Fix nova-compute-ssh init to execute as runAsUser

On _ssh-init.sh.tpl, despite a change to the runAsUser of the
nova-compute container in the securityContext, the ssh keys were always
being copied into the 'nova' user's home directory. This change fixes that
by reading the user defined in the securityContext and copying the
keys into that user's home directory.

Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: Ia7883dc4626a295892eb4637ef717b0b1725ac89
Thiago Brito 2022-01-07 15:59:41 -03:00
parent 12afaa53ee
commit c63b1920d5
5 changed files with 25 additions and 11 deletions


@ -14,7 +14,7 @@ apiVersion: v1
appVersion: v1.0.0 appVersion: v1.0.0
description: OpenStack-Helm Nova description: OpenStack-Helm Nova
name: nova name: nova
version: 0.2.25 version: 0.2.26
home: https://docs.openstack.org/nova/latest/ home: https://docs.openstack.org/nova/latest/
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Nova/OpenStack_Project_Nova_vertical.png icon: https://www.openstack.org/themes/openstack/images/project-mascots/Nova/OpenStack_Project_Nova_vertical.png
sources: sources:


@ -16,10 +16,13 @@ limitations under the License.
set -ex set -ex
mkdir -p ~nova/.ssh export NOVA_USERNAME=$(id -u ${NOVA_USER_UID} -n)
chown -R nova:nova ~nova/.ssh export NOVA_USER_HOME=$(eval echo ~${NOVA_USERNAME})
cat > ~nova/.ssh/config <<EOF mkdir -p ${NOVA_USER_HOME}/.ssh
chown -R ${NOVA_USERNAME}:${NOVA_USERNAME} ${NOVA_USER_HOME}/.ssh
cat > ${NOVA_USER_HOME}/.ssh/config <<EOF
Host * Host *
StrictHostKeyChecking no StrictHostKeyChecking no
UserKnownHostsFile /dev/null UserKnownHostsFile /dev/null
@ -27,5 +30,5 @@ Host *
IdentitiesOnly yes IdentitiesOnly yes
EOF EOF
cp /tmp/nova-ssh/* ~nova/.ssh/ cp /tmp/nova-ssh/* ${NOVA_USER_HOME}/.ssh/
chmod 600 ~nova/.ssh/id_rsa chmod 600 ${NOVA_USER_HOME}/.ssh/id_rsa
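Review bot: `export NOVA_USERNAME=$(id -u ${NOVA_USER_UID} -n)` silently falls back to the invoking user when NOVA_USER_UID is unset or empty, because `id -un` with no operand reports the current user, and placing `-n` after the operand relies on GNU option permutation that a non-GNU `id` may reject. Guard the input and use canonical option order: `export NOVA_USERNAME=$(id -un "${NOVA_USER_UID:?NOVA_USER_UID must be set}")`. The home lookup `$(eval echo ~${NOVA_USERNAME})` can drop `eval` entirely with `getent passwd "${NOVA_USER_UID}" | cut -d: -f6`, which under `set -e` also fails loudly when the uid has no passwd entry instead of expanding to a literal `~name`. The expansions on the mkdir, chown, cat, cp and chmod lines are unquoted; `"${NOVA_USER_HOME}"` keeps them safe if the home path ever contains whitespace. Separately, the 0.2.26 changelog entry names `_ssh-start.sh.tpl` while the commit message refers to `_ssh-init.sh.tpl`; one of the two looks wrong.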


@ -104,6 +104,7 @@ spec:
mountPath: /var/lib/nova mountPath: /var/lib/nova
- name: pod-shared - name: pod-shared
mountPath: /tmp/pod-shared mountPath: /tmp/pod-shared
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{- if .Values.conf.ceph.enabled }} {{- if .Values.conf.ceph.enabled }}
- name: ceph-perms - name: ceph-perms
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
@ -119,6 +120,7 @@ spec:
mountPath: /tmp mountPath: /tmp
- name: etcceph - name: etcceph
mountPath: /etc/ceph mountPath: /etc/ceph
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{- if empty .Values.conf.ceph.cinder.keyring }} {{- if empty .Values.conf.ceph.cinder.keyring }}
- name: ceph-admin-keyring-placement - name: ceph-admin-keyring-placement
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
@ -141,6 +143,7 @@ spec:
subPath: key subPath: key
readOnly: true readOnly: true
{{ end }} {{ end }}
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{ end }} {{ end }}
- name: ceph-keyring-placement - name: ceph-keyring-placement
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
@ -169,6 +172,7 @@ spec:
mountPath: /etc/ceph/ceph.conf.template mountPath: /etc/ceph/ceph.conf.template
subPath: ceph.conf subPath: ceph.conf
readOnly: true readOnly: true
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{ end }} {{ end }}
{{- if eq .Values.console.console_kind "novnc"}} {{- if eq .Values.console.console_kind "novnc"}}
- name: nova-compute-vnc-init - name: nova-compute-vnc-init
@ -187,6 +191,7 @@ spec:
readOnly: true readOnly: true
- name: pod-shared - name: pod-shared
mountPath: /tmp/pod-shared mountPath: /tmp/pod-shared
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{ end }} {{ end }}
{{- if eq .Values.console.console_kind "spice"}} {{- if eq .Values.console.console_kind "spice"}}
- name: nova-compute-spice-init - name: nova-compute-spice-init
@ -205,6 +210,7 @@ spec:
readOnly: true readOnly: true
- name: pod-shared - name: pod-shared
mountPath: /tmp/pod-shared mountPath: /tmp/pod-shared
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{ end }} {{ end }}
{{- if ( has "tungstenfabric" .Values.network.backend ) }} {{- if ( has "tungstenfabric" .Values.network.backend ) }}
- name: tungstenfabric-compute-init - name: tungstenfabric-compute-init
@ -217,15 +223,19 @@ spec:
mountPath: /opt/plugin mountPath: /opt/plugin
- name: tf-plugin-bin - name: tf-plugin-bin
mountPath: /opt/plugin/bin mountPath: /opt/plugin/bin
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{- end }} {{- end }}
{{- if .Values.network.ssh.enabled }} {{- if .Values.network.ssh.enabled }}
- name: nova-compute-ssh-init - name: nova-compute-ssh-init
{{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_ssh_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
terminationMessagePath: /var/log/termination-log terminationMessagePath: /var/log/termination-log
env: env:
- name: SSH_PORT - name: SSH_PORT
value: {{ .Values.network.ssh.port | quote }} value: {{ .Values.network.ssh.port | quote }}
- name: NOVA_USER_UID
value: "{{ .Values.pod.security_context.nova.pod.runAsUser }}"
command: command:
- /tmp/ssh-init.sh - /tmp/ssh-init.sh
volumeMounts: volumeMounts:
@ -241,14 +251,13 @@ spec:
mountPath: /tmp/ssh-init.sh mountPath: /tmp/ssh-init.sh
subPath: ssh-init.sh subPath: ssh-init.sh
readOnly: true readOnly: true
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{- end }} {{- end }}
containers: containers:
- name: nova-compute - name: nova-compute
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} {{ dict "envAll" $envAll "application" "nova" "container" "nova_compute" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
securityContext:
privileged: true
env: env:
{{- if .Values.conf.ceph.enabled }} {{- if .Values.conf.ceph.enabled }}
- name: CEPH_CINDER_USER - name: CEPH_CINDER_USER
@ -431,8 +440,6 @@ spec:
{{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_ssh" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} {{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_ssh" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
securityContext:
privileged: true
env: env:
- name: KEY_TYPES - name: KEY_TYPES
value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.network.ssh.key_types | quote }} value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.network.ssh.key_types | quote }}
@ -455,6 +462,7 @@ spec:
subPath: ssh-start.sh subPath: ssh-start.sh
readOnly: true readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{ end }} {{ end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
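Review bot: The new `NOVA_USER_UID` env in the nova-compute-ssh-init hunk reads the pod-level `.Values.pod.security_context.nova.pod.runAsUser`, while the commit message says the keys should follow the runAsUser of the nova-compute container; in Kubernetes a container-level runAsUser overrides the pod-level one, so if the chart's container entry for nova_compute carries its own runAsUser (the helm-toolkit security-context snippet on the nova-compute container suggests it can), the keys would land in a home directory the nova-compute process never reads — worth confirming or falling back to the container value when present. For consistency with the adjacent `SSH_PORT` entry, render it with the same filter: `value: {{ .Values.pod.security_context.nova.pod.runAsUser | quote }}`. The hard-coded `securityContext: privileged: true` blocks removed from the nova-compute and nova-compute-ssh containers are now expected to come from values, so a values entry without `privileged: true` changes behaviour silently; a short comment in values.yaml stating that these two containers require it would help. The nine `{{ if $mounts_nova_compute.volumeMounts }}` lines added across the other init containers are unrelated to the ssh-init fix described in the message and would be easier to review as a separate change.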


@ -2155,8 +2155,10 @@ pod:
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
privileged: true privileged: true
nova_compute_ssh: nova_compute_ssh:
readOnlyRootFilesystem: true
privileged: true privileged: true
runAsUser: 0
nova_compute_ssh_init:
runAsUser: 0
nova_api_metadata_init: nova_api_metadata_init:
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
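Review bot: The hunk counts (8 old, 10 new) imply that one of the four single-printed lines is a deletion, and by position that appears to be `readOnlyRootFilesystem: true` under `nova_compute_ssh`; if so, the ssh container loses a read-only root filesystem at the same time as it gains `runAsUser: 0`, which is a notable hardening regression that the commit message does not mention. If sshd needs writable paths, the usual remedy is to keep `readOnlyRootFilesystem: true` and mount an emptyDir at those paths, or at least add a comment next to the entry explaining why the root filesystem must be writable. The new `nova_compute_ssh_init` entry carries only `runAsUser: 0`, whereas the sibling `nova_api_metadata_init` also sets `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false`; root is needed for the chown in the init script, but the other two settings look applicable if the target home directory is on a mounted volume — confirm and add them. A one-line comment such as `# runs as root so the init script can chown the ssh keys to the runAsUser of nova-compute` would document the intent.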


@ -46,4 +46,5 @@ nova:
- 0.2.23 Add option to enable extra wait for cell-setup-init - 0.2.23 Add option to enable extra wait for cell-setup-init
- 0.2.24 Fix nova-bootstrap job labels - 0.2.24 Fix nova-bootstrap job labels
- 0.2.25 Add check for compute nodes - 0.2.25 Add check for compute nodes
- 0.2.26 Fix _ssh-start.sh.tpl to copy the ssh keys to the user on the security context
... ...