From 4e3157bf4c3271d2d01d72b1ea6bc5407dbc296a Mon Sep 17 00:00:00 2001
From: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Date: Mon, 20 Dec 2021 17:19:09 -0300
Subject: [PATCH] Fix nova-compute-ssh

On stx-openstack, we run the nova-compute containers as user 0 (root) to
get privileged access to some of the host resources. During the latest
upversion of openstack-helm, we got in some commits that were
incompatible with our usage of the root user since the keys for ssh
access to a different compute were always placed under the 'nova' user's
folder. This commit fixes that behavior while we don't merge a
definitive fix on openstack-helm and go through a new upversion.

Test Plan:

PASS - nova-compute-ssh starting correctly after change
the sshd->ssh parameter
PASS - migrate/resize vm

Closes-Bug: #1956229

Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Signed-off-by: Hugo Brito <hugo.brito@windriver.com>
Change-Id: Ic90e8e64670b8314b9a2f38b93a59361dcb7ecc9
---
 openstack-helm/centos/openstack-helm.spec     |   2 +
 openstack-helm/debian/deb_folder/rules        |   1 +
 ...ute-ssh-init-to-execute-as-runAsUser.patch | 172 ++++++++++++++++++
 .../k8sapp_openstack/helm/nova.py             |  21 ++-
 .../manifests/manifest.yaml                   |  11 +-
 5 files changed, 200 insertions(+), 7 deletions(-)
 create mode 100644 openstack-helm/files/0011-Fix-nova-compute-ssh-init-to-execute-as-runAsUser.patch

diff --git a/openstack-helm/centos/openstack-helm.spec b/openstack-helm/centos/openstack-helm.spec
index 1b586b08..d7fb66cf 100644
--- a/openstack-helm/centos/openstack-helm.spec
+++ b/openstack-helm/centos/openstack-helm.spec
@@ -29,6 +29,7 @@ Patch07: 0007-Add-stx_admin-account.patch
 Patch08: 0008-Disabling-helm3_hook.patch
 Patch09: 0009-Add-flavor-extra-spec-hw-pci_irq_affinity_mask.patch
 Patch10: 0010-Enable-taint-toleration-for-Openstack-services.patch
+Patch11: 0011-Fix-nova-compute-ssh-init-to-execute-as-runAsUser.patch
 
 BuildRequires: helm
 BuildRequires: openstack-helm-infra
@@ -50,6 +51,7 @@ Openstack Helm charts
 %patch08 -p1
 %patch09 -p1
 %patch10 -p1
+%patch11 -p1
 
