluster does not exist.\|HTTP/1.1 412' "patchResponse.json" ; then + elif grep -q 'Cluster does not exist.\|HTTP/1.1 412' "$response" ; then echo "Cluster does not exist" else echo "Cluster patch failed, received response:" - cat patchResponse.json + cat "$response" echo exit 1 fi @@ -36,6 +39,7 @@ function removeNodes { # DNS suffix in the form of namespace.svc.cluster.local local dns_suffix dns_suffix=$(awk '/search/{print $2}' /etc/resolv.conf) + local response echo "Cluster reported: $currentNodes current nodes" echo "Cluster is expected to have: $expectedNodes nodes" 
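Review bot: The curl call in patchCluster puts the credential on the command line (`--header "Authorization: Basic ${GRAPHDB_AUTH_TOKEN}"`), where it is readable from the process list of anything sharing the container's process namespace, and it targets an `http://` URL, so the Basic token crosses the pod network unencrypted. curl can read the header from a config source instead, e.g. `curl --config <(printf 'header = "Authorization: Basic %s"\n' "$GRAPHDB_AUTH_TOKEN") ...`, which keeps it out of argv. Whether the chart can serve these endpoints over TLS is not visible here; if it cannot, the jobs depend on network policy or mesh encryption for confidentiality. The same header and scheme appear in createCluster, removeNodes, addNodes, deleteCluster, getNodeCountInCurrentCluster and waitService.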
@@ -53,28 +57,30 @@ function removeNodes { exit 0 fi - echo "Scaling the cluster down" for ((i = expectedNodes; i < currentNodes; i++)) do nodes=${nodes}\"${GRAPHDB_POD_NAME}-$i.${GRAPHDB_SERVICE_NAME}.${dns_suffix}:${GRAPHDB_SERVICE_RPC_PORT}\" if [ $i -lt $(expr $currentNodes - 1) ]; then nodes=${nodes}\, fi done - nodes=\{\"nodes\":\[${nodes}\]\} + waitService "http://${GRAPHDB_PROXY_SERVICE_NAME}:${GRAPHDB_PROXY_SERVICE_PORT}/proxy/ready" - curl -o clusterRemove.json -isSL -m 15 -X DELETE \ + + echo "Scaling the cluster down" + response=$(mktemp) + curl -o "$response" -isSL -m 15 -X DELETE \ --header 'Content-Type: application/json' \ --header 'Accept: application/json' \ --header "Authorization: Basic ${GRAPHDB_AUTH_TOKEN}" \ -d "${nodes}" \ "http://${GRAPHDB_PROXY_SERVICE_NAME}:${GRAPHDB_PROXY_SERVICE_PORT}/rest/cluster/config/node" - if grep -q 'HTTP/1.1 200' "clusterRemove.json"; then + if grep -q 'HTTP/1.1 200' "$response"; then echo "Scaling down successful." else echo "Issue scaling down:" - cat clusterRemove.json + cat "$response" echo exit 1 fi @@ -88,6 +94,7 @@ function addNodes { # DNS suffix in the form of namespace.svc.cluster.local local dns_suffix dns_suffix=$(awk '/search/{print $2}' /etc/resolv.conf) + local response echo "Cluster reported: $currentNodes current nodes" echo "Cluster is expected to have: $expectedNodes nodes" 
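Review bot: The separator test `if [ $i -lt $(expr $currentNodes - 1) ]; then` in removeNodes forks `expr` on every iteration and leaves both expansions unquoted; `if (( i < currentNodes - 1 )); then` does the same comparison in the shell. Because `currentNodes` and `expectedNodes` decide which nodes are named in the DELETE body, a guard such as `[[ $currentNodes =~ ^[0-9]+$ && $expectedNodes =~ ^[0-9]+$ ]] || exit 1` before the loop would be worth having, since arithmetic contexts evaluate a variable's contents rather than rejecting non-numeric text. The assignments of both variables are outside the hunk, so such a check may already exist above. addNodes has the same `expr` test.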
@@ -98,34 +105,36 @@ function addNodes { exit 0 fi - echo "Scaling the cluster up" for ((i = currentNodes; i < expectedNodes; i++)) do nodes=${nodes}\"${GRAPHDB_POD_NAME}-$i.${GRAPHDB_SERVICE_NAME}.${dns_suffix}:${GRAPHDB_SERVICE_RPC_PORT}\" if [ $i -lt $(expr $expectedNodes - 1) ]; then nodes=${nodes}\, fi done - nodes=\{\"nodes\":\[${nodes}\]\} + waitService "http://${GRAPHDB_PROXY_SERVICE_NAME}:${GRAPHDB_PROXY_SERVICE_PORT}/proxy/ready" - curl -o clusterAdd.json -isSL -m "${timeout}" -X POST \ + + echo "Scaling the cluster up" + response=$(mktemp) + curl -o "$response" -isSL -m "${timeout}" -X POST \ --header 'Content-Type: application/json' \ --header 'Accept: application/json' \ --header "Authorization: Basic ${GRAPHDB_AUTH_TOKEN}" \ -d "${nodes}" \ "http://${GRAPHDB_PROXY_SERVICE_NAME}:${GRAPHDB_PROXY_SERVICE_PORT}/rest/cluster/config/node" - if grep -q 'HTTP/1.1 200' "clusterAdd.json"; then + if grep -q 'HTTP/1.1 200' "$response"; then echo "Scaling successful." - elif grep -q 'Mismatching fingerprints\|HTTP/1.1 412' "clusterAdd.json"; then + elif grep -q 'Mismatching fingerprints\|HTTP/1.1 412' "$response"; then echo "Issue scaling:" - cat clusterAdd.json + cat "$response" echo echo "Manual clear of the mismatched repositories will be required to add the node" exit 1 else echo "Issue scaling:" - cat clusterAdd.json + cat "$response" echo exit 1 fi 
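Review bot: Success in addNodes is decided by `grep -q 'HTTP/1.1 200' "$response"` over a file that, with `-i` and `-L`, holds every header block of the redirect chain plus the body, so the match can come from an intermediate response or from body text, and an `HTTP/2 200` status line would not match at all. Asking curl for the final status is more reliable: drop `-i`, add `-w '%{http_code}'` and capture it, `status=$(curl -o "$response" -sSL -m "${timeout}" -w '%{http_code}' ...)`, then branch on `"$status"`. The 'Mismatching fingerprints' check can stay a grep on the body. createCluster, patchCluster, removeNodes and deleteCluster decide their outcome the same way.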
@@ -134,18 +143,20 @@ function addNodes { function deleteCluster { waitService "http://${GRAPHDB_POD_NAME}-0.${GRAPHDB_SERVICE_NAME}:${GRAPHDB_SERVICE_PORT}/rest/repositories" - curl -o response.json -isSL -m 15 -X DELETE \ + local response + response=$(mktemp) + curl -o "$response" -isSL -m 15 -X DELETE \ --header "Authorization: Basic ${GRAPHDB_AUTH_TOKEN}" \ --header 'Accept: */*' \ "http://${GRAPHDB_POD_NAME}-0.${GRAPHDB_SERVICE_NAME}:${GRAPHDB_SERVICE_PORT}/rest/cluster/config?force=false" - if grep -q 'HTTP/1.1 200' "response.json"; then + if grep -q 'HTTP/1.1 200' "$response"; then echo "Cluster deletion successful!" - elif grep -q 'Node is not part of the cluster.\|HTTP/1.1 412' "response.json" ; then + elif grep -q 'Node is not part of the cluster.\|HTTP/1.1 412' "$response" ; then echo "No cluster present." else echo "Cluster deletion failed, received response:" - cat response.json + cat "$response" echo exit 1 fi @@ -153,13 +164,17 @@ function deleteCluster { function getNodeCountInCurrentCluster { local node_address="http://${GRAPHDB_POD_NAME}-0.${GRAPHDB_SERVICE_NAME}:${GRAPHDB_SERVICE_PORT}" + waitService "${node_address}/rest/repositories" - curl -o clusterResponse.json -isSL -m 15 -X GET \ + + local response + response=$(mktemp) + curl -o "$response" -isSL -m 15 -X GET \ --header 'Content-Type: application/json' \ --header "Authorization: Basic ${GRAPHDB_AUTH_TOKEN}" \ --header 'Accept: */*' \ "${node_address}/rest/cluster/config" - grep -o "${GRAPHDB_SERVICE_NAME}" "clusterResponse.json" | grep -c "" + grep -o "${GRAPHDB_SERVICE_NAME}" "$response" | grep -c "" } function waitService { @@ -169,7 +184,7 @@ function waitService { local max_attempts=100 until curl --output /dev/null -fsSL -m 5 -H "Authorization: Basic ${GRAPHDB_AUTH_TOKEN}" --silent --fail "${address}"; do - if [[ ${attempt_counter} -eq ${max_attempts} ]];then + if [[ ${attempt_counter} -eq ${max_attempts} ]]; then echo "Max attempts reached" exit 1 fi 
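Review bot: getNodeCountInCurrentCluster derives the node count from `grep -o "${GRAPHDB_SERVICE_NAME}" "$response" | grep -c ""` without first checking that the request succeeded, so an error response is scanned like a valid cluster configuration. The service name is also used as a regular expression and is matched against the response headers as well as the body; `grep -oF -- "${GRAPHDB_SERVICE_NAME}"` on a body-only response, after a status check, would tighten this. Presumably this count becomes `currentNodes` in removeNodes and addNodes, which would turn a miscount into a wrong scale-down or scale-up request; the callers are outside the hunk.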
diff --git a/templates/graphdb/statefulset.yaml b/templates/graphdb/statefulset.yaml index e291aaf..013b9e5 100644 --- a/templates/graphdb/statefulset.yaml +++ b/templates/graphdb/statefulset.yaml @@ -225,6 +225,7 @@ spec: {{- with .Values.initContainerResources }} resources: {{ toYaml . | nindent 12 }} {{- end }} + workingDir: /tmp command: [ "bash", "-c" ] args: - | diff --git a/templates/jobs/job-create-cluster.yaml b/templates/jobs/job-create-cluster.yaml index 7e20dc0..8b2f83a 100644 --- a/templates/jobs/job-create-cluster.yaml +++ b/templates/jobs/job-create-cluster.yaml @@ -66,6 +66,7 @@ spec: - name: cluster-config mountPath: /tmp/cluster-config/cluster-config.json subPath: {{ .Values.cluster.config.configmapKey }} + workingDir: /tmp command: ["bash"] args: - "/tmp/utils/graphdb.sh" diff --git a/templates/jobs/job-patch-cluster.yaml b/templates/jobs/job-patch-cluster.yaml index 897c300..13d4036 100644 --- a/templates/jobs/job-patch-cluster.yaml +++ b/templates/jobs/job-patch-cluster.yaml @@ -70,6 +70,7 @@ spec: - name: cluster-config mountPath: /tmp/cluster-config/cluster-config.json subPath: {{ .Values.cluster.config.configmapKey }} + workingDir: /tmp command: ["bash"] args: - "/tmp/utils/update-cluster.sh" diff --git a/templates/jobs/job-provision-repositories.yaml b/templates/jobs/job-provision-repositories.yaml index 1762b01..e4c656d 100644 --- a/templates/jobs/job-provision-repositories.yaml +++ b/templates/jobs/job-provision-repositories.yaml @@ -65,6 +65,7 @@ spec: mountPath: /tmp/utils - name: repositories-config mountPath: /tmp/repositories-config + workingDir: /tmp command: ["bash"] args: - "/tmp/utils/graphdb.sh" diff --git a/templates/jobs/job-scale-down-cluster.yaml b/templates/jobs/job-scale-down-cluster.yaml index 0476c72..6771114 100644 --- a/templates/jobs/job-scale-down-cluster.yaml +++ b/templates/jobs/job-scale-down-cluster.yaml 
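Review bot: `workingDir: /tmp` and the scripts' new `mktemp` calls both need /tmp to be a writable mount under `readOnlyRootFilesystem`, and the job-create-cluster.yaml, job-patch-cluster.yaml and job-provision-repositories.yaml hunks show only mounts below it (`/tmp/utils`, `/tmp/cluster-config/cluster-config.json`, `/tmp/repositories-config`). The scale-down and scale-up hunks do show `mountPath: /tmp`, and the volumeMounts lists here start above the hunks, so the mount may already be present. A comment next to the new line, for example `# requires the writable /tmp volume; the root filesystem is read-only`, would record that dependency.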
@@ -65,6 +65,7 @@ spec: mountPath: /tmp - name: graphdb-utils mountPath: /tmp/utils + workingDir: /tmp command: ["bash"] args: - "/tmp/utils/update-cluster.sh" diff --git a/templates/jobs/job-scale-up-cluster.yaml b/templates/jobs/job-scale-up-cluster.yaml index 693b05d..f3f82ad 100644 --- a/templates/jobs/job-scale-up-cluster.yaml +++ b/templates/jobs/job-scale-up-cluster.yaml @@ -66,6 +66,7 @@ spec: mountPath: /tmp - name: graphdb-utils mountPath: /tmp/utils + workingDir: /tmp command: ["bash"] args: - "/tmp/utils/update-cluster.sh" diff --git a/templates/proxy/statefulset.yaml b/templates/proxy/statefulset.yaml index dd553a4..6547a31 100644 --- a/templates/proxy/statefulset.yaml +++ b/templates/proxy/statefulset.yaml @@ -183,6 +183,7 @@ spec: mountPath: /tmp/graphdb/graphdb-extra-secret.properties subPath: {{ .Values.proxy.configuration.extraProperties.secretKey }} {{- end }} + workingDir: /tmp command: [ "bash", "-c" ] args: - |