da84f84ecb
Add "dl_path" to download the source tarball. Add "src_files" to copy local files to build directory. Copy patches to deb_folder/patches, and remove the patching commands from rules. Remove dl_hook. Test Plan: Pass: successfully build openstack-helm Pass: No difference comparing with the result of dl_hook Story: 2009101 Task: 43801 Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Change-Id: I5686cdab4869f5627422c8e7f99a0ce1bdeac9a7
173 lines
7.6 KiB
Diff
173 lines
7.6 KiB
Diff
From fc736ec3993ff18b6380d2016060991e2c3a11f4 Mon Sep 17 00:00:00 2001
|
|
From: Thiago Brito <thiago.brito@windriver.com>
|
|
Date: Fri, 7 Jan 2022 15:59:41 -0300
|
|
Subject: [PATCH] Fix nova-compute-ssh init to execute as runAsUser
|
|
|
|
On _ssh-init.sh.tpl, despite one change the runAsUser for the
|
|
nova-compute container on the securityContext, the ssh keys are always
|
|
being copied into the 'nova' user's folder. This change fixes it by
|
|
getting the correct user defined on the securityContext and copying the
|
|
keys to its correct folder.
|
|
|
|
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
|
|
Change-Id: Ia7883dc4626a295892eb4637ef717b0b1725ac89
|
|
---
|
|
nova/templates/bin/_ssh-init.sh.tpl | 13 ++++++++-----
|
|
nova/templates/daemonset-compute.yaml | 16 ++++++++++++----
|
|
nova/values.yaml | 4 +++-
|
|
3 files changed, 23 insertions(+), 10 deletions(-)
|
|
|
|
diff --git a/nova/templates/bin/_ssh-init.sh.tpl b/nova/templates/bin/_ssh-init.sh.tpl
|
|
index be2e33a4..fbd96f04 100644
|
|
--- a/nova/templates/bin/_ssh-init.sh.tpl
|
|
+++ b/nova/templates/bin/_ssh-init.sh.tpl
|
|
@@ -16,10 +16,13 @@ limitations under the License.
|
|
|
|
set -ex
|
|
|
|
-mkdir -p ~nova/.ssh
|
|
-chown -R nova:nova ~nova/.ssh
|
|
+export NOVA_USERNAME=$(id -u ${NOVA_USER_UID} -n)
|
|
+export NOVA_USER_HOME=$(eval echo ~${NOVA_USERNAME})
|
|
|
|
-cat > ~nova/.ssh/config <<EOF
|
|
+mkdir -p ${NOVA_USER_HOME}/.ssh
|
|
+chown -R ${NOVA_USERNAME}:${NOVA_USERNAME} ${NOVA_USER_HOME}/.ssh
|
|
+
|
|
+cat > ${NOVA_USER_HOME}/.ssh/config <<EOF
|
|
Host *
|
|
StrictHostKeyChecking no
|
|
UserKnownHostsFile /dev/null
|
|
@@ -27,5 +30,5 @@ Host *
|
|
IdentitiesOnly yes
|
|
EOF
|
|
|
|
-cp /tmp/nova-ssh/* ~nova/.ssh/
|
|
-chmod 600 ~nova/.ssh/id_rsa
|
|
+cp /tmp/nova-ssh/* ${NOVA_USER_HOME}/.ssh/
|
|
+chmod 600 ${NOVA_USER_HOME}/.ssh/id_rsa
|
|
diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml
|
|
index 4c690d61..2b23e334 100644
|
|
--- a/nova/templates/daemonset-compute.yaml
|
|
+++ b/nova/templates/daemonset-compute.yaml
|
|
@@ -104,6 +104,7 @@ spec:
|
|
mountPath: /var/lib/nova
|
|
- name: pod-shared
|
|
mountPath: /tmp/pod-shared
|
|
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
|
{{- if .Values.conf.ceph.enabled }}
|
|
- name: ceph-perms
|
|
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
|
|
@@ -119,6 +120,7 @@ spec:
|
|
mountPath: /tmp
|
|
- name: etcceph
|
|
mountPath: /etc/ceph
|
|
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
|
{{- if empty .Values.conf.ceph.cinder.keyring }}
|
|
- name: ceph-admin-keyring-placement
|
|
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
|
|
@@ -141,6 +143,7 @@ spec:
|
|
subPath: key
|
|
readOnly: true
|
|
{{ end }}
|
|
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
|
{{ end }}
|
|