 %build
 # Stage helm-toolkit in the local repo
diff --git a/openstack-helm/debian/deb_folder/rules b/openstack-helm/debian/deb_folder/rules
index 33d7c2f1..eb9242c7 100755
--- a/openstack-helm/debian/deb_folder/rules
+++ b/openstack-helm/debian/deb_folder/rules
@@ -26,6 +26,7 @@ override_dh_auto_build:
 	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0008-Disabling-helm3_hook.patch
 	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0009-Add-flavor-extra-spec-hw-pci_irq_affinity_mask.patch
 	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0010-Enable-taint-toleration-for-Openstack-services.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0011-Fix-nova-compute-ssh-init-to-execute-as-runAsUser.patch
 	# Host a server for the helm charts.
 	chartmuseum --debug --port=8879 --context-path='/charts' --storage="local" \
 		--storage-local-rootdir="." &
diff --git a/openstack-helm/files/0011-Fix-nova-compute-ssh-init-to-execute-as-runAsUser.patch b/openstack-helm/files/0011-Fix-nova-compute-ssh-init-to-execute-as-runAsUser.patch
new file mode 100644
index 00000000..d4c3afcc
--- /dev/null
+++ b/openstack-helm/files/0011-Fix-nova-compute-ssh-init-to-execute-as-runAsUser.patch
@@ -0,0 +1,172 @@
+From fc736ec3993ff18b6380d2016060991e2c3a11f4 Mon Sep 17 00:00:00 2001
+From: Thiago Brito <thiago.brito@windriver.com>
+Date: Fri, 7 Jan 2022 15:59:41 -0300
+Subject: [PATCH] Fix nova-compute-ssh init to execute as runAsUser
+
+On _ssh-init.sh.tpl, despite one change the runAsUser for the
+nova-compute container on the securityContext, the ssh keys are always
+being copied into the 'nova' user's folder. This change fixes it by
+getting the correct user defined on the securityContext and copying the
+keys to its correct folder.
+
+Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
+Change-Id: Ia7883dc4626a295892eb4637ef717b0b1725ac89
+---
+ nova/templates/bin/_ssh-init.sh.tpl   | 13 ++++++++-----
+ nova/templates/daemonset-compute.yaml | 16 ++++++++++++----
+ nova/values.yaml                      |  4 +++-
+ 3 files changed, 23 insertions(+), 10 deletions(-)
+
+diff --git a/nova/templates/bin/_ssh-init.sh.tpl b/nova/templates/bin/_ssh-init.sh.tpl
+index be2e33a4..fbd96f04 100644
+--- a/nova/templates/bin/_ssh-init.sh.tpl
++++ b/nova/templates/bin/_ssh-init.sh.tpl
+@@ -16,10 +16,13 @@ limitations under the License.
+
+ set -ex
+
+-mkdir -p ~nova/.ssh
+-chown -R nova:nova ~nova/.ssh
++export NOVA_USERNAME=$(id -u ${NOVA_USER_UID} -n)
++export NOVA_USER_HOME=$(eval echo ~${NOVA_USERNAME})
+
+-cat > ~nova/.ssh/config <<EOF
++mkdir -p ${NOVA_USER_HOME}/.ssh
++chown -R ${NOVA_USERNAME}:${NOVA_USERNAME} ${NOVA_USER_HOME}/.ssh
++
++cat > ${NOVA_USER_HOME}/.ssh/config <<EOF
+ Host *
+   StrictHostKeyChecking no
+   UserKnownHostsFile /dev/null
+@@ -27,5 +30,5 @@ Host *
+   IdentitiesOnly yes
+ EOF
+
+-cp /tmp/nova-ssh/* ~nova/.ssh/
+-chmod 600 ~nova/.ssh/id_rsa
++cp /tmp/nova-ssh/* ${NOVA_USER_HOME}/.ssh/
++chmod 600 ${NOVA_USER_HOME}/.ssh/id_rsa
+diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml
+index 4c690d61..2b23e334 100644
+--- a/nova/templates/daemonset-compute.yaml
++++ b/nova/templates/daemonset-compute.yaml
+@@ -104,6 +104,7 @@ spec:
+               mountPath: /var/lib/nova
+             - name: pod-shared
+               mountPath: /tmp/pod-shared
++{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+         {{- if .Values.conf.ceph.enabled }}
+         - name: ceph-perms
+ {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
+@@ -119,6 +120,7 @@ spec:
+               mountPath: /tmp
+             - name: etcceph
+               mountPath: /etc/ceph
++{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+         {{- if empty .Values.conf.ceph.cinder.keyring }}
+         - name: ceph-admin-keyring-placement
+ {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
+@@ -141,6 +143,7 @@ spec:
+               subPath: key
+               readOnly: true
+             {{ end }}
++{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+         {{ end }}
+         - name: ceph-keyring-placement
+ {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
+@@ -169,6 +172,7 @@ spec:
+               mountPath: /etc/ceph/ceph.conf.template
+               subPath: ceph.conf
+               readOnly: true
++{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+         {{ end }}
+         {{- if eq .Values.console.console_kind "novnc"}}
+         - name: nova-compute-vnc-init
+@@ -187,6 +191,7 @@ spec:
+               readOnly: true
+             - name: pod-shared
+               mountPath: /tmp/pod-shared
++{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+         {{ end }}
+         {{- if eq .Values.console.console_kind "spice"}}
+         - name: nova-compute-spice-init
+@@ -205,6 +210,7 @@ spec:
+               readOnly: true
+             - name: pod-shared
+               mountPath: /tmp/pod-shared
++{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+         {{ end }}
+         {{- if ( has "tungstenfabric" .Values.network.backend ) }}
+         - name: tungstenfabric-compute-init
+@@ -217,15 +223,19 @@ spec:
+               mountPath: /opt/plugin
+             - name: tf-plugin-bin
+               mountPath: /opt/plugin/bin
++{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+         {{- end }}
+         {{- if .Values.network.ssh.enabled }}
+         - name: nova-compute-ssh-init
+ {{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }}
+ {{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
++{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_ssh_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+           terminationMessagePath: /var/log/termination-log
+           env:
+             - name: SSH_PORT
+               value: {{ .Values.network.ssh.port | quote }}
++            - name: NOVA_USER_UID
++              value: "{{ .Values.pod.security_context.nova.pod.runAsUser }}"
+           command:
+             - /tmp/ssh-init.sh
+           volumeMounts:
+@@ -241,14 +251,13 @@ spec:
+               mountPath: /tmp/ssh-init.sh
+               subPath: ssh-init.sh
+               readOnly: true
++{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+         {{- end }}
+       containers:
+         - name: nova-compute
+ {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
+ {{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ {{ dict "envAll" $envAll "application" "nova" "container" "nova_compute" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+-          securityContext:
+-            privileged: true
+           env:
+           {{- if .Values.conf.ceph.enabled }}
+             - name: CEPH_CINDER_USER
+@@ -431,8 +440,6 @@ spec:
+ {{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }}
+ {{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ {{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_ssh" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+-          securityContext:
+-            privileged: true
+           env:
+             - name: KEY_TYPES
+               value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.network.ssh.key_types | quote }}
+@@ -455,6 +462,7 @@ spec:
+               subPath: ssh-start.sh
+               readOnly: true
+ {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
++{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+         {{ end }}
+       volumes:
+         - name: pod-tmp
+diff --git a/nova/values.yaml b/nova/values.yaml
+index cdb14575..72dd0d11 100644
+--- a/nova/values.yaml
++++ b/nova/values.yaml
+@@ -2155,8 +2155,10 @@ pod:
+           readOnlyRootFilesystem: true
+           privileged: true
+         nova_compute_ssh:
+-          readOnlyRootFilesystem: true
+           privileged: true
++          runAsUser: 0
++        nova_compute_ssh_init:
++          runAsUser: 0
+         nova_api_metadata_init:
+           readOnlyRootFilesystem: true
+           allowPrivilegeEscalation: false
+--
+2.17.1
+
diff --git a/python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/nova.py b/python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/nova.py
index eb54f3bd..581bacde 100644
--- a/python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/nova.py
+++ b/python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/nova.py
@@ -142,12 +142,13 @@ class NovaHelm(openstack.OpenstackBaseHelm):
                             'hosts': self._get_per_host_overrides()
                         }
                     },
-                    'ssh_private': ssh_privatekey,
-                    'ssh_public': ssh_publickey,
                 },
                 'endpoints': self._get_endpoints_overrides(),
                 'network': {
-                    'sshd': {
+                    'ssh': {
+                        'enabled': 'true',
+                        'private_key': ssh_privatekey,
+                        'public_key': ssh_publickey,
                         'from_subnet': self._get_ssh_subnet(),
                     },
                     'novncproxy': {
@@ -160,6 +161,20 @@ class NovaHelm(openstack.OpenstackBaseHelm):
             }
         }
 
