Merge pull request #417 from eharney/cinder-service-runas

Run cinder services as cinder user
openstack-k8s-operators · Nov 25, 2024 · 8564a3c · 8564a3c
2 parents 9e97663 + f6aa4d5
commit 8564a3c
Show file tree

Hide file tree

Showing 8 changed files with 25 additions and 19 deletions.
diff --git a/pkg/cinderapi/statefuleset.go b/pkg/cinderapi/statefuleset.go
@@ -30,7 +30,7 @@ import (
 
 const (
 	// ServiceCommand -
-	ServiceCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start"
+	ServiceCommand = "/usr/local/bin/kolla_start"
 )
 
 // StatefulSet func
@@ -41,6 +41,7 @@ func StatefulSet(
 	annotations map[string]string,
 ) (*appsv1.StatefulSet, error) {
 	runAsUser := int64(0)
+	cinderUser := int64(cinderv1beta1.CinderUserID)
 
 	livenessProbe := &corev1.Probe{
 		// TODO might need tuning
@@ -156,7 +157,7 @@ func StatefulSet(
 							Args:  args,
 							Image: instance.Spec.ContainerImage,
 							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
+								RunAsUser: &cinderUser,
 							},
 							Env:            env.MergeEnvs([]corev1.EnvVar{}, envVars),
 							VolumeMounts:   volumeMounts,

diff --git a/pkg/cinderbackup/statefulset.go b/pkg/cinderbackup/statefulset.go
@@ -28,7 +28,7 @@ import (
 
 const (
 	// ServiceCommand -
-	ServiceCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start"
+	ServiceCommand = "/usr/local/bin/kolla_start"
 )
 
 // StatefulSet func
@@ -39,7 +39,6 @@ func StatefulSet(
 	annotations map[string]string,
 ) *appsv1.StatefulSet {
 	trueVar := true
-	rootUser := int64(0)
 	cinderUser := int64(cinderv1.CinderUserID)
 	cinderGroup := int64(cinderv1.CinderGroupID)
 
@@ -126,7 +125,7 @@ func StatefulSet(
 							Args:  args,
 							Image: instance.Spec.ContainerImage,
 							SecurityContext: &corev1.SecurityContext{
-								RunAsUser:  &rootUser,
+								RunAsUser:  &cinderUser,
 								Privileged: &trueVar,
 							},
 							Env:           env.MergeEnvs([]corev1.EnvVar{}, envVars),

diff --git a/pkg/cinderscheduler/statefulset.go b/pkg/cinderscheduler/statefulset.go
@@ -28,7 +28,7 @@ import (
 
 const (
 	// ServiceCommand -
-	ServiceCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start"
+	ServiceCommand = "/usr/local/bin/kolla_start"
 )
 
 // StatefulSet func
@@ -38,7 +38,6 @@ func StatefulSet(
 	labels map[string]string,
 	annotations map[string]string,
 ) *appsv1.StatefulSet {
-	rootUser := int64(0)
 	cinderUser := int64(cinderv1.CinderUserID)
 	cinderGroup := int64(cinderv1.CinderGroupID)
 
@@ -112,7 +111,7 @@ func StatefulSet(
 							Args:  args,
 							Image: instance.Spec.ContainerImage,
 							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &rootUser,
+								RunAsUser: &cinderUser,
 							},
 							Env:           env.MergeEnvs([]corev1.EnvVar{}, envVars),
 							VolumeMounts:  volumeMounts,

diff --git a/pkg/cindervolume/statefulset.go b/pkg/cindervolume/statefulset.go
@@ -28,7 +28,7 @@ import (
 
 const (
 	// ServiceCommand -
-	ServiceCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start"
+	ServiceCommand = "/usr/local/bin/kolla_start"
 )
 
 // StatefulSet func
@@ -40,7 +40,6 @@ func StatefulSet(
 	usesLVM bool,
 ) *appsv1.StatefulSet {
 	trueVar := true
-	rootUser := int64(0)
 	cinderUser := int64(cinderv1.CinderUserID)
 	cinderGroup := int64(cinderv1.CinderGroupID)
 