- name: ceph-keyring-placement
|
|
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
|
|
@@ -169,6 +172,7 @@ spec:
|
|
mountPath: /etc/ceph/ceph.conf.template
|
|
subPath: ceph.conf
|
|
readOnly: true
|
|
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
|
{{ end }}
|
|
{{- if eq .Values.console.console_kind "novnc"}}
|
|
- name: nova-compute-vnc-init
|
|
@@ -187,6 +191,7 @@ spec:
|
|
readOnly: true
|
|
- name: pod-shared
|
|
mountPath: /tmp/pod-shared
|
|
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
|
{{ end }}
|
|
{{- if eq .Values.console.console_kind "spice"}}
|
|
- name: nova-compute-spice-init
|
|
@@ -205,6 +210,7 @@ spec:
|
|
readOnly: true
|
|
- name: pod-shared
|
|
mountPath: /tmp/pod-shared
|
|
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
|
{{ end }}
|
|
{{- if ( has "tungstenfabric" .Values.network.backend ) }}
|
|
- name: tungstenfabric-compute-init
|
|
@@ -217,15 +223,19 @@ spec:
|
|
mountPath: /opt/plugin
|
|
- name: tf-plugin-bin
|
|
mountPath: /opt/plugin/bin
|
|
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
|
{{- end }}
|
|
{{- if .Values.network.ssh.enabled }}
|
|
- name: nova-compute-ssh-init
|
|
{{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }}
|
|
{{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
|
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_ssh_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
|
terminationMessagePath: /var/log/termination-log
|
|
env:
|
|
- name: SSH_PORT
|
|
value: {{ .Values.network.ssh.port | quote }}
|
|
+ - name: NOVA_USER_UID
|
|
+ value: "{{ .Values.pod.security_context.nova.pod.runAsUser }}"
|
|
command:
|
|
- /tmp/ssh-init.sh
|
|
volumeMounts:
|
|
@@ -241,14 +251,13 @@ spec:
|
|
mountPath: /tmp/ssh-init.sh
|
|
subPath: ssh-init.sh
|
|
readOnly: true
|
|
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
|
{{- end }}
|
|
containers:
|
|
- name: nova-compute
|
|
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
|
|
{{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
|
{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
|
- securityContext:
|
|
- privileged: true
|
|
env:
|
|
{{- if .Values.conf.ceph.enabled }}
|
|
- name: CEPH_CINDER_USER
|
|
@@ -431,8 +440,6 @@ spec:
|
|
{{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }}
|
|
{{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
|
{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_ssh" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
|
- securityContext:
|
|
- privileged: true
|
|
env:
|
|
- name: KEY_TYPES
|
|
value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.network.ssh.key_types | quote }}
|
|
@@ -455,6 +462,7 @@ spec:
|
|
subPath: ssh-start.sh
|
|
readOnly: true
|
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
|
{{ end }}
|
|
volumes:
|
|
- name: pod-tmp
|
|
diff --git a/nova/values.yaml b/nova/values.yaml
|
|
index cdb14575..72dd0d11 100644
|
|
--- a/nova/values.yaml
|
|
+++ b/nova/values.yaml
|
|
@@ -2155,8 +2155,10 @@ pod:
|
|
readOnlyRootFilesystem: true
|
|
privileged: true
|
|
nova_compute_ssh:
|
|
- readOnlyRootFilesystem: true
|
|
privileged: true
|
|
+ runAsUser: 0
|
|
+ nova_compute_ssh_init:
|
|
+ runAsUser: 0
|
|
nova_api_metadata_init:
|
|
readOnlyRootFilesystem: true
|
|
allowPrivilegeEscalation: false
|
|
--
|
|
2.17.1
|
|
|