+        # https://bugs.launchpad.net/starlingx/+bug/1956229
+        # The volume/volumeMount below are needed if we want to use the root user to ssh to the destiny host during a
+        # migration operation
+        overrides[common.HELM_NS_OPENSTACK]["pod"]["mounts"]["nova_compute"]["nova_compute"]["volumeMounts"].append({
+            "name": "userhome",
+            "mountPath": "/root",
+        })
+        overrides[common.HELM_NS_OPENSTACK]["pod"]["mounts"]["nova_compute"]["nova_compute"]["volumes"].append({
+            "name": "userhome",
+            "hostPath": {
+                "path": "/var/lib/nova-user-home"
+            }
+        })
+
         if namespace in self.SUPPORTED_NAMESPACES:
             return overrides[namespace]
         elif namespace:
diff --git a/stx-openstack-helm/stx-openstack-helm/manifests/manifest.yaml b/stx-openstack-helm/stx-openstack-helm/manifests/manifest.yaml
index 326fe8dd..257ee1ce 100644
--- a/stx-openstack-helm/stx-openstack-helm/manifests/manifest.yaml
+++ b/stx-openstack-helm/stx-openstack-helm/manifests/manifest.yaml
@@ -1220,12 +1220,10 @@ data:
           - key: openstack-compute-node
             operator: Exists
             effect: NoSchedule
-      user:
-        nova:
-          uid: 0
       security_context:
         nova:
           pod:
+            # https://bugs.launchpad.net/starlingx/+bug/1956229
             runAsUser: 0
       probes:
         readiness:
@@ -1349,8 +1347,13 @@ data:
           enable_numa_live_migration: true
       hypervisor:
         address_search_enabled: false
+      ssh: |
+        Host *
+          StrictHostKeyChecking no
+          UserKnownHostsFile /dev/null
+          Port {{ .Values.network.ssh.port }}
     network:
-      sshd:
+      ssh:
         enabled: true
     console:
       address_search_enabled: false