I’m trying to build an Elasticsearch Kubernetes series charm. Elasticsearch needs a bigger file descriptor limit than the default one; setting this limit in a docker image is supported, but unfortunately not in Kubernetes, as this issue describes: https://github.com/kubernetes/kubernetes/issues/3595
So after creating my own docker image and adapting my spec_template I get the following error when I try to deploy the charm:
ubuntu@osm2:~/canonical-osm/charms/layers$ kubectl -n osm logs elasticsearch-k8s-0
bin/custom-entrypoint.sh: line 5: ulimit: open files: cannot modify limit: Operation not permitted
Based on my limited kubernetes knowledge it seems to me that the securityContext options aren’t taking effect. Is what I’m trying to achieve even possible with the current state of kubernetes charms?
Dockerfile:
FROM docker.elastic.co/elasticsearch/elasticsearch-oss:6.4.2
WORKDIR /usr/share/elasticsearch
USER root
COPY configs/elasticsearch.yml config/
COPY custom-entrypoint.sh bin/
VOLUME /usr/share/elasticsearch/data
RUN chown elasticsearch:elasticsearch config/elasticsearch.yml config/log4j2.properties bin/custom-entrypoint.sh && \
    chmod 0750 bin/custom-entrypoint.sh
CMD ["/bin/bash","bin/custom-entrypoint.sh"]
custom-entrypoint.sh:
#!/bin/bash
set -e
ulimit -n 65536
ulimit -u 2048
# Set memlock limit
ulimit -l unlimited
# Call original entrypoint script
# Maybe su elasticsearch bin/es-docker "$@"
exec /docker-entrypoint.sh "${@}"
Recent 2.5 releases support security context at a container level (which I think is what you want).
2.6 beta 1 supports security context for the pod.
What you have looks syntactically valid. Can you use kubectl to inspect the deployed pod just to make sure that the container spec is being correctly set up by Juju to have the specified security context?
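To follow up on the suggestion to inspect the deployed pod: raising a hard rlimit (which is what `ulimit -n 65536` and `ulimit -l unlimited` do in bash) needs CAP_SYS_RESOURCE, so the thing to look for in `kubectl get pod -o json` output is whether each container's securityContext actually grants it. The script below is an added example, not part of this thread or of the charm; the pod document is constructed to mirror the real `spec.containers[].securityContext` layout, and the image names are placeholders.

```python
import json

# Constructed sample of what `kubectl -n osm get pod elasticsearch-k8s-0 -o json`
# could return; only the fields this check reads are included.
SAMPLE_POD_JSON = """
{
  "kind": "Pod",
  "metadata": {"name": "elasticsearch-k8s-0", "namespace": "osm"},
  "spec": {
    "securityContext": {"runAsUser": 1000},
    "containers": [
      {"name": "elasticsearch-k8s",
       "image": "example.invalid/elasticsearch-k8s:PLACEHOLDER",
       "securityContext": {"capabilities": {"add": ["SYS_RESOURCE"]}}},
      {"name": "sidecar",
       "image": "example.invalid/sidecar:PLACEHOLDER",
       "securityContext": {"privileged": true}},
      {"name": "plain",
       "image": "example.invalid/plain:PLACEHOLDER"}
    ]
  }
}
"""


def can_raise_hard_limits(container):
    """Return (allowed, reason): may this container raise a hard rlimit?

    setrlimit(2) only lets a process raise a hard limit when it holds
    CAP_SYS_RESOURCE; otherwise the call fails with EPERM, which bash
    reports as 'cannot modify limit: Operation not permitted'."""
    sc = container.get("securityContext") or {}
    if sc.get("privileged"):
        # Works, but grants every capability; far broader than the one needed.
        return True, "privileged: all capabilities (broader than needed)"
    caps = (sc.get("capabilities") or {}).get("add") or []
    # Kubernetes accepts SYS_RESOURCE and CAP_SYS_RESOURCE; normalise both.
    names = {c.upper()[4:] if c.upper().startswith("CAP_") else c.upper() for c in caps}
    if "SYS_RESOURCE" in names or "ALL" in names:
        return True, "CAP_SYS_RESOURCE granted via capabilities.add"
    return False, "no CAP_SYS_RESOURCE: raising a hard ulimit will fail with EPERM"


def audit_pod(pod_json):
    """Map container name -> (allowed, reason) for every container in the pod."""
    pod = json.loads(pod_json)
    return {c["name"]: can_raise_hard_limits(c) for c in pod["spec"]["containers"]}


if __name__ == "__main__":
    for name, (ok, why) in audit_pod(SAMPLE_POD_JSON).items():
        print(f"{name}: {'OK' if ok else 'BLOCKED'} - {why}")
```

Pipe the real `kubectl ... -o json` output into `audit_pod` to see which of the three outcomes your Juju-rendered container spec falls into; a container reported as BLOCKED will hit exactly the error quoted above.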