Run cinder-api and scheduler as cinder user

Run cinder-api and cinder-scheduler as the cinder user. This reconfigures httpd with the necessary mount permissions to run as the cinder user.
openstack-k8s-operators · Nov 25, 2024 · 5c82e9d · 5c82e9d
1 parent cdc5e8e
commit 5c82e9d
Show file tree

Hide file tree

Showing 6 changed files with 15 additions and 7 deletions.
diff --git a/pkg/cinderapi/statefuleset.go b/pkg/cinderapi/statefuleset.go
@@ -41,6 +41,7 @@ func StatefulSet(
 	annotations map[string]string,
 ) (*appsv1.StatefulSet, error) {
 	runAsUser := int64(0)
+	cinderUser := int64(cinderv1beta1.CinderUserID)
 
 	livenessProbe := &corev1.Probe{
 		// TODO might need tuning
@@ -156,7 +157,7 @@ func StatefulSet(
 							Args:  args,
 							Image: instance.Spec.ContainerImage,
 							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
+								RunAsUser: &cinderUser,
 							},
 							Env:            env.MergeEnvs([]corev1.EnvVar{}, envVars),
 							VolumeMounts:   volumeMounts,

diff --git a/pkg/cinderscheduler/statefulset.go b/pkg/cinderscheduler/statefulset.go
@@ -38,7 +38,6 @@ func StatefulSet(
 	labels map[string]string,
 	annotations map[string]string,
 ) *appsv1.StatefulSet {
-	rootUser := int64(0)
 	cinderUser := int64(cinderv1.CinderUserID)
 	cinderGroup := int64(cinderv1.CinderGroupID)
 
@@ -112,7 +111,7 @@ func StatefulSet(
 							Args:  args,
 							Image: instance.Spec.ContainerImage,
 							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &rootUser,
+								RunAsUser: &cinderUser,
 							},
 							Env:           env.MergeEnvs([]corev1.EnvVar{}, envVars),
 							VolumeMounts:  volumeMounts,

diff --git a/templates/cinder/config/cinder-api-config.json b/templates/cinder/config/cinder-api-config.json
@@ -16,21 +16,21 @@
     {
       "source": "/var/lib/config-data/merged/ssl.conf",
       "dest": "/etc/httpd/conf.d/ssl.conf",
-      "owner": "root",
+      "owner": "cinder",
       "perm": "0644"
     },
     {
       "source": "/var/lib/config-data/tls/certs/*",
       "dest": "/etc/pki/tls/certs/",
-      "owner": "root",
+      "owner": "cinder",
       "perm": "0640",
       "optional": true,
       "merge": true
     },
     {
       "source": "/var/lib/config-data/tls/private/*",
       "dest": "/etc/pki/tls/private/",
-      "owner": "root",
+      "owner": "cinder",
       "perm": "0600",
       "optional": true,
       "merge": true
@@ -41,6 +41,11 @@
           "path": "/var/log/cinder",
           "owner": "cinder:apache",
           "recurse": true
+      },
+      {
+	  "path": "/etc/httpd/run",
+	  "owner": "cinder:apache",
+	  "recurse": true
       }
   ]
 }
diff --git a/templates/cinder/config/httpd.conf b/templates/cinder/config/httpd.conf
@@ -19,6 +19,7 @@ LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-A
 SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
 CustomLog /dev/stdout combined env=!forwarded
 CustomLog /dev/stdout proxy env=forwarded
+ErrorLog /dev/stdout
 
 # XXX: To disable SSL
 #Include conf.d/*.conf

diff --git a/test/kuttl/common/assert_sample_deployment.yaml b/test/kuttl/common/assert_sample_deployment.yaml
@@ -104,7 +104,7 @@ spec:
           timeoutSeconds: 5
         resources: {}
         securityContext:
-          runAsUser: 0
+          runAsUser: 42407
         terminationMessagePath: /dev/termination-log
         terminationMessagePolicy: File
         volumeMounts:

diff --git a/test/kuttl/common/assert_tls_sample_deployment.yaml b/test/kuttl/common/assert_tls_sample_deployment.yaml
@@ -193,6 +193,8 @@ spec:
           name: combined-ca-bundle
           readOnly: true
           subPath: tls-ca-bundle.pem
+        securityContext:
+          runAsUser: 42407
       - command:
         - /usr/local/bin/container-scripts/healthcheck.py
         - scheduler