Merge "Fix nova-compute-ssh init to execute as runAsUser"

This commit is contained in:
Zuul 2022-01-18 13:07:23 +00:00 committed by Gerrit Code Review
commit 0d627521ca
5 changed files with 25 additions and 11 deletions


@ -14,7 +14,7 @@ apiVersion: v1
appVersion: v1.0.0 appVersion: v1.0.0
description: OpenStack-Helm Nova description: OpenStack-Helm Nova
name: nova name: nova
version: 0.2.25 version: 0.2.26
home: https://docs.openstack.org/nova/latest/ home: https://docs.openstack.org/nova/latest/
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Nova/OpenStack_Project_Nova_vertical.png icon: https://www.openstack.org/themes/openstack/images/project-mascots/Nova/OpenStack_Project_Nova_vertical.png
sources: sources:


@ -16,10 +16,13 @@ limitations under the License.
set -ex set -ex
mkdir -p ~nova/.ssh export NOVA_USERNAME=$(id -u ${NOVA_USER_UID} -n)
chown -R nova:nova ~nova/.ssh export NOVA_USER_HOME=$(eval echo ~${NOVA_USERNAME})
cat > ~nova/.ssh/config <<EOF mkdir -p ${NOVA_USER_HOME}/.ssh
chown -R ${NOVA_USERNAME}:${NOVA_USERNAME} ${NOVA_USER_HOME}/.ssh
cat > ${NOVA_USER_HOME}/.ssh/config <<EOF
Host * Host *
StrictHostKeyChecking no StrictHostKeyChecking no
UserKnownHostsFile /dev/null UserKnownHostsFile /dev/null
@ -27,5 +30,5 @@ Host *
IdentitiesOnly yes IdentitiesOnly yes
EOF EOF
cp /tmp/nova-ssh/* ~nova/.ssh/ cp /tmp/nova-ssh/* ${NOVA_USER_HOME}/.ssh/
chmod 600 ~nova/.ssh/id_rsa chmod 600 ${NOVA_USER_HOME}/.ssh/id_rsa
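Review bot: The user lookup on the new `export NOVA_USERNAME=$(id -u ${NOVA_USER_UID} -n)` line cannot fail the script: `set -e` sees the exit status of `export`, not of the command substitution, so a runAsUser with no passwd entry in the image leaves `NOVA_USERNAME` empty, `eval echo ~` then expands to the current user's home, and `chown -R :` is a no-op, so the keys silently land in the wrong directory. Assign before exporting and resolve the home directory from passwd instead of running `eval` on a shell-expanded value: `NOVA_USERNAME=$(id -un "${NOVA_USER_UID}")` and `NOVA_USER_HOME=$(getent passwd "${NOVA_USER_UID}" | cut -d: -f6)` (if getent is in the image), followed by `export NOVA_USERNAME NOVA_USER_HOME`. Separately, the `chown -R` still runs before the `cp` and `chmod 600`, so the copied key files are owned by whatever UID executes this script (values.yaml in this same commit pins nova_compute_ssh_init to runAsUser 0) rather than by `${NOVA_USERNAME}`; moving the `chown -R ${NOVA_USERNAME}:${NOVA_USERNAME} ${NOVA_USER_HOME}/.ssh` line to after the `chmod 600` line makes ownership match the commit's intent. The first hunk's trailing context is not shown in this rendering.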


@ -104,6 +104,7 @@ spec:
mountPath: /var/lib/nova mountPath: /var/lib/nova
- name: pod-shared - name: pod-shared
mountPath: /tmp/pod-shared mountPath: /tmp/pod-shared
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{- if .Values.conf.ceph.enabled }} {{- if .Values.conf.ceph.enabled }}
- name: ceph-perms - name: ceph-perms
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
@ -119,6 +120,7 @@ spec:
mountPath: /tmp mountPath: /tmp
- name: etcceph - name: etcceph
mountPath: /etc/ceph mountPath: /etc/ceph
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{- if empty .Values.conf.ceph.cinder.keyring }} {{- if empty .Values.conf.ceph.cinder.keyring }}
- name: ceph-admin-keyring-placement - name: ceph-admin-keyring-placement
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
@ -141,6 +143,7 @@ spec:
subPath: key subPath: key
readOnly: true readOnly: true
{{ end }} {{ end }}
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{ end }} {{ end }}
- name: ceph-keyring-placement - name: ceph-keyring-placement
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
@ -169,6 +172,7 @@ spec:
mountPath: /etc/ceph/ceph.conf.template mountPath: /etc/ceph/ceph.conf.template
subPath: ceph.conf subPath: ceph.conf
readOnly: true readOnly: true
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{ end }} {{ end }}
{{- if eq .Values.console.console_kind "novnc"}} {{- if eq .Values.console.console_kind "novnc"}}
- name: nova-compute-vnc-init - name: nova-compute-vnc-init
@ -187,6 +191,7 @@ spec:
readOnly: true readOnly: true
- name: pod-shared - name: pod-shared
mountPath: /tmp/pod-shared mountPath: /tmp/pod-shared
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{ end }} {{ end }}
{{- if eq .Values.console.console_kind "spice"}} {{- if eq .Values.console.console_kind "spice"}}
- name: nova-compute-spice-init - name: nova-compute-spice-init
@ -205,6 +210,7 @@ spec:
readOnly: true readOnly: true
- name: pod-shared - name: pod-shared
mountPath: /tmp/pod-shared mountPath: /tmp/pod-shared
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{ end }} {{ end }}
{{- if ( has "tungstenfabric" .Values.network.backend ) }} {{- if ( has "tungstenfabric" .Values.network.backend ) }}
- name: tungstenfabric-compute-init - name: tungstenfabric-compute-init
@ -217,15 +223,19 @@ spec:
mountPath: /opt/plugin mountPath: /opt/plugin
- name: tf-plugin-bin - name: tf-plugin-bin
mountPath: /opt/plugin/bin mountPath: /opt/plugin/bin
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{- end }} {{- end }}
{{- if .Values.network.ssh.enabled }} {{- if .Values.network.ssh.enabled }}
- name: nova-compute-ssh-init - name: nova-compute-ssh-init
{{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_ssh_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
terminationMessagePath: /var/log/termination-log terminationMessagePath: /var/log/termination-log
env: env:
- name: SSH_PORT - name: SSH_PORT
value: {{ .Values.network.ssh.port | quote }} value: {{ .Values.network.ssh.port | quote }}
- name: NOVA_USER_UID
value: "{{ .Values.pod.security_context.nova.pod.runAsUser }}"
command: command:
- /tmp/ssh-init.sh - /tmp/ssh-init.sh
volumeMounts: volumeMounts:
@ -241,14 +251,13 @@ spec:
mountPath: /tmp/ssh-init.sh mountPath: /tmp/ssh-init.sh
subPath: ssh-init.sh subPath: ssh-init.sh
readOnly: true readOnly: true
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{- end }} {{- end }}
containers: containers:
- name: nova-compute - name: nova-compute
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} {{ dict "envAll" $envAll "application" "nova" "container" "nova_compute" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
securityContext:
privileged: true
env: env:
{{- if .Values.conf.ceph.enabled }} {{- if .Values.conf.ceph.enabled }}
- name: CEPH_CINDER_USER - name: CEPH_CINDER_USER
@ -431,8 +440,6 @@ spec:
{{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_ssh" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} {{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_ssh" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
securityContext:
privileged: true
env: env:
- name: KEY_TYPES - name: KEY_TYPES
value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.network.ssh.key_types | quote }} value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.network.ssh.key_types | quote }}
@ -455,6 +462,7 @@ spec:
subPath: ssh-start.sh subPath: ssh-start.sh
readOnly: true readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{ end }} {{ end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
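Review bot: The new `NOVA_USER_UID` env entry (`value: "{{ .Values.pod.security_context.nova.pod.runAsUser }}"`) has no guard for the key being unset; Helm presumably renders a missing value as an empty string, and the init script then runs `id -u -n` against its own identity and prepares that user's home instead of failing. Wrapping the lookup as `value: {{ required "pod.security_context.nova.pod.runAsUser must be set" .Values.pod.security_context.nova.pod.runAsUser | quote }}` turns that into a render-time error. A one-line comment above the entry should also state that this is deliberately the pod-level runAsUser (the owner the keys are prepared for) and not the ssh-init container's own runAsUser, which values.yaml in this commit pins to 0, since the commit title makes the two easy to confuse. The containers and volumes lists continue past the end of the hunks.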


@ -2155,8 +2155,10 @@ pod:
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
privileged: true privileged: true
nova_compute_ssh: nova_compute_ssh:
readOnlyRootFilesystem: true
privileged: true privileged: true
runAsUser: 0
nova_compute_ssh_init:
runAsUser: 0
nova_api_metadata_init: nova_api_metadata_init:
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
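Review bot: The new `nova_compute_ssh_init` entry sets only `runAsUser: 0`, while the neighbouring `nova_api_metadata_init` block carries `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false`; the ssh-init script needs root only to `chown` into another user's `.ssh`, so `allowPrivilegeEscalation: false` costs nothing, and `readOnlyRootFilesystem: true` should also hold if the target home resolves to a mounted volume (worth confirming, since the script writes `.ssh/config` and the key files there). As I read the hunk, `nova_compute_ssh` now carries both `privileged: true` and `runAsUser: 0`; a short comment stating why sshd must remain privileged, or dropping `privileged` if it only needs root to bind its port, would document a capability that otherwise goes unexplained. The security_context mapping continues outside the hunk.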


@ -46,4 +46,5 @@ nova:
- 0.2.23 Add option to enable extra wait for cell-setup-init - 0.2.23 Add option to enable extra wait for cell-setup-init
- 0.2.24 Fix nova-bootstrap job labels - 0.2.24 Fix nova-bootstrap job labels
- 0.2.25 Add check for compute nodes - 0.2.25 Add check for compute nodes
- 0.2.26 Fix _ssh-start.sh.tpl to copy the ssh keys to the user on the security context
... ...