Creating the custom security context constraint for Db2 Warehouse
The Db2 Warehouse service requires a custom security context constraint (SCC).
Default SCC for SMP databases
When you create a Db2 Warehouse SMP instance, an SCC named <NAMESPACE>-c-db2wh-<INSTANCE_ID>-scc is created automatically. The contents of the SCC depend on whether you change the node settings to allow Db2U to make unsafe sysctl changes.
If you do not change the node settings, the SCC has the following contents:

allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities:
- FOWNER
- SETGID
- SETUID
- CHOWN
- DAC_OVERRIDE
- SYS_RESOURCE
- IPC_OWNER
- SYS_NICE
- FSETID
- SETFCAP
- SETPCAP
- SYS_CHROOT
- KILL
- AUDIT_WRITE
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
  name: ${SCC_NAME}
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:${PROJECT_CPD_INSTANCE}:${SERVICE_ACCOUNT}
volumes:
- '*'

If you change the node settings to allow Db2U to make unsafe sysctl changes, the SCC has the following contents (note that privileged containers are no longer allowed and pods must run as non-root):

allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities:
- FOWNER
- SETGID
- SETUID
- CHOWN
- DAC_OVERRIDE
- SYS_RESOURCE
- IPC_OWNER
- SYS_NICE
- FSETID
- SETFCAP
- SETPCAP
- SYS_CHROOT
- KILL
- AUDIT_WRITE
allowedUnsafeSysctls:
- kernel.shmmni
- kernel.shmmax
- kernel.shmall
- kernel.sem
- kernel.msgmni
- kernel.msgmax
- kernel.msgmnb
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
  name: ${SCC_NAME}
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: MustRunAsNonRoot
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:${PROJECT_CPD_INSTANCE}:${SERVICE_ACCOUNT}
volumes:
- '*'

Default SCC for MPP databases
When you create a Db2 Warehouse MPP instance, an SCC named <NAMESPACE>-c-db2wh-<INSTANCE_ID>-scc is created automatically. The contents of the SCC depend on whether you change the node settings to allow Db2U to make unsafe sysctl changes.
If you do not change the node settings, the SCC has the following contents (unlike the SMP SCC, the MPP SCC also allows host IPC and host ports):

allowHostDirVolumePlugin: true
allowHostIPC: true
allowHostNetwork: false
allowHostPID: false
allowHostPorts: true
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities:
- FOWNER
- SETGID
- SETUID
- CHOWN
- DAC_OVERRIDE
- SYS_RESOURCE
- IPC_OWNER
- SYS_NICE
- FSETID
- SETFCAP
- SETPCAP
- SYS_CHROOT
- KILL
- AUDIT_WRITE
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
  name: ${SCC_NAME}
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:${PROJECT_CPD_INSTANCE}:${SERVICE_ACCOUNT}
volumes:
- '*'

If you change the node settings to allow Db2U to make unsafe sysctl changes, the SCC has the following contents (privileged containers are no longer allowed and pods must run as non-root, but host IPC and host ports remain allowed):

allowHostDirVolumePlugin: false
allowHostIPC: true
allowHostNetwork: false
allowHostPID: false
allowHostPorts: true
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities:
- FOWNER
- SETGID
- SETUID
- CHOWN
- DAC_OVERRIDE
- SYS_RESOURCE
- IPC_OWNER
- SYS_NICE
- FSETID
- SETFCAP
- SETPCAP
- SYS_CHROOT
- KILL
- AUDIT_WRITE
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
  name: ${SCC_NAME}
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: MustRunAsNonRoot
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:${PROJECT_CPD_INSTANCE}:${SERVICE_ACCOUNT}
volumes:
- '*'

Extended description of the allowed capabilities
- FOWNER: Bypasses permission checks on operations that normally require the file system UID of the process to match the UID of the file (for example, chmod(2), utime(2)), excluding those operations that are covered by CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH.
- SETGID: Necessary to run Db2 Warehouse engine processes with escalated group privileges.
- SETUID: Necessary to run Db2 Warehouse engine processes with escalated user privileges.
- CHOWN: Necessary to run chown to change the ownership of files and directories in persistent volumes.
- DAC_OVERRIDE: Bypasses permission checks for file read, write, and execute.
- SYS_RESOURCE: Allows manipulation of reservations, memory allocations, and resource limits. Maximum memory allocation is still constrained by the memory cgroup (memcg) limit, which cannot be overridden by this capability. The Db2 Warehouse database engine needs this capability to increase the resource limits (that is, ulimits).
- IPC_OWNER: Bypasses permission checks for operations on IPC objects. Even when the IPC kernel parameters are set to their maximum values on the hosts/worker nodes, the Db2 Warehouse engine still tries to throttle those values dynamically. This capability is provided in addition to sharing the IPC namespace with the host.
- SYS_NICE: Allows changing process priorities. Because each container has its own PID namespace, this capability applies to that container only. The Db2 Warehouse database engine relies on process thread prioritization to ensure that Work Load Management (WLM) and Fast Communications Manager (FCM) processing is prioritized over generic agent work.
- FSETID: Prevents the clearing of the setuid and setgid mode bits when a file is modified.
- SETFCAP: Used to set capabilities on files.
- SETPCAP: Used to set capabilities on processes.
- SYS_CHROOT: Necessary to use the chroot command.
- KILL: Bypasses permission checks for sending signals. Necessary for signal handling during process management.
- AUDIT_WRITE: Required to write records to the kernel auditing log when SELinux is enabled.