Removed unnecessary change of group ownership in chmod initContainer

[hvaghani221]

Instead of modifying permissions of the entire pod/container directory, modify only logs file.

A file access control list (ACL) can provide permissions to a specific user or group without modifying the user/group owner of the file.
So, there is no need to change the group owner here:

splunk-otel-collector-chart/helm-charts/splunk-otel-collector/templates/daemonset.yaml

Lines 147 to 149 in f5f6df8

	chgrp -Rv {{ $agent.securityContext.runAsGroup | default 20000 }} /var/lib/docker/containers;
	chmod -R g+rxs /var/lib/docker/containers;
	setfacl -n -Rm d:g:{{ $agent.securityContext.runAsGroup | default 20000 }}:rx,g:{{ $agent.securityContext.runAsGroup | default 20000 }}:rx /var/lib/docker/containers;

[dmitryax]

This is an init container which applies chown one time only, any new pods created after that won't get the right owner flags.

[dmitryax]

I don't think we can apply this change

[hvaghani221]

This is an init container which applies chown one time only, any new pods created after that won't get the right owner flags.

right! I'll close the PR

[hvaghani221]

@dmitryax

splunk-otel-collector-chart/helm-charts/splunk-otel-collector/templates/daemonset.yaml

Lines 147 to 149 in d104bb8

	chgrp -Rv {{ $agent.securityContext.runAsGroup | default 20000 }} /var/lib/docker/containers;
	chmod -R g+rxs /var/lib/docker/containers;
	setfacl -n -Rm d:g:{{ $agent.securityContext.runAsGroup | default 20000 }}:rx,g:{{ $agent.securityContext.runAsGroup | default 20000 }}:rx /var/lib/docker/containers;

Is there any specific reason we need to change the group of all files inside the container directory?
I think we can avoid that and use setfacl without changing the original group.

[dmitryax]

Is there any specific reason we need to change the group of all files inside the container directory?
I think we can avoid that and use setfacl without changing the original group.

I'm not sure. @rockb1017, who introduced this, maybe can answer. Feel free to play with this and see if it's really required

[hvaghani221]

I tested these changes in minikube, EKS and AKS. It is working there. In there,

• Group owner is kept as root
• initContainer applies default ACL in pod directory. So, when a new pod is created, it will automatically inherit the parent's ACL

For some reason, it is not working in openshift(cri).

• If I manually create a file or directory in /var/log/pods, it inherits the ACL
• If I create a pod, the pod directory inherits ACL but the actual log file doesn't inherit, so it is not accessible to the non-root user

EDIT: Same behaviour is mentioned here https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/advanced-configuration.md#running-the-container-in-non-root-user-mode

[dmitryax]

@harshit-splunk does it break this functionality openshift?

[hvaghani221]

@harshit-splunk does it break this functionality openshift?

it doesn't work with the current implementation either for openshift. It only gives read access to existing pod files. Agent will not have read access to newly created pods.

[dmitryax]

Sounds good. @harshit-splunk can you please make the statement that it doesn't work in cri-o more clear here, not just didn't work during testing