[bitnami/mediawiki] Upgrade mediawiki helm package 20.0.2 and having a file permission denied issue

[iain-ilearner]

Name and Version

bitnami/mediawiki 20.0.2

What architecture are you using?

amd64

What steps will reproduce the bug?

There seems to be an equivalent issue for mediawiki that affected wordpress in issue #24590

helm upgrade wiki oci://registry-1.docker.io/bitnamicharts/mediawiki 

Are you using any custom parameters or values?

values.yaml:

    extraVolumes:
      - name: custom-htaccess
        configMap:
          name: wiki-htaccess-configmap
          items:
            - key: mediawiki-htaccess.conf
              path: mediawiki-htaccess.conf

What do you see instead?

cp: cannot create regular file '/opt/bitnami/apache/conf/./vhosts/00_status-vhost.conf': Permission denied
cp: cannot create regular file '/opt/bitnami/apache/conf/./vhosts/mediawiki-https-vhost.conf': Permission denied
cp: cannot create regular file '/opt/bitnami/apache/conf/./vhosts/mediawiki-vhost.conf': Permission denied

[juan131]

Hi @iain-ilearner

As you can see in the link below, new major version of the Mediawiki chart includes some security enhancements:

• https://github.com/bitnami/charts/tree/main/bitnami/mediawiki#to-2000

The new security defaults for Mediawiki containers set restrictive rules such as using read-only filesystems. This is a great feature to prevent a series of attacks but it also sets some challenges for the application to work on such a restrictive environment.

Could you please share the extraVolumeMounts section you're using? It's very likely that you're overwriting volume mount below that it's required for providing to Bitnami Mediawiki initializations scripts capabilities to write in the /opt/bitnami/apache/conf directory.

• https://github.com/bitnami/charts/blob/main/bitnami/mediawiki/templates/deployment.yaml#L224-L226

[iain-ilearner]

Could you please share the extraVolumeMounts section you're using?

Sure thing, it's here:

extraVolumeMounts:
  - mountPath: /opt/bitnami/apache/conf/vhosts/htaccess
    name: custom-htaccess

Is this not the supported way to add supplemental apache conf?

I guess I was trying to replicate bitmani/vms style config.

[juan131]

Hi @iain-ilearner

Could you try mounting your custom mediawiki-htaccess.conf at /opt/bitnami/apache/conf.default/vhosts/htaccess instead? Check these values as example:

extraVolumes:
  - name: custom-htaccess
    configMap:
      name: wiki-htaccess-configmap
      items:
        - key: mediawiki-htaccess.conf
          path: mediawiki-htaccess.conf
extraVolumeMounts:
  - mountPath: /opt/bitnami/apache/conf.default/vhosts/htaccess
    name: custom-htaccess
extraDeploy:
  - apiVersion: v1
    kind: ConfigMap
    metadata:
      name: wiki-htaccess-configmap
    data:
      mediawiki-htaccess.conf: |
        <Directory "/opt/bitnami/mediawiki/cache">
          Require all denied
        </Directory>
        <Directory "/opt/bitnami/mediawiki/images">
          <IfModule headers_module>
          Header set X-Content-Type-Options nosniff
          </IfModule>
          <IfModule php7_module>
          php_flag engine off
          </IfModule>
          <IfModule php_module>
          php_flag engine off
          </IfModule>
        </Directory>

[iain-ilearner]

Thanks very much for the suggestion. I have now had time to test the new config and can confirm putting the htaccess file at /opt/bitnami/apache/conf.default/vhosts/htaccess works and allows the pod to start without any issues.

[juan131]

Awesome @iain-ilearner ! I proceed to close the issue but please don't hesitate to let us know if you require further help.