Troubles implementing Passbolt CE on Openshift 4.10

Hi everyone here, don’t know if this is the correct place to find some guidance…

I’m currently trying to run passbolt community (latest) on OCP 4.10.x (openshift)
So far, i created pvc for mariadb, a deployment of mariadb and a service to expose the db to the other pod. When trying to implement the deployment of passbolt it fails and starts restarting itself to the end…

#mariadb pvc
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
    name: passbolt-pvc-clim
    namespace: passbolt
spec:
  accessModes: [ "ReadWriteOnce" ]
  storageClassName: medium
  resources:
    requests:
      storage: 20Gi
---
# service db
apiVersion: v1
kind: Service
metadata:
  name: passbolt-db
  namespace: passbolt
spec:
  ports:
  - port: 3306
  selector:
    app: passbolt-db
  type: ClusterIP
---
# mariadb
apiVersion: apps/v1
kind: Deployment
metadata:
  name: passbolt-db
  namespace: passbolt
spec:
  selector:
    matchLabels:
      app: passbolt-db
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: passbolt-db
    spec:
      containers:
      - image: registry.redhat.io/rhel8/mariadb-103@sha256:ea962f43a266ea7a4d3bd51c21541df25fa34c4ff8f36ac583b5b12730488028
        name: db
        env:
        - name: MYSQL_DATABASE
          valueFrom:
            secretKeyRef:
              name: passbolt-envs
              key: MYSQL_DATABASE
        - name: MYSQL_PASSWORD
          valueFrom:
            secretKeyRef:
              name: passbolt-envs
              key: MYSQL_PASSWORD
        - name: MYSQL_RANDOM_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: passbolt-envs
              key: MYSQL_RANDOM_ROOT_PASSWORD
        - name: MYSQL_USER
          valueFrom:
            secretKeyRef:
              name: passbolt-envs
              key: MYSQL_USER
        ports:
        - containerPort: 3306
          name: passbolt-db
---
# passbolt
apiVersion: apps/v1
kind: Deployment
metadata:
  name: passbolt-web
  namespace: passbolt
  labels:
    app: passbolt-web
spec:
  replicas: 1
  selector:
    matchLabels:
      app: passbolt-web
  template:
    metadata:
      labels:
        app: passbolt-web
    spec:
      containers:
      - name: web
        image: passbolt/passbolt:latest-ce
        env:
        - name: EMAIL_DEFAULT_FROM_NAME
          value: NAME
        - name: EMAIL_DEFAULT_FROM
          value: MAIL
        - name: EMAIL_TRANSPORT_DEFAULT_HOST
          value: IP
        - name: EMAIL_TRANSPORT_DEFAULT_PORT
          value: PORT
        - name: APP_FULL_BASE_URL
          value: passbolt.local
        - name: DATASOURCES_DEFAULT_HOST
          value: passbolt-db.passbolt.svc.cluster.local
        - name: DATASOURCES_DEFAULT_USERNAME
          valueFrom:
            secretKeyRef:
              name: passbolt-envs
              key: MYSQL_USER
        - name: DATASOURCES_DEFAULT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: passbolt-envs
              key: MYSQL_PASSWORD
        - name: DATASOURCES_DEFAULT_DATABASE
          valueFrom:
            secretKeyRef:
              name: passbolt-envs
              key: MYSQL_DATABASE
        command: ["/usr/bin/wait-for.sh", "-t", "0", "passbolt-db.passbolt.svc.cluster.local:3306", "--", "/docker-entrypoint.sh"]
        ports:
        - containerPort: 443

When seeing logs of the POD of passbolt-web it prints:

wait-for.sh: waiting for passbolt-db.passbolt.svc.cluster.local:3306 without a timeout
wait-for.sh: passbolt-db.passbolt.svc.cluster.local:3306 is available after 0 seconds
Password: su: Authentication failure

Checklist
I have read intro post: About the Installation Issues category
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to trouble shoot the problem
I describe the steps on how to reproduce the issue

Thanks in advance, and sorry if something is wrong.
N

Hi @knowledge1st :wave: and welcome to passbolt community forum :handshake:

You won’t be able to run our main image on openshift as there is a su command ran in the entrypoint. And it is not allowed with openshift :confused:

We also have non-root images, maybe can you give a try to them ?

Cheers,

Hi there @_jc!

Just tried with the non-root image (passbolt/passbolt:latest-ce-non-root) and i’m getting this output on the container insde the pod…
Is it fixable?

wait-for.sh: waiting for passbolt-db.passbolt.svc.cluster.local:3306 without a timeout
wait-for.sh: passbolt-db.passbolt.svc.cluster.local:3306 is available after 0 seconds
gpg: WARNING: unsafe ownership on homedir '/var/lib/passbolt/.gnupg'
gpg: failed to create temporary file '/var/lib/passbolt/.gnupg/.#lk0x0000560dbe5945d0.passbolt-web-58f7cc4bfb-w8892.14': Permission denied
gpg: keyblock resource '/var/lib/passbolt/.gnupg/pubring.kbx': Permission denied
gpg: failed to create temporary file '/var/lib/passbolt/.gnupg/.#lk0x0000560dbe58f8a0.passbolt-web-58f7cc4bfb-w8892.14': Permission denied
gpg: can't connect to the agent: Permission denied
gpg: agent_genkey failed: No agent running
gpg: key generation failed: No agent running

Thanks in advance!

Welcome in Openshift world :confused:

GNUPGHOME environment variable is set to /var/lib/passbolt/.gnupg but you cannot use this PATH because of openshift restrictions. And if you try to set another path (/var/www/,gnupg), there is chances you cannot write into because of some hardening done in rootless image.

There is unfortunately no immediate solution, as a custom passbolt docker image has to be built to run it on openshift.

As I already worked with openshift, I started a passbolt distroless side-project (link here) with these restrictions in mind but there is some remaining stuff to do to make this work with openshift.

passbolt is a all-in-one image with nginx, php and a cronjob included, I guess separated nginx and php containers are also required for openshift.

Cheers,

Hi again,

Another solution should be to set the Security Context Contraints (SCC) to anyuid, you should be able to run the container as root user, but this goes against openshift philosophy and is strongly not recommended for production environments.

Cheers,