fix(batch): windows does not support readonlyRootFilesystem #29145
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text `Exemption Request`. Additionally, if clarification is needed add `Clarification Request` to a comment.
Exemption request: I don't believe an integration test is needed for this fix.
@msambol I'm not sure this actually fixes #29140, because the generated CF template includes the readOnlyRootFilesystem even when the attribute is not present in the code, so it looks like it's setting a default value when it's present. I think a change is also needed somewhere else to prevent the attribute from being generated.
@msambol BTW, thanks a lot for your help on this issue! :)
I probably would modify here to `this.readonlyRootFilesystem = is_windows() ? undefined : props.readonlyRootFilesystem ?? false;` This will make sure Plus add a check here - if os is windows and
// readonlyRootFilesystem isn't applicable to Windows, see https://kubernetes.io/docs/concepts/windows/intro/ | ||
if (this.isWindows(operatingSystemFamily)) { | ||
containerDef.readonlyRootFilesystem = undefined; | ||
} |
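Review bot: the `if (this.isWindows(operatingSystemFamily))` branch clears `containerDef.readonlyRootFilesystem` unconditionally, so a caller who explicitly asked for a read-only root filesystem on a Windows job has that hardening setting dropped with no signal. Consider emitting a warning or a validation error when the property was set explicitly, so the change is visible at synth time rather than only in the generated template.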
@pahud `operatingSystemFamily` isn't available in the constructor so I had to remove it here from the final rendering.
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
Nothing major just a couple comments/thoughts.
@@ -1087,6 +1092,13 @@ export class EcsFargateContainerDefinition extends EcsContainerDefinitionBase im | |||
operatingSystemFamily: this.fargateOperatingSystemFamily?._operatingSystemFamily, | |||
}, | |||
}; | |||
|
|||
// readonlyRootFilesystem isn't applicable to Windows, see https://kubernetes.io/docs/concepts/windows/intro/ | |||
if (this.fargateOperatingSystemFamily?.isWindows()) { |
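Review bot: the comment above the `isWindows()` check links to the Kubernetes Windows documentation, but this class is `EcsFargateContainerDefinition`; a short statement of why the same restriction holds here would save the next reader from following a link about a different orchestrator. With `?.`, an unset `fargateOperatingSystemFamily` skips the branch and leaves `readonlyRootFilesystem` as rendered, which is worth pinning down in a unit test.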
Can we do this as a ternary operation in the above `containerDef`? Or do we need things to render first before we can apply this?
I think I could change this line to use `undefined` instead of `false`?

```
this.readonlyRootFilesystem = props.readonlyRootFilesystem ?? undefined; // <-- was false
```

That would change the default value but that shouldn't matter because the default was `false`? Then I can remove quite a bit of this code.
@msambol If we set `this.readonlyRootFilesystem` from `false` to `undefined`, I am unsure what the consequences of that might be. I assume `undefined` will omit the value vs `false` setting this directly.
Now I think about it, I like the default being undefined but only if the service defaults to `false` when the property is not provided. Let me poke someone from the team that might know more to see whether what you suggest here will have wider side effects we might want to avoid.
@msambol So one thing I missed, we can't update the `this.readonlyRootFilesystem` because that may break customers who expected the default value to be `false`. So I think we have to do it in the way you have it. If we can simplify it with a ternary in the `containerDef` I think that is helpful but not strictly required.
makes sense... I updated the PR.
* Returns true if the operating system family is Windows | ||
*/ | ||
public isWindows(): boolean { | ||
return this._operatingSystemFamily?.toLowerCase().startsWith('windows') ? true : false; |
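Review bot: on the `return` line, `isWindows()` is a prefix match on the lower-cased family string, so it depends on every Windows family value starting with "windows"; state that in the doc comment and cover a Windows value, a Linux value and the unset case in a unit test. `?? false` would also express the unset fallback more directly than `? true : false`.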
@jfuss changed this to a ternary
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).
Here's from the k8s docs:

```
securityContext.readOnlyRootFilesystem - not possible on Windows; write access is required for registry & system processes to run inside the container
```

Closes #29140.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*