openstack-armada-app/openstack-helm/files/0011-Fix-nova-compute-ssh-init-to-execute-as-runAsUser.patch
Lucas Cavalcante 4e3157bf4c Fix nova-compute-ssh
On stx-openstack, we run the nova-compute containers as user 0 (root) to
get privileged access to some of the host resources. During the latest
upversion of openstack-helm, we picked up some commits that were
incompatible with our use of the root user, since the keys for ssh
access to a different compute were always placed under the 'nova' user's
folder. This commit fixes that behavior until a definitive fix is merged
in openstack-helm and we go through a new upversion.

Test Plan:

PASS - nova-compute-ssh starting correctly after change
the sshd->ssh parameter
PASS - migrate/resize vm

Closes-Bug: #1956229

Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Signed-off-by: Hugo Brito <hugo.brito@windriver.com>
Change-Id: Ic90e8e64670b8314b9a2f38b93a59361dcb7ecc9
2022-01-13 22:59:54 -03:00


From fc736ec3993ff18b6380d2016060991e2c3a11f4 Mon Sep 17 00:00:00 2001
From: Thiago Brito <thiago.brito@windriver.com>
Date: Fri, 7 Jan 2022 15:59:41 -0300
Subject: [PATCH] Fix nova-compute-ssh init to execute as runAsUser
On _ssh-init.sh.tpl, despite one change the runAsUser for the
nova-compute container on the securityContext, the ssh keys are always
being copied into the 'nova' user's folder. This change fixes it by
getting the correct user defined on the securityContext and copying the
keys to its correct folder.
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: Ia7883dc4626a295892eb4637ef717b0b1725ac89
---
nova/templates/bin/_ssh-init.sh.tpl | 13 ++++++++-----
nova/templates/daemonset-compute.yaml | 16 ++++++++++++----
nova/values.yaml | 4 +++-
3 files changed, 23 insertions(+), 10 deletions(-)
diff --git a/nova/templates/bin/_ssh-init.sh.tpl b/nova/templates/bin/_ssh-init.sh.tpl
index be2e33a4..fbd96f04 100644
--- a/nova/templates/bin/_ssh-init.sh.tpl
+++ b/nova/templates/bin/_ssh-init.sh.tpl
@@ -16,10 +16,13 @@ limitations under the License.
set -ex
-mkdir -p ~nova/.ssh
-chown -R nova:nova ~nova/.ssh
+export NOVA_USERNAME=$(id -u ${NOVA_USER_UID} -n)
+export NOVA_USER_HOME=$(eval echo ~${NOVA_USERNAME})
-cat > ~nova/.ssh/config <<EOF
+mkdir -p ${NOVA_USER_HOME}/.ssh
+chown -R ${NOVA_USERNAME}:${NOVA_USERNAME} ${NOVA_USER_HOME}/.ssh
+
+cat > ${NOVA_USER_HOME}/.ssh/config <<EOF
Host *
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
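Review bot: The `export NOVA_USERNAME=$(id -u ${NOVA_USER_UID} -n)` line masks a failed lookup, because `export VAR=$(cmd)` returns export's own status, so `set -e` does not stop the script when `NOVA_USER_UID` has no passwd entry, and when `NOVA_USER_UID` is empty `id -u -n` resolves the current user instead; `NOVA_USERNAME` then ends up empty or wrong, the keys land in whatever home `eval echo ~` resolves to, and the chown expands to `chown -R : ...`. Splitting assignment from export makes the failure fatal, and resolving the home from the passwd database avoids `eval` on an expanded value: `NOVA_USERNAME=$(id -un "${NOVA_USER_UID:?NOVA_USER_UID must be set}")`, `NOVA_USER_HOME=$(getent passwd "${NOVA_USER_UID}" | cut -d: -f6)`, then `export NOVA_USERNAME NOVA_USER_HOME` (assuming getent is present in the image). The `${NOVA_USER_HOME}` expansions here and in the next hunk should also be double-quoted.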
@@ -27,5 +30,5 @@ Host *
IdentitiesOnly yes
EOF
-cp /tmp/nova-ssh/* ~nova/.ssh/
-chmod 600 ~nova/.ssh/id_rsa
+cp /tmp/nova-ssh/* ${NOVA_USER_HOME}/.ssh/
+chmod 600 ${NOVA_USER_HOME}/.ssh/id_rsa
diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml
index 4c690d61..2b23e334 100644
--- a/nova/templates/daemonset-compute.yaml
+++ b/nova/templates/daemonset-compute.yaml
@@ -104,6 +104,7 @@ spec:
mountPath: /var/lib/nova
- name: pod-shared
mountPath: /tmp/pod-shared
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{- if .Values.conf.ceph.enabled }}
- name: ceph-perms
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
@@ -119,6 +120,7 @@ spec:
mountPath: /tmp
- name: etcceph
mountPath: /etc/ceph
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{- if empty .Values.conf.ceph.cinder.keyring }}
- name: ceph-admin-keyring-placement
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
@@ -141,6 +143,7 @@ spec:
subPath: key
readOnly: true
{{ end }}
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{ end }}
- name: ceph-keyring-placement
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
@@ -169,6 +172,7 @@ spec:
mountPath: /etc/ceph/ceph.conf.template
subPath: ceph.conf
readOnly: true
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{ end }}
{{- if eq .Values.console.console_kind "novnc"}}
- name: nova-compute-vnc-init
@@ -187,6 +191,7 @@ spec:
readOnly: true
- name: pod-shared
mountPath: /tmp/pod-shared
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{ end }}
{{- if eq .Values.console.console_kind "spice"}}
- name: nova-compute-spice-init
@@ -205,6 +210,7 @@ spec:
readOnly: true
- name: pod-shared
mountPath: /tmp/pod-shared
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{ end }}
{{- if ( has "tungstenfabric" .Values.network.backend ) }}
- name: tungstenfabric-compute-init
@@ -217,15 +223,19 @@ spec:
mountPath: /opt/plugin
- name: tf-plugin-bin
mountPath: /opt/plugin/bin
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{- end }}
{{- if .Values.network.ssh.enabled }}
- name: nova-compute-ssh-init
{{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_ssh_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
terminationMessagePath: /var/log/termination-log
env:
- name: SSH_PORT
value: {{ .Values.network.ssh.port | quote }}
+ - name: NOVA_USER_UID
+ value: "{{ .Values.pod.security_context.nova.pod.runAsUser }}"
command:
- /tmp/ssh-init.sh
volumeMounts:
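Review bot: `NOVA_USER_UID` is filled from the pod-level `.Values.pod.security_context.nova.pod.runAsUser`, while the container itself now takes its securityContext from the container-level entry via the snippet added a few lines above (`nova_compute_ssh_init`, given `runAsUser: 0` in the values.yaml hunk); if the pod-level and container-level values ever differ, ssh-init runs as one user but installs the keys into the other user's home. Reading the same container-level value the snippet uses keeps the two in step, likely `value: {{ .Values.pod.security_context.nova.container.nova_compute_ssh_init.runAsUser | quote }}`, which also matches the `| quote` style of the `SSH_PORT` line instead of hand-written double quotes. The nova-compute-ssh-init container definition continues into the next hunk.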
@@ -241,14 +251,13 @@ spec:
mountPath: /tmp/ssh-init.sh
subPath: ssh-init.sh
readOnly: true
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{- end }}
containers:
- name: nova-compute
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
- securityContext:
- privileged: true
env:
{{- if .Values.conf.ceph.enabled }}
- name: CEPH_CINDER_USER
@@ -431,8 +440,6 @@ spec:
{{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_ssh" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
- securityContext:
- privileged: true
env:
- name: KEY_TYPES
value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.network.ssh.key_types | quote }}
@@ -455,6 +462,7 @@ spec:
subPath: ssh-start.sh
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{ end }}
volumes:
- name: pod-tmp
diff --git a/nova/values.yaml b/nova/values.yaml
index cdb14575..72dd0d11 100644
--- a/nova/values.yaml
+++ b/nova/values.yaml
@@ -2155,8 +2155,10 @@ pod:
readOnlyRootFilesystem: true
privileged: true
nova_compute_ssh:
- readOnlyRootFilesystem: true
privileged: true
+ runAsUser: 0
+ nova_compute_ssh_init:
+ runAsUser: 0
nova_api_metadata_init:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
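Review bot: `readOnlyRootFilesystem: true` is dropped for the `nova_compute_ssh` container, yet neither commit message mentions it; since the same entry keeps `privileged: true` and now adds `runAsUser: 0`, this leaves a privileged root sshd with a writable root filesystem. If the flag had to go because root's `~/.ssh` now lives on the container filesystem rather than on the `/var/lib/nova` mount, an emptyDir mounted at that path would keep the root filesystem read-only; otherwise the removal looks unrelated to the fix and deserves a line in the message. The `securityContext: privileged: true` blocks removed from the daemonset's nova-compute and nova-compute-ssh containers are covered by the `privileged: true` values the helm-toolkit snippet reads, so those deletions look fine.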
--
2.17.1