From cdc5e8eb521d66a8ef77a1d605a15b670725dc63 Mon Sep 17 00:00:00 2001
From: Eric Harney
Date: Wed, 10 Jul 2024 17:30:06 -0400
Subject: [PATCH 1/3] Fix cinder service ServiceCommands

These all ran kolla_set_configs && kolla_start, but this is unnecessary because kolla_set_configs is run w/ sudo from kolla_start. Just call kolla_start instead. This is necessary to run cinder services as unprivileged cinder users instead of root -- without this change, containers fail to start because kolla_start can't open "/run_command" for writing.
---
 pkg/cinderapi/statefuleset.go | 2 +-
 pkg/cinderbackup/statefulset.go | 2 +-
 pkg/cinderscheduler/statefulset.go | 2 +-
 pkg/cindervolume/statefulset.go | 2 +-
 test/kuttl/common/assert_sample_deployment.yaml | 2 +-
 test/kuttl/common/assert_tls_sample_deployment.yaml | 6 +++---
 6 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/pkg/cinderapi/statefuleset.go b/pkg/cinderapi/statefuleset.go
index 05c9e6c1..0cb7e234 100644
--- a/pkg/cinderapi/statefuleset.go
+++ b/pkg/cinderapi/statefuleset.go
@@ -30,7 +30,7 @@ import (
 
 const (
 // ServiceCommand -
- ServiceCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start"
+ ServiceCommand = "/usr/local/bin/kolla_start"
 )
 
 // StatefulSet func
diff --git a/pkg/cinderbackup/statefulset.go b/pkg/cinderbackup/statefulset.go
index 95a9eb52..7ff1d7fb 100644
--- a/pkg/cinderbackup/statefulset.go
+++ b/pkg/cinderbackup/statefulset.go
@@ -28,7 +28,7 @@ import (
 
 const (
 // ServiceCommand -
- ServiceCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start"
+ ServiceCommand = "/usr/local/bin/kolla_start"
 )
 
 // StatefulSet func
diff --git a/pkg/cinderscheduler/statefulset.go b/pkg/cinderscheduler/statefulset.go
index b5851873..87d9cd5f 100644
--- a/pkg/cinderscheduler/statefulset.go
+++ b/pkg/cinderscheduler/statefulset.go
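Review bot: The `// ServiceCommand -` doc comment above the changed constant in pkg/cinderapi/statefuleset.go is left empty, so the reason the `kolla_set_configs &&` chain was dropped lives only in the commit message; the same applies to the identical hunks in pkg/cinderbackup, pkg/cinderscheduler and pkg/cindervolume. Filling it in as `// ServiceCommand - command run by the service container; kolla_start invokes kolla_set_configs itself (via sudo), so it must not be chained here or non-root startup breaks.` keeps the next maintainer from re-adding the chain. Since the constant is now byte-identical in all four packages, consider declaring it once in a shared package and referencing it from each, so the copies cannot drift.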
@@ -28,7 +28,7 @@ import (
 
 const (
 // ServiceCommand -
- ServiceCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start"
+ ServiceCommand = "/usr/local/bin/kolla_start"
 )
 
 // StatefulSet func
diff --git a/pkg/cindervolume/statefulset.go b/pkg/cindervolume/statefulset.go
index e939488c..4b4ad881 100644
--- a/pkg/cindervolume/statefulset.go
+++ b/pkg/cindervolume/statefulset.go
@@ -28,7 +28,7 @@ import (
 
 const (
 // ServiceCommand -
- ServiceCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start"
+ ServiceCommand = "/usr/local/bin/kolla_start"
 )
 
 // StatefulSet func
diff --git a/test/kuttl/common/assert_sample_deployment.yaml b/test/kuttl/common/assert_sample_deployment.yaml
index 2e19a0b4..d6e9c6e9 100644
--- a/test/kuttl/common/assert_sample_deployment.yaml
+++ b/test/kuttl/common/assert_sample_deployment.yaml
@@ -77,7 +77,7 @@ spec:
 name: logs
 - args:
 - -c
- - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start
+ - /usr/local/bin/kolla_start
 command:
 - /bin/bash
 imagePullPolicy: IfNotPresent
diff --git a/test/kuttl/common/assert_tls_sample_deployment.yaml b/test/kuttl/common/assert_tls_sample_deployment.yaml
index 41b891b1..94f6d15f 100644
--- a/test/kuttl/common/assert_tls_sample_deployment.yaml
+++ b/test/kuttl/common/assert_tls_sample_deployment.yaml
@@ -68,7 +68,7 @@ spec:
 name: logs
 - args:
 - -c
- - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start
+ - /usr/local/bin/kolla_start
 volumeMounts:
 - mountPath: /etc/machine-id
 name: etc-machine-id
@@ -164,7 +164,7 @@ spec:
 containers:
 - args:
 - -c
- - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start
+ - /usr/local/bin/kolla_start
 volumeMounts:
 - mountPath: /etc/machine-id
 name: etc-machine-id
@@ -264,7 +264,7 @@ spec:
 containers:
 - args:
 - -c
- - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start
+ - /usr/local/bin/kolla_start
 volumeMounts:
 - mountPath: /etc/machine-id
 name: etc-machine-id
From 5c82e9d982f5a956f016d1344d0a717af2be43f5 Mon Sep 17 00:00:00 2001
From: Eric Harney
Date: Wed, 10 Jul 2024 17:45:42 -0400
Subject: [PATCH 2/3] Run cinder-api and scheduler as cinder user

Run cinder-api and cinder-scheduler as the cinder user. This reconfigures httpd with the necessary mount permissions to run as the cinder user.
---
 pkg/cinderapi/statefuleset.go | 3 ++-
 pkg/cinderscheduler/statefulset.go | 3 +--
 templates/cinder/config/cinder-api-config.json | 11 ++++++++---
 templates/cinder/config/httpd.conf | 1 +
 test/kuttl/common/assert_sample_deployment.yaml | 2 +-
 test/kuttl/common/assert_tls_sample_deployment.yaml | 2 ++
 6 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/pkg/cinderapi/statefuleset.go b/pkg/cinderapi/statefuleset.go
index 0cb7e234..60999653 100644
--- a/pkg/cinderapi/statefuleset.go
+++ b/pkg/cinderapi/statefuleset.go
@@ -41,6 +41,7 @@ func StatefulSet(
 annotations map[string]string,
 ) (*appsv1.StatefulSet, error) {
 runAsUser := int64(0)
+ cinderUser := int64(cinderv1beta1.CinderUserID)
 
 livenessProbe := &corev1.Probe{
 // TODO might need tuning
@@ -156,7 +157,7 @@ func StatefulSet(
 Args: args,
 Image: instance.Spec.ContainerImage,
 SecurityContext: &corev1.SecurityContext{
- RunAsUser: &runAsUser,
+ RunAsUser: &cinderUser,
 },
 Env: env.MergeEnvs([]corev1.EnvVar{}, envVars),
 VolumeMounts: volumeMounts,
diff --git a/pkg/cinderscheduler/statefulset.go b/pkg/cinderscheduler/statefulset.go
index 87d9cd5f..8036967d 100644
--- a/pkg/cinderscheduler/statefulset.go
+++ b/pkg/cinderscheduler/statefulset.go
@@ -38,7 +38,6 @@ func StatefulSet(
 labels map[string]string,
 annotations map[string]string,
 ) *appsv1.StatefulSet {
- rootUser := int64(0)
 cinderUser := int64(cinderv1.CinderUserID)
 cinderGroup := int64(cinderv1.CinderGroupID)
 
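Review bot: In the pkg/cinderapi/statefuleset.go hunk at @@ -41, `runAsUser := int64(0)` is kept while the new `cinderUser` takes over its only use visible in this diff (the SecurityContext at @@ -156), whereas the scheduler hunk in the same commit deletes the equivalent `rootUser`. If `runAsUser` has no other reference in the function, the package no longer compiles (declared and not used); if it still selects root for another container outside these hunks, that remaining root usage deserves a comment stating why it cannot move to `cinderUser` as well. The hunk also sets only `RunAsUser`; whether the cinder group is applied (`RunAsGroup` or a pod-level `FSGroup`) is not visible here and matters because the config template in this commit relies on `cinder:apache` ownership. The StatefulSet function body continues outside both hunks.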
@@ -112,7 +111,7 @@ func StatefulSet(
 Args: args,
 Image: instance.Spec.ContainerImage,
 SecurityContext: &corev1.SecurityContext{
- RunAsUser: &rootUser,
+ RunAsUser: &cinderUser,
 },
 Env: env.MergeEnvs([]corev1.EnvVar{}, envVars),
 VolumeMounts: volumeMounts,
diff --git a/templates/cinder/config/cinder-api-config.json b/templates/cinder/config/cinder-api-config.json
index 1812cce0..d7929108 100644
--- a/templates/cinder/config/cinder-api-config.json
+++ b/templates/cinder/config/cinder-api-config.json
@@ -16,13 +16,13 @@
 {
 "source": "/var/lib/config-data/merged/ssl.conf",
 "dest": "/etc/httpd/conf.d/ssl.conf",
- "owner": "root",
+ "owner": "cinder",
 "perm": "0644"
 },
 {
 "source": "/var/lib/config-data/tls/certs/*",
 "dest": "/etc/pki/tls/certs/",
- "owner": "root",
+ "owner": "cinder",
 "perm": "0640",
 "optional": true,
 "merge": true
@@ -30,7 +30,7 @@
 {
 "source": "/var/lib/config-data/tls/private/*",
 "dest": "/etc/pki/tls/private/",
- "owner": "root",
+ "owner": "cinder",
 "perm": "0600",
 "optional": true,
 "merge": true
@@ -41,6 +41,11 @@
 "path": "/var/log/cinder",
 "owner": "cinder:apache",
 "recurse": true
+ },
+ {
+ "path": "/etc/httpd/run",
+ "owner": "cinder:apache",
+ "recurse": true
 }
 ]
 }
diff --git a/templates/cinder/config/httpd.conf b/templates/cinder/config/httpd.conf
index 73f69710..30430ead 100644
--- a/templates/cinder/config/httpd.conf
+++ b/templates/cinder/config/httpd.conf
@@ -19,6 +19,7 @@ LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-A
 SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
 CustomLog /dev/stdout combined env=!forwarded
 CustomLog /dev/stdout proxy env=forwarded
+ErrorLog /dev/stdout
 
 # XXX: To disable SSL
 #Include conf.d/*.conf
diff --git a/test/kuttl/common/assert_sample_deployment.yaml b/test/kuttl/common/assert_sample_deployment.yaml
index d6e9c6e9..3cbb0c0e 100644
--- a/test/kuttl/common/assert_sample_deployment.yaml
+++ b/test/kuttl/common/assert_sample_deployment.yaml
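Review bot: The cinder-api-config.json hunks hand ownership of `/etc/pki/tls/certs/*` (0640) and `/etc/pki/tls/private/*` (0600) from `root` to `cinder`. That is what lets httpd read the key once it no longer starts as root, but it also makes the private key readable by the account the API code itself runs under, whereas before, with the container running as root and the keys root-owned, only privileged processes could open it; whether httpd's workers also run as `cinder` is not visible here (the httpd.conf hunk shows no User/Group directive), so please confirm and record the trade-off in the commit message or the template's documentation, since a JSON template cannot carry a comment. The new `/etc/httpd/run` permissions entry mirrors the existing `/var/log/cinder` entry and, like the `ErrorLog /dev/stdout` addition, presumably addresses a path a non-root httpd could not write to.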
@@ -104,7 +104,7 @@ spec:
 timeoutSeconds: 5
 resources: {}
 securityContext:
- runAsUser: 0
+ runAsUser: 42407
 terminationMessagePath: /dev/termination-log
 terminationMessagePolicy: File
 volumeMounts:
diff --git a/test/kuttl/common/assert_tls_sample_deployment.yaml b/test/kuttl/common/assert_tls_sample_deployment.yaml
index 94f6d15f..ab31d5b4 100644
--- a/test/kuttl/common/assert_tls_sample_deployment.yaml
+++ b/test/kuttl/common/assert_tls_sample_deployment.yaml
@@ -193,6 +193,8 @@ spec:
 name: combined-ca-bundle
 readOnly: true
 subPath: tls-ca-bundle.pem
+ securityContext:
+ runAsUser: 42407
 - command:
 - /usr/local/bin/container-scripts/healthcheck.py
 - scheduler
From f6aa4d5f430319cd4bfa2084d83c7d784ec077a6 Mon Sep 17 00:00:00 2001
From: Eric Harney
Date: Wed, 10 Jul 2024 18:40:53 -0400
Subject: [PATCH 3/3] Run cinder-backup and volume as cinder user

These services do not need to run as the root user, run them as the cinder user instead.
---
 pkg/cinderbackup/statefulset.go | 3 +--
 pkg/cindervolume/statefulset.go | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/pkg/cinderbackup/statefulset.go b/pkg/cinderbackup/statefulset.go
index 7ff1d7fb..56774555 100644
--- a/pkg/cinderbackup/statefulset.go
+++ b/pkg/cinderbackup/statefulset.go
@@ -39,7 +39,6 @@ func StatefulSet(
 annotations map[string]string,
 ) *appsv1.StatefulSet {
 trueVar := true
- rootUser := int64(0)
 cinderUser := int64(cinderv1.CinderUserID)
 cinderGroup := int64(cinderv1.CinderGroupID)
 
@@ -126,7 +125,7 @@ func StatefulSet(
 Args: args,
 Image: instance.Spec.ContainerImage,
 SecurityContext: &corev1.SecurityContext{
- RunAsUser: &rootUser,
+ RunAsUser: &cinderUser,
 Privileged: &trueVar,
 },
 Env: env.MergeEnvs([]corev1.EnvVar{}, envVars),
diff --git a/pkg/cindervolume/statefulset.go b/pkg/cindervolume/statefulset.go
index 4b4ad881..957b98c9 100644
--- a/pkg/cindervolume/statefulset.go
+++ b/pkg/cindervolume/statefulset.go
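Review bot: In the pkg/cinderbackup/statefulset.go SecurityContext hunk at @@ -126 the new `RunAsUser: &cinderUser` sits directly above the retained `Privileged: &trueVar`, and the pkg/cindervolume/statefulset.go hunk at @@ -133 is identical. A privileged container still runs without seccomp and LSM confinement and with the host's device nodes exposed regardless of the UID, so the hardening gained by leaving root is real but partial, smaller than "do not need to run as the root user" suggests. A comment on the retained line, such as `// Privileged is still required here (host block-device access, presumably — TODO confirm); RunAsUser only narrows file ownership.`, would document the remaining exposure, and a follow-up could evaluate replacing `Privileged` with explicit capabilities and device mounts. The StatefulSet function body continues outside both hunks.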
@@ -40,7 +40,6 @@ func StatefulSet(
 usesLVM bool,
 ) *appsv1.StatefulSet {
 trueVar := true
- rootUser := int64(0)
 cinderUser := int64(cinderv1.CinderUserID)
 cinderGroup := int64(cinderv1.CinderGroupID)
 
@@ -133,7 +132,7 @@ func StatefulSet(
 Args: args,
 Image: instance.Spec.ContainerImage,
 SecurityContext: &corev1.SecurityContext{
- RunAsUser: &rootUser,
+ RunAsUser: &cinderUser,
 Privileged: &trueVar,
 },
 Env: env.MergeEnvs([]corev1.EnvVar{}, envVars),