@@ -133,7 +132,7 @@ func StatefulSet(
 							Args:  args,
 							Image: instance.Spec.ContainerImage,
 							SecurityContext: &corev1.SecurityContext{
-								RunAsUser:  &rootUser,
+								RunAsUser:  &cinderUser,
 								Privileged: &trueVar,
 							},
 							Env:           env.MergeEnvs([]corev1.EnvVar{}, envVars),

diff --git a/templates/cinder/config/cinder-api-config.json b/templates/cinder/config/cinder-api-config.json
@@ -16,21 +16,21 @@
     {
       "source": "/var/lib/config-data/merged/ssl.conf",
       "dest": "/etc/httpd/conf.d/ssl.conf",
-      "owner": "root",
+      "owner": "cinder",
       "perm": "0644"
     },
     {
       "source": "/var/lib/config-data/tls/certs/*",
       "dest": "/etc/pki/tls/certs/",
-      "owner": "root",
+      "owner": "cinder",
       "perm": "0640",
       "optional": true,
       "merge": true
     },
     {
       "source": "/var/lib/config-data/tls/private/*",
       "dest": "/etc/pki/tls/private/",
-      "owner": "root",
+      "owner": "cinder",
       "perm": "0600",
       "optional": true,
       "merge": true
@@ -41,6 +41,11 @@
           "path": "/var/log/cinder",
           "owner": "cinder:apache",
           "recurse": true
+      },
+      {
+	  "path": "/etc/httpd/run",
+	  "owner": "cinder:apache",
+	  "recurse": true
       }
   ]
 }
diff --git a/templates/cinder/config/httpd.conf b/templates/cinder/config/httpd.conf
@@ -19,6 +19,7 @@ LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-A
 SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
 CustomLog /dev/stdout combined env=!forwarded
 CustomLog /dev/stdout proxy env=forwarded
+ErrorLog /dev/stdout
 
 # XXX: To disable SSL
 #Include conf.d/*.conf

diff --git a/test/kuttl/common/assert_sample_deployment.yaml b/test/kuttl/common/assert_sample_deployment.yaml
@@ -77,7 +77,7 @@ spec:
           name: logs
       - args:
         - -c
-        - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start
+        - /usr/local/bin/kolla_start
         command:
         - /bin/bash
         imagePullPolicy: IfNotPresent
@@ -104,7 +104,7 @@ spec:
           timeoutSeconds: 5
         resources: {}
         securityContext:
-          runAsUser: 0
+          runAsUser: 42407
         terminationMessagePath: /dev/termination-log
         terminationMessagePolicy: File
         volumeMounts:

diff --git a/test/kuttl/common/assert_tls_sample_deployment.yaml b/test/kuttl/common/assert_tls_sample_deployment.yaml
@@ -68,7 +68,7 @@ spec:
           name: logs
       - args:
         - -c
-        - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start
+        - /usr/local/bin/kolla_start
         volumeMounts:
         - mountPath: /etc/machine-id
           name: etc-machine-id
@@ -164,7 +164,7 @@ spec:
       containers:
       - args:
         - -c
-        - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start
+        - /usr/local/bin/kolla_start
         volumeMounts:
         - mountPath: /etc/machine-id
           name: etc-machine-id
@@ -193,6 +193,8 @@ spec:
           name: combined-ca-bundle
           readOnly: true
           subPath: tls-ca-bundle.pem
+        securityContext:
+          runAsUser: 42407
       - command:
         - /usr/local/bin/container-scripts/healthcheck.py
         - scheduler
@@ -264,7 +266,7 @@ spec:
       containers:
       - args:
         - -c
-        - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start
+        - /usr/local/bin/kolla_start
         volumeMounts:
         - mountPath: /etc/machine-id
           name: etc-machine-id