From 5ae50bd491ed4499f31598b0e4096eec68d73cc6 Mon Sep 17 00:00:00 2001
From: Codex
Date: Mon, 11 May 2026 18:37:15 -0500
Subject: [PATCH] fix(telephony): init container runs as root to chown hostPath /tmp/tts-audio
The fix-data-perms init container chowns /data (PVC) and /shared-tts (hostPath /tmp/tts-audio on rke2-agent1) to uid 1654 so the non-root telephony-web app can write Piper TTS .sln16 files. Without an explicit container-level securityContext override, the init container inherits pod-level runAsNonRoot:true / runAsUser:1654 and fails with 'chown: /shared-tts: Operation not permitted' the first time the hostPath comes up root-owned after a node reboot. Outage 2026-05-11 23:00 UTC: telephony-web in Init:CrashLoopBackOff for 9 hours (100+ restarts) until init container was bumped to runAsUser:0. Live cluster patched in the same operation; this commit makes the fix durable in git so ArgoCD sync preserves it. See Notes memory: feedback_hostpath_initcontainer_chown_perms
Co-Authored-By: Claude Opus 4.7 (1M context)
---
apps/telephony/telephony.yaml | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/apps/telephony/telephony.yaml b/apps/telephony/telephony.yaml
index 4aa97a4..4ca4de3 100644
--- a/apps/telephony/telephony.yaml
+++ b/apps/telephony/telephony.yaml
@@ -127,10 +127,13 @@ spec:
 initContainers:
 - name: fix-data-perms
 image: busybox:latest
- # Also chown /shared-tts (hostPath /tmp/tts-audio) so the non-root
- # app user (uid 1654) can write Piper .sln16 files that Asterisk
- # reads at /var/lib/asterisk/sounds/tts. World-readable (755) is
- # fine — Asterisk runs as a different uid in the other pod.
+ # Must run as root to chown the hostPath /tmp/tts-audio that may be
+ # root-owned after node reboot. Pod-level runAsNonRoot:true would
+ # otherwise inherit and chown would fail with EPERM (see Notes memory
+ # feedback_hostpath_initcontainer_chown_perms).
+ securityContext:
+ runAsUser: 0
+ runAsNonRoot: false
 command: ["sh", "-c", "chown -R 1654:1654 /data && chown 1654:1654 /shared-tts && chmod 0755 /shared-tts"]
 volumeMounts:
 - name: telephony-data
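Review bot: The added securityContext gives the init container the full root capability set, while the command on the following context line only needs CAP_CHOWN for the two chown calls, CAP_FOWNER for the chmod on a directory it has just handed to uid 1654, and at most CAP_DAC_READ_SEARCH if the recursive walk of /data has to enter directories whose mode excludes other users. Keeping `runAsUser: 0` and `runAsNonRoot: false` but adding `allowPrivilegeEscalation: false` and a `capabilities` block that drops ALL and adds only those names leaves the fix intact while shrinking what a compromised image could do with the node's /tmp/tts-audio mounted; the same reasoning argues for pinning the context line `image: busybox:latest` to an immutable digest now that this container runs as uid 0. The hostPath volume already places the pod outside the baseline Pod Security Standard, so `runAsNonRoot: false` does not change which PSA profile the namespace must allow. The `volumes:` entry for the hostPath is outside the hunk; if it has no `type:`, `DirectoryOrCreate` there would make the kubelet refuse to mount anything other than a directory at that node path. The enclosing initContainers entry continues past the hunk (command and volumeMounts).
```yaml
initContainers:
  - name: fix-data-perms
    image: busybox@sha256:<PINNED_DIGEST>  # placeholder: replace with the resolved digest of the tested busybox build
    # … unchanged: comment explaining why the container runs as root …
    securityContext:
      runAsUser: 0
      runAsNonRoot: false
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
        # CHOWN for both chown calls, FOWNER for the chmod on a directory no longer owned by uid 0,
        # DAC_READ_SEARCH only if `chown -R /data` must enter directories not searchable by others.
        add: ["CHOWN", "FOWNER", "DAC_READ_SEARCH"]
    # … unchanged: command, volumeMounts …
```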