During the upgrade of SonarQube from version 10.6.1 to 10.7.0, the process failed due to an issue with the init-fs container. The logs from the init-fs container show errors related to changing ownership of files in the /tmp/custom-certs directory, which is mounted as a read-only file system.
Error logs from init-fs container:
chown: changing ownership of '/tmp/custom-certs/...': Read-only file system
Relevant section of values.yaml:
edition: "community"
persistence:
  enabled: true
  size: 15Gi
  volumes:
    - name: certificates
      secret:
        secretName: certificates
  mounts:
    - name: certificates
      mountPath: /tmp/custom-certs
      readOnly: false # This is ineffective since secrets are always read-only.
securityContext:
  enabled: true
initFs:
  enabled: true
  securityContext:
    privileged: false
    runAsUser: 0
    runAsGroup: 0
    capabilities:
      add: ["CHOWN"]
The issue stems from the fact that Kubernetes secrets are always mounted as read-only, but the Helm chart tries to change the ownership using chown in the init-fs container. The command causing the error is likely:
chown -R 1000:0 /tmp/custom-certs
It seems there may be a misconfiguration in the Helm chart, particularly in the sonarqube-sonarqube-init-fs ConfigMap.
You can check the relevant Helm chart configuration here:
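Added example (not part of the original post, and not the SonarQube chart's own init script): an ownership step in shell that checks the mount table and skips read-only mounts such as a secret volume instead of failing on them. The mount table and the /opt/sonarqube/data path are constructed sample data; the function names and the DRY_RUN variable are hypothetical.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (not captured from a real pod).
sample_mounts() {
cat <<'EOF'
overlay / overlay rw,relatime 0 0
tmpfs /tmp/custom-certs tmpfs ro,relatime 0 0
/dev/sda1 /opt/sonarqube/data ext4 rw,relatime 0 0
EOF
}

# mount_is_readonly PATH [MOUNTS_FILE]
# Returns 0 when the most specific mount covering PATH has the "ro" option.
mount_is_readonly() {
    path=$1
    mounts=${2:-/proc/mounts}
    best="" opts=""
    while read -r _dev mnt _type mopts _rest; do
        case "$path/" in
            "${mnt%/}"/*)
                # Keep the longest matching mount point.
                if [ "${#mnt}" -ge "${#best}" ]; then
                    best=$mnt
                    opts=$mopts
                fi
                ;;
        esac
    done < "$mounts"
    case ",$opts," in
        *,ro,*) return 0 ;;
        *) return 1 ;;
    esac
}

# chown_if_writable OWNER PATH [MOUNTS_FILE]
# Skips read-only mounts; with DRY_RUN=1 (default) only reports the action.
chown_if_writable() {
    if mount_is_readonly "$2" "${3:-/proc/mounts}"; then
        echo "skip $2 (read-only mount)"
    elif [ "${DRY_RUN:-1}" = 1 ]; then
        echo "would chown -R $1 $2"
    else
        chown -R "$1" "$2"
    fi
}

# Demonstration against the constructed mount table.
m=$(mktemp); sample_mounts > "$m"
for p in /tmp/custom-certs /opt/sonarqube/data; do
    chown_if_writable 1000:0 "$p" "$m"
done
rm -f "$m"
```

Secret volumes already control file ownership and mode through the pod's fsGroup and the volume's defaultMode, so skipping the chown on such a mount loses nothing.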