
feat(docker): read only root filesystem support #11877

Status: Merged (1 commit, Mar 2, 2023)

Conversation

@megglos (Contributor) commented Mar 1, 2023

Description

This declares /tmp as a VOLUME in the Dockerfile which makes sure this path is always backed by a volume. As of now spring(tomcat), rocksDb and zeebe itself (hot backup compression) write to /tmp. Given that the hot backup could potentially write larger chunks of data to it I generally think a volume is a reasonable default.

Given that now all directories written to are declared as volumes a read only root filesystem can be enabled without any further setup needed. A test is added to ensure this works going forward.

I would go for backporting this to previous stable versions for alignment and ease of use.

I also verified it works on k8s

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: test
spec:
  containers:
  - name: test
    image: gcr.io/zeebe-io/zeebe:sb-pr-11877
    securityContext:
      runAsUser: 1000
      readOnlyRootFilesystem: true
```

Which previously failed with write permission errors.

Related issues

closes #11876

Not all items need to be done depending on the issue and the pull request.

Code changes:

  • The changes are backwards compatible with previous versions
  • If it fixes a bug then PRs are created to backport the fix to the last two minor versions. You can trigger a backport by assigning labels (e.g. backport stable/1.3) to the PR; in case that fails you need to create backports manually.

Testing:

  • There are unit/integration tests that verify all acceptance criteria of the issue
  • New tests are written to ensure backwards compatibility with future versions
  • The behavior is tested manually
  • The change has been verified by a QA run
  • The impact of the changes is verified by a benchmark
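The PR's argument is that once every directory the process writes to is declared as a VOLUME, the root filesystem can be made read-only with no further setup. The script below is an added example (not code from the Zeebe repository or this PR) of how a defender can check that precondition from a Dockerfile before enabling `readOnlyRootFilesystem: true` or `docker run --read-only`: it extracts the declared volumes, in both the plain and the JSON `VOLUME` forms, and reports every expected write path that is not inside one of them. The two Dockerfiles and the write paths (`/usr/local/zeebe/data`, `/tmp/hot-backup`) are constructed for the example; only `/tmp` comes from the PR.

```shell
#!/bin/sh
# Added example, not part of the Zeebe PR: verify that every path a container
# writes to is covered by a declared VOLUME, so a read-only root filesystem
# will not cause write-permission errors at runtime.

# Print one declared VOLUME path per line. Handles "VOLUME /a /b" and the
# JSON form VOLUME ["/a", "/b"]; the instruction keyword is case-insensitive.
volumes_in_dockerfile() {
    grep -iE '^[[:space:]]*VOLUME[[:space:]]' "$1" \
    | sed -E 's/^[[:space:]]*[Vv][Oo][Ll][Uu][Mm][Ee][[:space:]]+//; s/[][",]/ /g' \
    | tr -s ' ' '\n' \
    | grep '^/'
}

# Usage: check_write_paths <Dockerfile> <write path>...
# Returns 0 if every write path equals, or lies below, a declared volume;
# otherwise prints each uncovered path and returns 1.
check_write_paths() {
    dockerfile=$1; shift
    vols=$(volumes_in_dockerfile "$dockerfile")
    rc=0
    for p in "$@"; do
        covered=0
        for v in $vols; do
            case "$p" in
                "$v"|"$v"/*) covered=1 ;;
            esac
        done
        if [ "$covered" -eq 0 ]; then
            echo "NOT COVERED: $p (would fail under a read-only root filesystem)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample Dockerfiles: "before" declares only the data directory,
# "after" additionally declares /tmp, as the PR does. Base image and data path
# are hypothetical stand-ins, not the project's real values.
DF_BEFORE=$(mktemp); DF_AFTER=$(mktemp)
trap 'rm -f "$DF_BEFORE" "$DF_AFTER"' EXIT
cat > "$DF_BEFORE" <<'EOF'
FROM example-base:1
WORKDIR /usr/local/zeebe
VOLUME ["/usr/local/zeebe/data"]
EOF
cat > "$DF_AFTER" <<'EOF'
FROM example-base:1
WORKDIR /usr/local/zeebe
VOLUME ["/usr/local/zeebe/data"]
VOLUME /tmp
EOF

# Paths the process is expected to write to (constructed list; /tmp is the
# one the PR identifies, /tmp/hot-backup illustrates sub-path coverage).
WRITE_PATHS="/usr/local/zeebe/data /tmp /tmp/hot-backup"

# shellcheck disable=SC2086  # intentional word splitting of WRITE_PATHS
check_write_paths "$DF_BEFORE" $WRITE_PATHS && echo "before: safe for read-only root" \
                                             || echo "before: not safe for read-only root"
check_write_paths "$DF_AFTER"  $WRITE_PATHS && echo "after: safe for read-only root"
```

Run it against the real Dockerfile and the directories your deployment actually writes to (log directories and any exec or cache paths included); a clean result is the point at which `readOnlyRootFilesystem: true` becomes a drop-in hardening setting rather than a source of startup failures.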

github-actions bot (Contributor) commented Mar 1, 2023

Test Results

```text
   997 files  ±    0     997 suites  ±0   1h 42m 43s ⏱️ - 8m 30s
8 033 tests +255  8 023 ✔️ +255  10 💤 ±0  0 ±0
8 230 runs  +255  8 220 ✔️ +255  10 💤 ±0  0 ±0
```

Results for commit 6a876ba. ± Comparison against base commit ae6dbfc.

This pull request removes 389 and adds 644 tests. Note that renamed tests count towards both.

@megglos megglos marked this pull request as ready for review March 2, 2023 07:53
@megglos megglos requested a review from npepinpe March 2, 2023 07:53
@npepinpe (Member) left a comment

Looks good! The main change I can see in k8s is that instead of mounting /tmp to the overlay filesystem, it's now mounted in its own isolated filesystem.

I started a benchmark, though I don't really expect any performance difference, but just to be safe 👍

github-actions bot (Contributor) commented Mar 2, 2023

Setup

Deployed to measurement-4311871032

```yaml
camunda-platform:
  zeebe:
    image:
      repository: gcr.io/zeebe-io/zeebe
      tag: meg-11876-read-only-fs-benchmark-6a876ba
  zeebe-gateway:
    image:
      repository: gcr.io/zeebe-io/zeebe
      tag: meg-11876-read-only-fs-benchmark-6a876ba
global:
  image:
    tag: meg-11876-read-only-fs-benchmark-6a876ba
```

Measurement before

Process Instance Execution Time: p99=2.389 p90=0.815 p50=0.226
Throughput: 148.508 PI/s
Grafana

Chaos injection

Deployed chaos network-latency-5

Measurement after

Process Instance Execution Time: p99=3.756 p90=2.136 p50=0.824
Throughput: 73.306 PI/s
Grafana

Details

See https://github.com/camunda/zeebe/actions/runs/4311871032

@megglos (Contributor, Author) commented Mar 2, 2023

bors r+

ghost commented Mar 2, 2023

Build succeeded:

@ghost ghost merged commit d0a9107 into main Mar 2, 2023
@ghost ghost deleted the meg-11876-read-only-fs branch March 2, 2023 10:46
@backport-action (Collaborator): Successfully created backport PR for stable/8.0:

@backport-action (Collaborator): Successfully created backport PR for stable/8.1:

ghost pushed a commit that referenced this pull request Mar 2, 2023
11888: [Backport stable/8.1] feat(docker): read only root filesystem support r=megglos a=backport-action

# Description
Backport of #11877 to `stable/8.1`.

relates to #11876

Co-authored-by: Meggle (Sebastian Bathke) <sebastian.bathke@camunda.com>
ghost pushed a commit that referenced this pull request Mar 2, 2023
11887: [Backport stable/8.0] feat(docker): read only root filesystem support r=megglos a=backport-action

# Description
Backport of #11877 to `stable/8.0`.

relates to #11876

Co-authored-by: Meggle (Sebastian Bathke) <sebastian.bathke@camunda.com>
@megglos megglos added the version:8.1.9 Marks an issue as being completely or in parts released in 8.1.9 label Mar 13, 2023
This pull request was closed.
Labels
benchmark version:8.1.9 Marks an issue as being completely or in parts released in 8.1.9
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Docker: Allow running zeebe with a read-only root filesystem
4 participants