diff --git a/AWS/ecs-fargate/README.md b/AWS/ecs-fargate/README.md index 8b65db6..2540698 100644 --- a/AWS/ecs-fargate/README.md +++ b/AWS/ecs-fargate/README.md @@ -54,10 +54,30 @@ ![alt text](images/image-2.png) +### User and permissions changes + +Starting from CloudBeaver v25.0 process inside the container now runs as the ‘dbeaver’ user (‘UID=8978’), instead of ‘root’. +If a user with ‘UID=8978’ already exists in your environment, permission conflicts may occur. +Additionally, the default Docker volumes directory’s ownership has changed. +Previously, the volumes were owned by the ‘root’ user, but now they are owned by the ‘dbeaver’ user (‘UID=8978’). + +### Upgrade from version ≤ 25.0.0 to 25.2.0+ (volume-ownership migration) + +If you are on ≤ 25.0.0, **do not** jump directly to 25.2.0 or later. +First upgrade to 25.1.0, let the stack start once, then upgrade to your desired 25.x.0 tag. + +**Reason:** +25.1.0 still starts as `root` and automatically chowns every files in the volumes to ‘dbeaver’ user (‘UID=8978’). +From 25.2.0 onward the container itself runs only as `dbeaver`, so the volumes must already belong to that UID/GID. + ### Version update -1. Navigate to the `cloudbeaver-deploy/AWS/ecs-fargate` directory. +1. Navigate to `cloudbeaver-deploy` directory. + +2. Run command `git checkout %version%`. + +3. Navigate to the `cloudbeaver-deploy/AWS/ecs-fargate` directory. -2. Specify the desired version in `variables.tf` in the `cloudbeaver_version` variable. +4. Specify the desired version in `variables.tf` in the `cloudbeaver_version` variable. -3. Run `terraform apply` to upgrade the ECS cluster and complete the deployment. +5. Run `terraform apply` to upgrade the ECS cluster and complete the deployment. diff --git a/AWS/ecs-fargate/main.tf b/AWS/ecs-fargate/main.tf index 5514154..16d6c37 100644 --- a/AWS/ecs-fargate/main.tf +++ b/AWS/ecs-fargate/main.tf 
@@ -60,6 +60,7 @@ resource "aws_ecs_task_definition" "cloudbeaver-task" {
 name = "${var.task_name}"
 image = "${var.cloudbeaver_image_source}/${var.cloudbeaver_image_name}:${var.cloudbeaver_version}"
 essential = true
+ user = "8978:8978"
 environment = local.updated_cloudbeaver_env
 logConfiguration = {
 "logDriver": "awslogs"
diff --git a/README.md b/README.md
index b50705e..0903cc4 100644
--- a/README.md
+++ b/README.md
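Review bot: `user = "8978:8978"` only changes the identity the container runs as; it does not change the ownership of anything the task mounts, and ECS has no counterpart to Kubernetes' `fsGroup`, so if this task definition attaches EFS volumes for the workspace (the volume blocks are outside this hunk) the data must already be owned by 8978:8978 or the container will fail on first write. Where an EFS access point is used, setting its `posix_user` and `root_directory.creation_info` to uid/gid 8978 enforces that ownership independently of what is already on the file system. Otherwise the README's intermediate 25.1.0 run is the only step that migrates existing root-owned data, which is worth stating next to this line, e.g. `# run as the image's dbeaver user; mounted volumes must already be owned by 8978:8978 (see README: upgrade via 25.1.0 first)`. The container definition continues outside the hunk.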
@@ -30,6 +30,68 @@ If a user with ‘UID=8978’ already exists in your environment, permission con Additionally, the default Docker volumes directory’s ownership has changed. Previously, the volumes were owned by the ‘root’ user, but now they are owned by the ‘dbeaver’ user (‘UID=8978’). +### Upgrade from version ≤ 25.0.0 to 25.2.0+ (volume-ownership migration) + +If you are on ≤ 25.0.0, **do not** jump directly to 25.2.0 or later. +First upgrade to 25.1.0, let the stack start once, then upgrade to your desired 25.x.0 tag. + +**Reason:** +25.1.0 still starts as `root` and automatically chowns every files in the volumes to ‘dbeaver’ user (‘UID=8978’). +From 25.2.0 onward the container itself runs only as `dbeaver`, so the volumes must already belong to that UID/GID. + +Minimal steps: + +1. Pull and run 25.1.0 once (does the chown) +``` +git checkout 25.1.0 +Set the version in your .env file to 25.1.0 +docker compose pull +docker compose up -d +docker compose down # stop it after the first successful start +``` + +2. Pull and run your target 25.2.0+ image +``` +git checkout 25.2.0 (or later version) +Change the version in .env to your target 25.2.0+ tag +docker compose pull +docker compose up -d +``` + +### Bind-volume configuration + +**Use this section only if you want to replace Docker-managed volumes with host-side bind mounts.** + +Since the container now runs as a non-root user, any host directory mountedread-write must be owned by that same UID/GID. +Using the steps above guarantees seamless file-system access while retaining a secure permission scheme on the host. + +1. Create the folders and set ownership + +CloudBeaver containers (v25.2.0+) run as the `dbeaver` user (UID 8978, GID 8978). +Any host directory that is mounted read-write must therefore be owned by the same UID/GID. 
+ +``` +# Create the directories (replace the paths with ones that suit your host) +sudo mkdir -p -m 750 /var/dbeaver/cloudbeaver/{workspace,certificates,custom,keys} + +# Give them to the container’s user and group (UID=8978, GID=8978) +sudo chown -R 8978:8978 /var/dbeaver/cloudbeaver/{workspace,certificates,custom,keys} +``` + +2. Reference the host folders in docker-compose.yml + +Replace each named volume you want to turn into a bind mount using the following template: + +``` +volumes: + : + driver: local + driver_opts: + type: none + o: bind + device: /var/dbeaver/cloudbeaver/ +``` + ### Configuring proxy server (Nginx / HAProxy) Starting from v25.1, CloudBeaver supports two types of proxy servers: Nginx and HAProxy. You can choose your preferred proxy type by setting the following variable in the .env file: @@ -163,9 +225,12 @@ podman-compose -f podman-compose.yml up -d or replace `docker-compose.yml` with `podman-compose.yml` and use `podman-compose` without compose project definition ### Updating the cluster -1. Replace the value of `CLOUDBEAVER_VERSION_TAG` in `.env` with a preferred version. If you use the tag `latest`, you don't need to do anything during this step. -2. Pull new docker images: `docker-compose pull` or `docker compose pull` -3. Restart the cluster: `docker-compose up -d` or `docker compose up -d` + +1. Navigate to `cloudbeaver-deploy` +2. Run command `git checkout %version%` +3. Replace the value of `CLOUDBEAVER_VERSION_TAG` in `.env` with a preferred version. If you use the tag `latest`, you don't need to do anything during this step. +4. Pull new docker images: `docker-compose pull` or `docker compose pull` +5. Restart the cluster: `docker-compose up -d` or `docker compose up -d` ## Kubernetes/Helm Deployment diff --git a/docker-compose-host.yml b/docker-compose-host.yml index c1e5652..5d10b9d 100644 --- a/docker-compose-host.yml +++ b/docker-compose-host.yml 
@@ -28,10 +28,11 @@ services:
 hostname: cloudbeaver
 network_mode: host
 restart: unless-stopped
+ user: "8978"
 volumes:
 - cloudbeaver:/opt/cloudbeaver/workspace
 - cloudbeaver_certs:/opt/cloudbeaver/conf/certificates/
- - trusted_cacerts:/opt/cloudbeaver/workspace/.data/custom/
+ - trusted_cacerts:/opt/cloudbeaver/conf/custom/
 - api_tokens:/opt/cloudbeaver/conf/keys/
 environment:
 - CLOUDBEAVER_DB_DRIVER=${CLOUDBEAVER_DB_DRIVER}
diff --git a/docker-compose.yml b/docker-compose.yml
index 1a8b8a0..9ef39e4 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -33,10 +33,11 @@ services:
 restart: unless-stopped
 hostname: cloudbeaver
 image: ${IMAGE_SOURCE:-dbeaver}/cloudbeaver-ee:${CLOUDBEAVER_VERSION_TAG}
+ user: "8978"
 volumes:
 - cloudbeaver:/opt/cloudbeaver/workspace
 - cloudbeaver_certs:/opt/cloudbeaver/conf/certificates/
- - trusted_cacerts:/opt/cloudbeaver/workspace/.data/custom/
+ - trusted_cacerts:/opt/cloudbeaver/conf/custom/
 - api_tokens:/opt/cloudbeaver/conf/keys/
 environment:
 - CLOUDBEAVER_DB_DRIVER=${CLOUDBEAVER_DB_DRIVER}
diff --git a/k8s/README.md b/k8s/README.md
index d5bedf1..220e682 100644
--- a/k8s/README.md
+++ b/k8s/README.md
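Review bot: `user: "8978"` pins only the UID; the primary GID then comes from whatever the image's `/etc/passwd` lists for 8978, and falls back to 0 when there is no such entry, whereas `main.tf` in this same commit pins `"8978:8978"` and the README's bind-volume steps `chown -R 8978:8978` on the host. Writing `user: "8978:8978"` makes the compose files agree with the other deployments and rules out a silent fall-back to GID 0 on an image whose passwd lookup fails. The same applies to the `docker-compose.yml` hunk below and to the `podman-compose.yml` hunk later in the diff. The service definition starts before this hunk.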
@@ -25,6 +25,15 @@ If a user with ‘UID=8978’ already exists in your environment, permission con Additionally, the default Docker volumes directory’s ownership has changed. Previously, the volumes were owned by the ‘root’ user, but now they are owned by the ‘dbeaver’ user (‘UID=8978’). +### Upgrade from version ≤ 25.0.0 to 25.2.0+ (volume-ownership migration) + +If you are on ≤ 25.0.0, **do not** jump directly to 25.2.0 or later. +First upgrade to 25.1.0, let the stack start once, then upgrade to your desired 25.x.0 tag. + +**Reason:** +25.1.0 still starts as `root` and automatically chowns every files in the volumes to ‘dbeaver’ user (‘UID=8978’). +From 25.2.0 onward the container itself runs only as `dbeaver`, so the volumes must already belong to that UID/GID. + ### How to run services - Clone this repo from GitHub: `git clone https://github.com/dbeaver/cloudbeaver-deploy` - `cd cloudbeaver-deploy/k8s` 
@@ -40,24 +49,19 @@ Previously, the volumes were owned by the ‘root’ user, but now they are owne ### Version update procedure. -- Change directory to `cloudbeaver-deploy/k8s`. +- Navigate to `cloudbeaver-deploy` +- Run command `git checkout %version%` +- Navigate to `cloudbeaver-deploy/k8s`. - Change value of `imageTag` in configuration file `values.yaml` with a preferred version. Go to next step if tag `latest` set. - Upgrade cluster: `helm upgrade cloudbeaver ./ --values ./values.yaml` ### OpenShift deployment -You need additional configuration changes - -- In `values.yaml` change the `ingressController` value to `haproxy` -- Add security context - Uncomment the following lines in `cloudbeaver.yaml` files in [templates/deployment](templates/deployment): - ```yaml - # securityContext: - # runAsUser: 1000 - # runAsGroup: 1000 - # fsGroup: 1000 - # fsGroupChangePolicy: "Always" - ``` +Containers run as user `dbeaver` (UID=8978). For OpenShift deployment: + +1. In `values.yaml` change the `ingressController` value to `haproxy` +2. Create and configure a ServiceAccount with appropriate SCC to run containers as UID=8978 +3. In `values.yaml` add `serviceAccountName` under `cloudbeaver` section ### Digital Ocean proxy configuration diff --git a/k8s/templates/deployment/cloudbeaver.yaml b/k8s/templates/deployment/cloudbeaver.yaml index 90900a6..4bed9ef 100644 --- a/k8s/templates/deployment/cloudbeaver.yaml +++ b/k8s/templates/deployment/cloudbeaver.yaml 
@@ -19,11 +19,15 @@ spec:
 {{ .Release.Name }}-private-net: "true"
 app: cloudbeaver
 spec:
- # securityContext:
- # runAsUser: 1000
- # runAsGroup: 1000
- # fsGroup: 1000
- # fsGroupChangePolicy: "Always"
+ {{- if .Values.cloudbeaver.serviceAccountName }}
+ serviceAccountName: {{ .Values.cloudbeaver.serviceAccountName }}
+ {{- end }}
+ securityContext:
+ runAsUser: 8978
+ runAsGroup: 8978
+ fsGroup: 8978
+ runAsNonRoot: true
+ fsGroupChangePolicy: "OnRootMismatch"
 containers:
 - image: "{{ .Values.cloudbeaver.image }}:{{ .Values.cloudbeaver.imageTag | default .Chart.AppVersion }}"
 imagePullPolicy: "{{ .Values.cloudbeaver.pullPolicy }}"
diff --git a/k8s/values.yaml.example b/k8s/values.yaml.example
index 2f896c2..583c995 100644
--- a/k8s/values.yaml.example
+++ b/k8s/values.yaml.example
@@ -8,6 +8,7 @@ cloudbeaver: image: dbeaver/cloudbeaver-ee
 imageTag: "ea"
 pullPolicy: Always
+ # serviceAccountName - required for OpenShift deployments to run as UID=8978
 # pullCredsName - name of a secret config map that contains docker repo auths # pullCredsName: regcred
diff --git a/podman-compose.yml b/podman-compose.yml
index 639fb95..dc5bf81 100644
--- a/podman-compose.yml
+++ b/podman-compose.yml
@@ -35,12 +35,13 @@ services:
 restart: unless-stopped
 hostname: cloudbeaver
 image: ${PODMAN_IMAGE_SOURCE:-docker.io/dbeaver}/cloudbeaver-ee:${CLOUDBEAVER_VERSION_TAG}
+ user: "8978"
 deploy:
 replicas: ${REPLICA_COUNT_EE:-1}
 volumes:
 - cloudbeaver:/opt/cloudbeaver/workspace:z
 - cloudbeaver_certs:/opt/cloudbeaver/conf/certificates/:z
- - trusted_cacerts:/opt/cloudbeaver/workspace/.data/custom/:z
+ - trusted_cacerts:/opt/cloudbeaver/conf/custom/:z
 - api_tokens:/opt/cloudbeaver/conf/keys/:z
 environment:
 - CLOUDBEAVER_DB_DRIVER=${CLOUDBEAVER_DB_DRIVER}
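Review bot: The new pod-level `securityContext` fixes the UID/GID, but nothing in the hunk restricts what the non-root process can still do: there is no container-level `securityContext`, so `allowPrivilegeEscalation` keeps its default of true and the container keeps the runtime's default capability set. Now that the pod no longer needs root, dropping all capabilities, forbidding privilege escalation and requesting the runtime seccomp profile on the container itself is the usual complement to `runAsNonRoot: true`, and it is what the `restricted` Pod Security Standard checks for. This presumes the image relies on no setuid helpers, which I cannot see from here and is worth confirming before merging. The container spec continues past the hunk, so the block below sits right after `imagePullPolicy`.
```yaml
      containers:
        - image: "{{ .Values.cloudbeaver.image }}:{{ .Values.cloudbeaver.imageTag | default .Chart.AppVersion }}"
          imagePullPolicy: "{{ .Values.cloudbeaver.pullPolicy }}"
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          # … unchanged: rest of the container spec …
```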
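Review bot: Under rootless Podman, `user: "8978"` is a UID inside the container's user namespace and shows up on the host as a subordinate UID from the invoking user's `/etc/subuid` range, not as 8978; the README's host-side `chown -R 8978:8978` recipe for bind mounts therefore does not produce writable directories in that setup, although the named volumes with `:z` used in this hunk are unaffected. A comment next to the new key would save that debugging round, e.g. `# UID inside the container; for rootless podman, set bind-mount ownership with 'podman unshare chown 8978:8978 <host-path>'`. The service definition starts before this hunk.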