Bug: Chart has expectations that should be overriden (running as root) #78

samip5 opened this issue Dec 11, 2024 · 4 comments

samip5 commented Dec 11, 2024

The chart or more exactly volume-permissions init-container has the expectation that it runs as root.

This needs a way to not have such an expectation without the ability to disable it.

Running with the following securityContext:

    securityContext:
      runAsNonRoot: true
      runAsUser: 568
      runAsGroup: 65534
      fsGroup: 65534
      fsGroupChangePolicy: OnRootMismatch

    '/deployed-configs/map-gen-settings.json' -> '/factorio/configs/map-gen-settings.json'
    '/deployed-configs/map-settings.json' -> '/factorio/configs/map-settings.json'
    '/deployed-configs/server-adminlist.json' -> '/factorio/configs/server-adminlist.json'
    '/deployed-configs/server-banlist.json' -> '/factorio/configs/server-banlist.json'
    '/deployed-configs/server-settings.json' -> '/factorio/configs/server-settings.json'
    '/deployed-configs/server-whitelist.json' -> '/factorio/configs/server-whitelist.json'
    '/rcon-pw/rconpw' -> '/factorio/configs/rconpw'
    chmod: changing permissions of '/factorio/configs': Operation not permitted
    chmod: changing permissions of '/factorio/configs/map-gen-settings.json': Operation not permitted
    chmod: changing permissions of '/factorio/configs/map-settings.json': Operation not permitted
    chmod: changing permissions of '/factorio/configs/rconpw': Operation not permitted
    chmod: changing permissions of '/factorio/configs/server-adminlist.json': Operation not permitted
    chmod: changing permissions of '/factorio/configs/server-banlist.json': Operation not permitted
    failed to change mode of '/factorio/configs' from 2777 (rwxrwsrwx) to 2777 (rwxrwsrwx)
    chmod: changing permissions of '/factorio/configs/server-whitelist.json': Operation not permitted
    failed to change mode of '/factorio/configs/map-gen-settings.json' from 0777 (rwxrwxrwx) to 0777 (rwxrwxrwx)
    failed to change mode of '/factorio/configs/map-settings.json' from 0777 (rwxrwxrwx) to 0777 (rwxrwxrwx)
    failed to change mode of '/factorio/configs/rconpw' from 0777 (rwxrwxrwx) to 0777 (rwxrwxrwx)
    failed to change mode of '/factorio/configs/server-adminlist.json' from 0777 (rwxrwxrwx) to 0777 (rwxrwxrwx)
    failed to change mode of '/factorio/configs/server-banlist.json' from 0777 (rwxrwxrwx) to 0777 (rwxrwxrwx)
    failed to change mode of '/factorio/configs/server-whitelist.json' from 0777 (rwxrwxrwx) to 0777 (rwxrwxrwx)
    mode of '/factorio/configs/server-settings.json' changed from 0644 (rw-r--r--) to 0777 (rwxrwxrwx)

This results in the init-container exiting with non-successful status and thus the pod will not start.

SQLJames (Owner) commented

This was something that might have come up from https://github.com/SQLJames/factorio-server-charts/pull/69/files when the NFS permissions were addressed. I don't think you need to run as root, but the user is required as it runs as the docker user that was specified. Please see the release notes. If you could test using that user it might resolve this issue.


samip5 commented Dec 11, 2024

Unfortunately seems to make no difference.

    k logs -n games factorio-6564575d4-nb4wr -c volume-permissions-serversettingsconfig
    '/deployed-configs/map-gen-settings.json' -> '/factorio/configs/map-gen-settings.json'
    '/deployed-configs/map-settings.json' -> '/factorio/configs/map-settings.json'
    '/deployed-configs/server-adminlist.json' -> '/factorio/configs/server-adminlist.json'
    '/deployed-configs/server-banlist.json' -> '/factorio/configs/server-banlist.json'
    '/deployed-configs/server-settings.json' -> '/factorio/configs/server-settings.json'
    '/deployed-configs/server-whitelist.json' -> '/factorio/configs/server-whitelist.json'
    '/rcon-pw/rconpw' -> '/factorio/configs/rconpw'
    chmod: changing permissions of '/factorio/configs': Operation not permitted
    chmod: changing permissions of '/factorio/configs/map-gen-settings.json': Operation not permitted
    failed to change mode of '/factorio/configs' from 2777 (rwxrwsrwx) to 2777 (rwxrwsrwx)
    failed to change mode of '/factorio/configs/map-gen-settings.json' from 0777 (rwxrwxrwx) to 0777 (rwxrwxrwx)
    failed to change mode of '/factorio/configs/map-settings.json' from 0777 (rwxrwxrwx) to 0777 (rwxrwxrwx)
    failed to change mode of '/factorio/configs/rconpw' from 0777 (rwxrwxrwx) to 0777 (rwxrwxrwx)
    failed to change mode of '/factorio/configs/server-adminlist.json' from 0777 (rwxrwxrwx) to 0777 (rwxrwxrwx)
    failed to change mode of '/factorio/configs/server-banlist.json' from 0777 (rwxrwxrwx) to 0777 (rwxrwxrwx)
    failed to change mode of '/factorio/configs/server-whitelist.json' from 0777 (rwxrwxrwx) to 0777 (rwxrwxrwx)
    chmod: changing permissions of '/factorio/configs/map-settings.json': Operation not permitted
    chmod: changing permissions of '/factorio/configs/rconpw': Operation not permitted
    chmod: changing permissions of '/factorio/configs/server-adminlist.json': Operation not permitted
    chmod: changing permissions of '/factorio/configs/server-banlist.json': Operation not permitted
    chmod: changing permissions of '/factorio/configs/server-whitelist.json': Operation not permitted
    mode of '/factorio/configs/server-settings.json' changed from 0644 (rw-r--r--) to 0777 (rwxrwxrwx)

https://github.com/samip5/k8s-cluster/blob/f78c5851d83c838b379c2da437505c3c37ed5782/k8s/nebula/apps/games/factorio/app/hr.yaml#L46L51


samip5 commented Dec 11, 2024

Had to manually chown them properly in the already existing PVC, otherwise it wouldn't work. I think there should be a way to disable the chmod part of that.
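As an added example (not the chart's own volume-permissions script and not code from anyone in this thread), here is the shape a non-root-tolerant config-deploy step could take. It copies files and tightens modes only on files the running uid owns, warns instead of failing where it cannot chmod (the case in the logs above, where the init container runs as 568 against a root-owned PVC), and never applies 0777, since the directory also holds the RCON password file `rconpw`. The source/destination paths, the `DEPLOY_*` environment variables and the default mode 0640 are assumptions of this example, not values from the chart.

```shell
#!/bin/sh
# Added example, not the chart's own volume-permissions script. Copies deployed
# config files into the server's config directory and adjusts modes only where the
# current user is allowed to, so a non-root init container (runAsNonRoot, fsGroup)
# does not fail the pod with "Operation not permitted". Paths, DEPLOY_* variables
# and the default mode are assumptions of this example, not chart values.

# Owner uid of a file (GNU/busybox stat first, BSD stat as fallback).
file_uid() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# Fail early with one clear message if the target directory is not writable by the
# current identity (uid, primary gid or the pod's fsGroup), instead of letting a
# later chmod produce a wall of errors. Returns 0 if writable, 1 otherwise.
assert_writable() {
    [ -d "$1" ] && [ -w "$1" ] && return 0
    echo "ERROR: $1 is not writable by uid $(id -u) gid $(id -g); set fsGroup or fix PVC ownership" >&2
    return 1
}

# Copy regular files from $1 into $2 and set mode $3 (default 0640) on each file the
# current user owns (or on every file when running as root). Files owned by another
# uid are left alone with a warning, because group access is then expected to come
# from fsGroup. 0777 is deliberately not used: the directory holds rconpw.
deploy_configs() {
    src="$1"; dst="$2"; mode="${3:-0640}"
    me=$(id -u)
    mkdir -p "$dst" || return 1
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        cp "$f" "$dst/" || return 1
        echo "'$f' -> '$dst/$(basename "$f")'"
    done
    for f in "$dst"/*; do
        [ -f "$f" ] || continue
        owner=$(file_uid "$f")
        if [ "$me" = 0 ] || [ "$owner" = "$me" ]; then
            chmod "$mode" "$f" || echo "WARN: chmod $mode failed on $f" >&2
        else
            echo "skip chmod: $f owned by uid $owner, running as uid $me (relying on fsGroup)" >&2
        fi
    done
    return 0
}

# Stand-alone use, e.g. as an initContainer command (hypothetical variable names):
#   DEPLOY_SRC=/deployed-configs DEPLOY_DST=/factorio/configs sh deploy-configs.sh
if [ -n "${DEPLOY_SRC:-}" ] && [ -n "${DEPLOY_DST:-}" ]; then
    mkdir -p "$DEPLOY_DST" 2>/dev/null || true
    assert_writable "$DEPLOY_DST" && deploy_configs "$DEPLOY_SRC" "$DEPLOY_DST" "${DEPLOY_MODE:-0640}"
fi
```

The design point is that write access to an existing PVC should come from `fsGroup` (group ownership set by the kubelet) rather than from an init container that needs CAP_CHOWN/CAP_FOWNER; once that holds, the chmod step becomes best-effort and the pod no longer depends on root.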


Kariton commented Dec 12, 2024

I am currently working on multiple charts to separate sidecars into individual deployments and add "plugins".
One thing I implemented is securityContext for all containers and pods.
I've removed the chown entirely, which works for my k8s deployment (rke2), and use podSecurityContext and securityContext:

    podSecurityContext:
      runAsUser: 845
      runAsGroup: 845
      fsGroup: 845

all sidecars (config-init, mod-download, save-import, port-fixer) run with these:

    capabilities:
      drop:
      - ALL
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 845

But the factorio server itself does not work with a read-only fs.
Stuff like this https://github.com/factoriotools/factorio-docker/blob/master/docker/files/docker-entrypoint.sh#L65 does not work on a read-only fs.
So it is:

    capabilities:
      drop:
      - ALL
    readOnlyRootFilesystem: false
    runAsNonRoot: true
    runAsUser: 845

I thought I would submit my charts as "new" ones to this repo,
so the known factorio-server-charts stays and the new one would be factorio-server, additionally with:

  • mapshot # render save for web view (new)
  • rcon-api # rcon rest api (part of current chart)
  • factorigo # discord bot (new)

But there is also a catch:
it is a requirement to use a ReadWriteMany PV when also using mapshot or factorigo, because they need to access the factorio data. (ReadWriteOnce is still supported for the factorio-server.)
mapshot needs to read the savegame.
factorigo needs to read the console.log and, with the companion mod, the script-output directory.

I want to open a dedicated discussion about it to better know how and if this would be accepted,
but I think this info fits into this issue as well.

Still need to clean up the charts and finalize stuff before going public.
Another thing is the mapshot container.
I may need to publish my own one.
Need to see what will happen with https://github.com/martydingo/factorio-mapshot-docker
because I have also done some work there to improve the container for the mapshot deployment.

But everything is already working (at least on my cluster) and I migrated my factorio deployments to those charts.
