diff --git a/docker/cmsweb-alma9-base/Dockerfile b/docker/cmsweb-alma9-base/Dockerfile
new file mode 100644
index 000000000..a67cd322c
--- /dev/null
+++ b/docker/cmsweb-alma9-base/Dockerfile
@@ -0,0 +1,13 @@
+FROM cern/alma9-base:latest
+
+# Install EPEL repository (required for voms, fetch-crl and CA-related packages)
+RUN dnf -y install epel-release && dnf -y upgrade && dnf clean all
+
+# Upgrade packages from the base image and install CMSWEB required packages
+RUN dnf -y install fetch-crl cern-get-certificate CERN-CA-certs ca-certificates && dnf clean all
+
+# Required OS packages
+RUN dnf -y install vim less procps python3-pycurl pip && dnf clean all
+RUN ln -s /usr/bin/python3 /usr/bin/python
+
+RUN update-ca-trust
diff --git a/docker/pypi/alma-base/Dockerfile b/docker/pypi/alma-base/Dockerfile
index 1b2148e9b..830c16e77 100644
--- a/docker/pypi/alma-base/Dockerfile
+++ b/docker/pypi/alma-base/Dockerfile
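Review bot: `FROM cern/alma9-base:latest` at the top of this new file is a floating tag, so the image that supplies the CA bundle and `fetch-crl` can change between builds without any change in this repository. I would pin it to a dated tag plus digest, `FROM cern/alma9-base:<dated-tag>@sha256:<digest>` (placeholders; take the real values from the registry). The same applies to the untagged `cmsweb-base` and `exporters` stages and to `almalinux:latest` in docker/pypi/alma-base/Dockerfile, whose contents are copied into `/etc/grid-security` and `/usr/bin`, and to `gfal:latest` in Dockerfile.deb. The comment "Upgrade packages from the base image…" also sits above the wrong `RUN`; the `dnf -y upgrade` is in the EPEL step.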
@@ -1,4 +1,26 @@
+FROM registry.cern.ch/cmsweb/cmsweb-base as cmsweb-base
+FROM registry.cern.ch/cmsweb/exporters as exporters
 FROM almalinux:latest
-MAINTAINER Valentin Kuznetsov vkuznet@gmail.com
-RUN yum install -y curl-minimal libcurl-minimal vim python3-pycurl pip sudo less \
- && yum clean all && rm -rf /var/cache/yum
+MAINTAINER Alan Malta alan.malta@cern.ch
+
+# base image stuff: certificates, monitoring, exporters, etc
+RUN mkdir /etc/grid-security
+COPY --from=cmsweb-base /etc/grid-security/certificates /etc/grid-security/certificates
+COPY --from=cmsweb-base /etc/grid-security/vomsdir /etc/grid-security/vomsdir
+COPY --from=cmsweb-base /etc/vomses /etc/vomses
+COPY --from=exporters /data/cmsweb-ping /usr/bin/cmsweb-ping
+COPY --from=exporters /data/process_exporter /usr/bin/process_exporter
+COPY --from=exporters /data/cpy_exporter /usr/bin/cpy_exporter
+
+# Required OS packages
+RUN dnf -y upgrade && \
+ dnf -y install --skip-broken curl libcurl && \
+ dnf -y install sudo vim less procps python3-pycurl pip && \
+ dnf clean all
+RUN ln -s /usr/bin/python3 /usr/bin/python
+
+ENV WDIR=/data
+ADD run.sh $WDIR/run.sh
+ADD monitor.sh $WDIR/monitor.sh
+ADD manage $WDIR/manage
+WORKDIR /data
\ No newline at end of file
diff --git a/docker/pypi/alma-base/errors.txt b/docker/pypi/alma-base/errors.txt
deleted file mode 100644
index 70e1e2973..000000000
--- a/docker/pypi/alma-base/errors.txt
+++ /dev/null
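Review bot: `dnf -y install --skip-broken curl libcurl` lets the build succeed even when the two packages cannot be installed, so the image silently keeps whichever curl variant the base shipped. The deleted errors.txt shows the conflict is with `curl-minimal`, and dnf's own hint there is `--allowerasing`; `dnf -y install --allowerasing curl libcurl` either swaps the package or fails the build. Separately, `ADD` is used for three plain local files where `COPY` does the same without ADD's archive and URL handling, and `MAINTAINER` is deprecated in favour of a `LABEL`.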
@@ -1,14 +0,0 @@ -Step 3/3 : RUN yum install -y curl vim python3 pip sudo less && yum clean all && rm -rf /var/cache/yum - ---> Running in 77dbadded671 -AlmaLinux 9 - AppStream 12 MB/s | 9.1 MB 00:00 -AlmaLinux 9 - BaseOS 12 MB/s | 4.7 MB 00:00 -AlmaLinux 9 - Extras 47 kB/s | 17 kB 00:00 -Package python3-3.9.18-1.el9_3.x86_64 is already installed. -Package less-590-2.el9_2.x86_64 is already installed. -Error: - Problem: problem with installed package curl-minimal-7.76.1-26.el9_3.2.x86_64 - - package curl-minimal-7.76.1-26.el9_3.2.x86_64 from @System conflicts with curl provided by curl-7.76.1-26.el9_3.2.x86_64 from baseos - - package curl-minimal-7.76.1-26.el9.x86_64 from baseos conflicts with curl provided by curl-7.76.1-26.el9_3.2.x86_64 from baseos - - package curl-minimal-7.76.1-26.el9_3.2.x86_64 from baseos conflicts with curl provided by curl-7.76.1-26.el9_3.2.x86_64 from baseos - - cannot install the best candidate for the job -(try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages) diff --git a/docker/pypi/alma-base/manage b/docker/pypi/alma-base/manage new file mode 100755 index 000000000..3a329465f --- /dev/null +++ b/docker/pypi/alma-base/manage 
@@ -0,0 +1,101 @@ +#!/bin/bash +##H Usage: manage ACTION [ATTRIBUTE] [SECURITY-STRING] +##H +##H Available actions: +##H help show this help +##H version get current version of the service +##H status show current service's status +##H restart (re)start the service +##H start (re)start the service +##H stop stop the service + +# common settings to prettify output +echo_e=-e +COLOR_OK="\\033[0;32m" +COLOR_WARN="\\033[0;31m" +COLOR_NORMAL="\\033[0;39m" + +# service settings +srv=`echo $USER | sed -e "s,_,,g" | sed -e "s,t0req,t0_req,g"` +LOGDIR=/data/srv/logs/$srv +AUTHDIR=/data/srv/current/auth/$srv +STATEDIR=/data/srv/state/$srv +CFGDIR=/data/srv/current/config/$srv +CFGFILE=$CFGDIR/config.py +# some MS services uses different config naming convention, therefore we'll +# adjust CFGFILE assingment +for c in monitor output ruleCleaner transferor unmerged; do + if [ -f $CFGDIR/config-${c}.py ]; then + CFGFILE=$CFGDIR/config-${c}.py + fi +done + +# necessary env settings for all WM services +export PYTHONPATH=$PYTHONPATH:/etc/secrets:/data/srv/current/config/$srv +export X509_USER_KEY=$AUTHDIR/dmwm-service-key.pem +export X509_USER_CERT=$AUTHDIR/dmwm-service-cert.pem +export REQMGR_CACHE_DIR=$STATEDIR +export WMCORE_CACHE_DIR=$STATEDIR + +# by default Rucio relies on /opt/rucio/etc/config.cfg +# if necessary we may setup RUCIO_HOME which should provide this location +# but in k8s we mount rucio config.cfg under /opt/rucio/etc area + +usage() +{ + cat $0 | grep "^##H" | sed -e "s,##H,,g" +} + +start_srv() +{ + wmc-httpd -r -d $STATEDIR -l "$LOGDIR/$srv-`hostname -s`.log" $CFGFILE +} + +stop_srv() +{ + local pid=`ps auxwww | egrep "wmc-httpd" | grep -v grep | awk 'BEGIN{ORS=" "} {print $2}'` + echo "Stop $srv service... 
${pid}" + if [ -n "${pid}" ]; then + kill -9 ${pid} + fi +} + +status_srv() +{ + local pid=`ps auxwww | egrep "wmc-httpd" | grep -v grep | awk 'BEGIN{ORS=" "} {print $2}'` + if [ -z "${pid}" ]; then + echo "$srv service is not running" + return + fi + if [ ! -z "${pid}" ]; then + echo $echo_e "$srv service is ${COLOR_OK}RUNNING${COLOR_NORMAL}, PID=${pid}" + ps -f -wwww -p ${pid} + else + echo $echo_e "$srv service is ${COLOR_WARN}NOT RUNNING${COLOR_NORMAL}" + fi +} + +# Main routine, perform action requested on command line. +case ${1:-status} in + start | restart ) + stop_srv + start_srv + ;; + + status ) + status_srv + ;; + + stop ) + stop_srv + ;; + + help ) + usage + ;; + + * ) + echo "$0: unknown action '$1', please try '$0 help' or documentation." 1>&2 + exit 1 + ;; +esac diff --git a/docker/pypi/alma-base/monitor.sh b/docker/pypi/alma-base/monitor.sh new file mode 100755 index 000000000..d2b22a343 --- /dev/null +++ b/docker/pypi/alma-base/monitor.sh 
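Review bot: `stop_srv` goes straight to `kill -9` for every PID whose `ps` line matches `wmc-httpd`, so the service never gets a chance to shut down cleanly, and `start`/`restart` always take that path. I would send the default signal first and keep `-9` for survivors, for example `kill ${pid}; sleep 5; kill -9 ${pid} 2>/dev/null`. The `##H` help text also advertises a `version` action and a `[SECURITY-STRING]` argument that the `case` statement does not handle, so `manage version` ends in "unknown action". In `status_srv` the `else` branch is unreachable because the empty-PID case has already returned.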
@@ -0,0 +1,26 @@ +#!/bin/bash + +echo -e "\nTrying to start process_exporter..." +# start process exporter +configs="config config-monitor config-output config-transferor config-ruleCleaner config-unmerged" +for p in $configs; do + if [ -f /etc/secrets/${p}.py ]; then + echo " Using configuration file: /etc/secrets/${p}.py" + pat="wmc-httpd.*$p" + pid=`ps axjfwww | grep "$pat" | grep -v grep | grep -v process_monitor | grep -v " 1 " | awk '{print $1}'` + if [ -n "$pid" ]; then + app=`grep ^main.application /etc/secrets/${p}.py | grep -v application_dir | sed -e 's,#.*,,g' | awk '{split($0,a,"="); print a[2]}' | sed -e "s, ,,g" -e 's,",,g' -e "s,-,_,g"` + echo " Using PID: $pid and app name: '$app'" + if [ -n "$app" ]; then + prefix=${app} + port=`grep main.port /etc/secrets/${p}.py | sed -e 's,#.*,,g' | awk '{split($0,a,"="); print a[2]}' | sed -e "s, ,,g"` + address=":1${port}" + echo " Starting process_exporter with prefix ${prefix} on ${address}" + nohup process_exporter -pid $pid -prefix $prefix -address "$address" 2>&1 1>& ${prefix}.log < /dev/null & + #cpyAddr=`echo ${address} | sed "s,8,9,g"` + #echo "Start cpy_exporter on ${cpyAddr}" + #nohup cpy_exporter -address "$address" 2>&1 1>& cpy_${prefix}.log < /dev/null & + fi + fi + fi +done diff --git a/docker/pypi/alma-base/run.sh b/docker/pypi/alma-base/run.sh new file mode 100755 index 000000000..e884abec2 --- /dev/null +++ b/docker/pypi/alma-base/run.sh 
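Review bot: The `port` lookup uses `grep main.port` without the `^` anchor that the `main.application` lookup has, so any other line mentioning `main.port` adds extra lines to the result and `address=":1${port}"` comes out malformed. `grep '^main.port'` keeps the two lookups consistent. `$pid` and `$prefix` are passed unquoted to `process_exporter`, and `$pid` can hold several PIDs if more than one process matches `wmc-httpd.*$p`, which would hand the exporter stray arguments. The exporter log goes to a relative `${prefix}.log`, so it lands in whatever directory the script was started from.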
@@ -0,0 +1,86 @@ +#!/bin/bash +# script to start ReqMgr2 + +srv=`echo $USER | sed -e "s,_,,g"` +STATEDIR=/data/srv/state/$srv +LOGDIR=/data/srv/logs/$srv +AUTHDIR=/data/srv/current/auth/$srv +CONFIGDIR=/data/srv/current/config/$srv +CONFIGFILE=${CONFIGFILE:-config.py} +CFGFILE=/etc/secrets/$CONFIGFILE + +### permission update to workaround issues with mounting logs volume +sudo chown -R $USER.$USER /data + +mkdir -p $LOGDIR +mkdir -p $STATEDIR +mkdir -p $AUTHDIR +mkdir -p $CONFIGDIR +mkdir -p $AUTHDIR/../wmcore-auth + +# environment variables required to run some of the WMCore services +export REQMGR_CACHE_DIR=$STATEDIR +export WMCORE_CACHE_DIR=$STATEDIR + +# overwrite host PEM files in /data/srv area by the robot certificate +# Note that the proxy file is not required and used +if [ -f /etc/robots/robotkey.pem ]; then + sudo cp /etc/robots/robotkey.pem $AUTHDIR/dmwm-service-key.pem + sudo cp /etc/robots/robotcert.pem $AUTHDIR/dmwm-service-cert.pem + sudo chown $USER.$USER $AUTHDIR/dmwm-service-key.pem + sudo chown $USER.$USER $AUTHDIR/dmwm-service-cert.pem + sudo chmod 0400 $AUTHDIR/dmwm-service-key.pem +fi + +if [ -e $AUTHDIR/dmwm-service-cert.pem ] && [ -e $AUTHDIR/dmwm-service-key.pem ]; then + export X509_USER_CERT=$AUTHDIR/dmwm-service-cert.pem + export X509_USER_KEY=$AUTHDIR/dmwm-service-key.pem +fi + +# overwrite header-auth key file with one from secrets +if [ -f /etc/hmac/hmac ]; then + sudo cp /etc/hmac/hmac $AUTHDIR/../wmcore-auth/header-auth-key + sudo chown $USER.$USER $AUTHDIR/../wmcore-auth/header-auth-key + sudo chmod 0600 $AUTHDIR/../wmcore-auth/header-auth-key +fi + +# use service configuration files from /etc/secrets if they are present +files=`ls /etc/secrets` +for fname in $files; do + if [ -f /etc/secrets/$fname ]; then + if [ -f $CONFIGDIR/$fname ]; then + rm $CONFIGDIR/$fname + fi + sudo cp /etc/secrets/$fname $CONFIGDIR/$fname + sudo chown $USER.$USER $CONFIGDIR/$fname + if [ "$fname" == "$CONFIGFILE" ]; then + 
CFGFILE=$CONFIGDIR/$CONFIGFILE + fi + fi +done +files=`ls /etc/secrets` +for fname in $files; do + if [ ! -f $CONFIGDIR/$fname ]; then + sudo cp /etc/secrets/$fname $AUTHDIR/$fname + sudo chown $USER.$USER $AUTHDIR/$fname + fi +done + +export PYTHONPATH=$PYTHONPATH:/etc/secrets:$AUTHDIR/$fname + +# backward compatible changes for RPM based deployment location of aux files +if [ -d /usr/local/data ] && [ "$USER" == "_reqmgr2" ]; then + sudo mkdir -p /data/srv/current/apps/reqmgr2 + sudo ln -s /usr/local/data /data/srv/current/apps/reqmgr2 +fi + +# start the service +wmc-httpd -r -d $STATEDIR -l "$LOGDIR/$srv-`hostname -s`.log" $CFGFILE + +# start monitor.sh script +if [ -f /data/monitor.sh ]; then + /data/monitor.sh +fi + +# hack to keep the container running +tail -f /etc/hosts diff --git a/docker/pypi/reqmgr2ms-unmerged/Dockerfile b/docker/pypi/reqmgr2ms-unmerged/Dockerfile index ba0c20e87..5dbea9a68 100644 --- a/docker/pypi/reqmgr2ms-unmerged/Dockerfile +++ b/docker/pypi/reqmgr2ms-unmerged/Dockerfile 
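Review bot: The files copied from `/etc/secrets` into `$CONFIGDIR` and `$AUTHDIR` are only `chown`ed, so they keep whatever mode `cp` gives them, while just the robot key is tightened to `0400`; if they hold credentials, as the mount name suggests, they need an explicit mode. `sudo install -m 0600 -o "$USER" -g "$USER" /etc/secrets/$fname $CONFIGDIR/$fname` does the copy, owner and mode in one step. The `export PYTHONPATH=$PYTHONPATH:/etc/secrets:$AUTHDIR/$fname` line after the loops reuses the loop variable, so it appends the path of whichever file `ls` listed last rather than a directory. The second `for` loop looks like a no-op, since the first loop has already copied every regular file into `$CONFIGDIR`.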
@@ -1,23 +1,31 @@ -FROM registry.cern.ch/cmsweb/gfal:latest as gfal -FROM registry.cern.ch/cmsweb/dmwm-base:pypi-20230525 -MAINTAINER Valentin Kuznetsov vkuznet@gmail.com -COPY --from=gfal /data/miniconda /data/miniconda +FROM registry.cern.ch/cmsweb/pypi/alma-base:alma9-20240305 +MAINTAINER Alan Malta alan.malta@cern.ch + +# Specific MSUnmerged requirements from epel repository +RUN dnf install epel-release -y && dnf clean all && \ + dnf -y install python3-gfal2-util gfal2-plugin-http gfal2-plugin-dcap gfal2-plugin-file \ + gfal2-plugin-srm gfal2-plugin-xrootd gfal2-plugin-gridftp gfal2-plugin-sftp && \ + dnf clean all + +# Specific run.sh for MSUnmerged ENV WDIR=/data -ENV PATH $PATH:$WDIR/miniconda/bin -ENV PYTHONPATH $WDIR/miniconda/lib/python3.8/site-packages/ -# TAG to be passed at build time through `--build-arg TAG=`. Default: None -ARG TAG=None WORKDIR $WDIR ADD run.sh $WDIR/run.sh -# since we install gfal via external image we'll skip it for installation -# of reqmgr2ms-unmerged, but to satisfy dependencies we'll install them first + +# TAG to be passed at build time through `--build-arg TAG=`. 
Default: None +ARG TAG=None +# We already installed gfal2 via dnf, so first install only non-gfal2 service dependencies +# FIXME: it is probably best to remove it from the requirements.txt file RUN curl -ksLO https://raw.githubusercontent.com/dmwm/WMCore/$TAG/requirements.txt -RUN cat requirements.txt | grep -v gfal2 > req.txt +RUN cat requirements.txt | grep dbs3-client > req.txt +RUN cat requirements.txt | grep reqmgr2ms-unmerged | grep -v gfal2 >> req.txt RUN pip install -r req.txt -RUN pip install --no-deps reqmgr2ms-unmerged==$TAG dbs3-client +# and now install MSUnmerged itself, without any dependencies +RUN pip install --no-deps reqmgr2ms-unmerged==$TAG + +# and now setup run.sh and manage scripts accordingly RUN sed -i -e "s,-config.py,-config-unmerged.py,g" /data/run.sh RUN sed -i -e "s,config.py,config-unmerged.py,g" /data/manage -ENV WDIR=/data ENV USER=_reqmgr2ms RUN useradd ${USER} && install -o ${USER} -d ${WDIR} RUN echo "%$USER ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers diff --git a/docker/pypi/reqmgr2ms-unmerged/Dockerfile.deb b/docker/pypi/reqmgr2ms-unmerged/Dockerfile.deb new file mode 100644 index 000000000..ba0c20e87 --- /dev/null +++ b/docker/pypi/reqmgr2ms-unmerged/Dockerfile.deb 
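Review bot: `RUN curl -ksLO https://raw.githubusercontent.com/dmwm/WMCore/$TAG/requirements.txt` is carried over unchanged, and `-k` turns off certificate verification for the very file that decides what `pip install -r req.txt` pulls into the image. With `-s` and no `-f`, an HTTP error page (for instance with the default `TAG=None`) is saved as requirements.txt and the greps just come out empty instead of failing the build. `RUN curl -fsSLO https://raw.githubusercontent.com/dmwm/WMCore/$TAG/requirements.txt` addresses both, and the same line is in the new Dockerfile.deb. The file continues past the end of this hunk.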
@@ -0,0 +1,26 @@ +FROM registry.cern.ch/cmsweb/gfal:latest as gfal +FROM registry.cern.ch/cmsweb/dmwm-base:pypi-20230525 +MAINTAINER Valentin Kuznetsov vkuznet@gmail.com +COPY --from=gfal /data/miniconda /data/miniconda +ENV WDIR=/data +ENV PATH $PATH:$WDIR/miniconda/bin +ENV PYTHONPATH $WDIR/miniconda/lib/python3.8/site-packages/ +# TAG to be passed at build time through `--build-arg TAG=`. Default: None +ARG TAG=None +WORKDIR $WDIR +ADD run.sh $WDIR/run.sh +# since we install gfal via external image we'll skip it for installation +# of reqmgr2ms-unmerged, but to satisfy dependencies we'll install them first +RUN curl -ksLO https://raw.githubusercontent.com/dmwm/WMCore/$TAG/requirements.txt +RUN cat requirements.txt | grep -v gfal2 > req.txt +RUN pip install -r req.txt +RUN pip install --no-deps reqmgr2ms-unmerged==$TAG dbs3-client +RUN sed -i -e "s,-config.py,-config-unmerged.py,g" /data/run.sh +RUN sed -i -e "s,config.py,config-unmerged.py,g" /data/manage +ENV WDIR=/data +ENV USER=_reqmgr2ms +RUN useradd ${USER} && install -o ${USER} -d ${WDIR} +RUN echo "%$USER ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers +USER ${USER} +RUN sudo chown -R $USER.$USER $WDIR +CMD ["python3"] diff --git a/docker/pypi/reqmgr2ms-unmerged/run.sh b/docker/pypi/reqmgr2ms-unmerged/run.sh index eb110e74c..abec0557f 100755 --- a/docker/pypi/reqmgr2ms-unmerged/run.sh +++ b/docker/pypi/reqmgr2ms-unmerged/run.sh @@ -142,7 +142,7 @@ fi [[ -n $rseExpr ]] && sed -i -e "s/^[[:blank:]]*RSEEXPR.*/RSEEXPR = \"${rseExpr}\"/g" $CFGFILE # start the service -wmc-httpd -r -d $STATEDIR -l "|rotatelogs $LOGDIR/$srv-%Y%m%d-`hostname -s`.log 86400" $CFGFILE +wmc-httpd -r -d $STATEDIR -l "$LOGDIR/$srv-`hostname -s`.log" $CFGFILE # start monitor.sh script if [ -f /data/monitor.sh ]; then diff --git a/kubernetes/cmsweb/services/reqmgr2ms-unmerged-cern.yaml b/kubernetes/cmsweb/services/reqmgr2ms-unmerged-cern.yaml new file mode 100644 index 000000000..f0254c140 --- /dev/null 
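Review bot: With `rotatelogs` removed from the `wmc-httpd` line in reqmgr2ms-unmerged/run.sh, the service writes to a single `$LOGDIR/$srv-<host>.log` that nothing in this hunk rotates, so it grows for the life of the pod and longer where the logs volume is persistent. If rotation was dropped because `rotatelogs` is not in the AlmaLinux image, a comment above the `wmc-httpd` line should say so and name what is expected to bound the file. The script extends before and after this hunk, so rotation may be handled elsewhere.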
+++ b/kubernetes/cmsweb/services/reqmgr2ms-unmerged-cern.yaml 
@@ -0,0 +1,222 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: ms-unmer-cern-filebeat-config + namespace: dmwm + labels: + k8s-app: filebeat +data: + filebeat.yml: |- + filebeat.inputs: + - type: log + enabled: true + paths: + - /data/srv/logs/reqmgr2ms/*${MY_POD_NAME}*.log + ignore_older: 1h + scan_frequency: 10s + backoff: 5s + max_backoff: 10s + output.console: + codec.format: + string: '%{[message]} - Podname=${MY_POD_NAME}' + pretty: false + queue.mem: + events: 65536 + logging.metrics.enabled: false +--- +kind: Service +apiVersion: v1 +metadata: + name: ms-unmer-cern + namespace: dmwm +spec: + selector: + app: ms-unmer-cern + ports: + - port: 8242 + targetPort: 8242 + name: ms-unmer-cern +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: ms-unmer-cern + labels: + app: ms-unmer-cern + namespace: dmwm +data: + setup-certs-and-run.sh: | + #!/bin/bash + sudo cp /host/etc/grid-security/* /etc/grid-security + echo 'INFO Files in /etc/grid-security' + ls -lahZ /etc/grid-security + # su -c "cd /data && /data/run.sh -e '(((cms_type=real|cms_type=int)&rse_type=DISK&(tier=2|tier=3))\country=US)' " --preserve-environment _reqmgr2ms + cd /data && /data/run.sh -e '(rse=T2_CH_CERN|rse=T2_US_Wisconsin|rse=T2_US_Caltech)' +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + labels: + app: ms-unmer-cern + name: ms-unmer-cern + namespace: dmwm +spec: + selector: + matchLabels: + app: ms-unmer-cern + replicas: 1 + template: + metadata: + labels: + app: ms-unmer-cern + env: k8s #k8s# + annotations: + prometheus.io/scrape: 'true' + prometheus.io/port: "18242" + spec: + # use hostNetwork to allow communication between reqmgr2ms/reqmon/workqueue and couch +# hostNetwork: true +# dnsPolicy: ClusterFirstWithHostNet + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 2000 + containers: + - image: registry.cern.ch/cmsweb/reqmgr2ms-unmerged #imagetag + name: ms-unmer-cern + lifecycle: + postStart: + exec: + command: + - bash + - -c + - sudo chmod 0777 
/data/srv/logs/reqmgr2ms; sudo chown _reqmgr2ms:_reqmgr2ms /data/srv/logs/reqmgr2ms +#PROD# resources: +#PROD# requests: +#PROD# memory: "1Gi" +#PROD# cpu: "1000m" +#PROD# limits: +#PROD# memory: "2Gi" +#PROD# cpu: "1000m" + livenessProbe: + exec: + command: + - cmsweb-ping + - "--url=http://localhost:8242/ms-unmerged/data/status" + - "--authz=/etc/hmac/hmac" + - -verbose + - "0" + initialDelaySeconds: 120 + periodSeconds: 30 + timeoutSeconds: 5 + ports: + - containerPort: 8242 + protocol: TCP + name: ms-unmer-cern + - containerPort: 18242 + protocol: TCP + name: unmerged-mon + command: + - /bin/bash + - /opt/setup-certs-and-run/setup-certs-and-run.sh + volumeMounts: + - name: rucio-secrets + mountPath: /opt/rucio/etc + readOnly: true + - name: proxy-secrets-ms-unmerged + mountPath: /etc/proxy + readOnly: true + - name: secrets + mountPath: /etc/secrets + readOnly: true + - name: robot-secrets + mountPath: /etc/robots + readOnly: true + - name: hmac-secrets + mountPath: /etc/hmac + readOnly: true + - mountPath: /host/etc/grid-security + name: etc-grid-security + readOnly: true + - name: setup-certs-and-run + mountPath: /opt/setup-certs-and-run + - name: token-secrets + mountPath: /etc/token + readOnly: true +#PROD# - name: logs +#PROD# mountPath: /data/srv/logs/reqmgr2ms + securityContext: + privileged: true +#PROD#- name: ms-unmer-cern-filebeat +#PROD# image: docker.elastic.co/beats/filebeat:7.12.0 +#PROD# args: [ +#PROD# "-c", "/etc/filebeat.yml", +#PROD# "-e", +#PROD# ] +#PROD# env: +#PROD# - name: MY_POD_NAME +#PROD# valueFrom: +#PROD# fieldRef: +#PROD# apiVersion: v1 +#PROD# fieldPath: metadata.name +#PROD# resources: +#PROD# requests: +#PROD# memory: "50Mi" +#PROD# cpu: "50m" +#PROD# volumeMounts: +#PROD# - name: logs +#PROD# mountPath: /data/srv/logs/reqmgr2ms +#PROD# - name: config +#PROD# mountPath: /etc/filebeat.yml +#PROD# readOnly: true +#PROD# subPath: filebeat.yml +#PROD# - name: data +#PROD# mountPath: /usr/share/filebeat/data +#PROD# - name: varlog 
+#PROD# mountPath: /var/log +#PROD# - name: varlibdockercontainers +#PROD# mountPath: /var/lib/docker/containers +#PROD# readOnly: true +#PROD# securityContext: +#PROD# allowPrivilegeEscalation: false + volumes: + - name: rucio-secrets + secret: + secretName: rucio-secrets + - name: proxy-secrets-ms-unmerged + secret: + secretName: proxy-secrets-ms-unmerged + - name: secrets + secret: + secretName: reqmgr2ms-unmerged-cern-secrets + - name: robot-secrets + secret: + secretName: robot-secrets + - name: hmac-secrets + secret: + secretName: hmac-secrets + - name: etc-grid-security + hostPath: + path: /etc/grid-security + - name: setup-certs-and-run + configMap: + name: ms-unmer-cern + - name: token-secrets + secret: + secretName: token-secrets +#PROD#- name: logs +#PROD# persistentVolumeClaim: +#PROD# claimName: logs-cephfs-claim-dmwm +#PROD#- name: varlog +#PROD# hostPath: +#PROD# path: /var/log +#PROD#- name: varlibdockercontainers +#PROD# hostPath: +#PROD# path: /var/lib/docker/containers +#PROD#- name: config +#PROD# configMap: +#PROD# defaultMode: 0640 +#PROD# name: ms-unmer-cern-filebeat-config +#PROD#- name: data +#PROD# emptyDir: {}
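Review bot: The `ms-unmer-cern` container sets `securityContext: privileged: true`, and the image gives the service group `NOPASSWD:ALL` sudo, so anything that gains code execution in the service has root with full access to the node's devices and kernel interfaces. Nothing visible in this manifest needs that: the start script and the `postStart` hook only run `sudo cp`, `chmod` and `chown`. I would drop `privileged: true` and add back only what is shown to be required. The hook's `sudo chmod 0777 /data/srv/logs/reqmgr2ms` leaves the log directory world-writable even though it is then `chown`ed to the service user; a mode without world write such as `0755` should be enough. The image reference carries only the `#imagetag` marker, which I assume a deploy step replaces with a real tag.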