From 6e9ffd580b22a5764f1285f160e752066d4f2dea Mon Sep 17 00:00:00 2001 From: Francesco Pantano Date: Wed, 14 Aug 2024 10:41:40 +0200 Subject: [PATCH] Run manila services using manila user/group This patch represents an improvment of the existing code to make sure we run manila services using the manila user instead of root. It also set the right SecurityContext on both dbsync and cronjobs. Jira: https://issues.redhat.com/browse/OSPRH-9115 Signed-off-by: Francesco Pantano --- pkg/manila/const.go | 8 ++++++ pkg/manila/cronjob.go | 2 +- pkg/manila/dbsync.go | 15 ++++------ pkg/manila/funcs.go | 28 ++++++++++++++++--- pkg/manilaapi/statefulset.go | 8 +++--- pkg/manilascheduler/statefulset.go | 11 +++----- pkg/manilashare/statefulset.go | 12 ++++---- templates/manila/config/httpd.conf | 1 + .../manila/config/manila-api-config.json | 11 ++++++-- test/kuttl/tests/manila-tls/03-assert.yaml | 6 ++-- 10 files changed, 64 insertions(+), 38 deletions(-) diff --git a/pkg/manila/const.go b/pkg/manila/const.go index b9399a62..5a33a205 100644 --- a/pkg/manila/const.go +++ b/pkg/manila/const.go @@ -36,6 +36,14 @@ const ( // is to be generated, e.g. "manila_e5a4", "manila_78bc", etc DatabaseUsernamePrefix = "manila" + // Manila's uid and gid magic numbers come from the 'manila-user' in + // https://github.com/openstack/kolla/blob/master/kolla/common/users.py + + // ManilaUserID - + ManilaUserID int64 = 42429 + // ManilaGroupID - + ManilaGroupID int64 = 42429 + // ManilaPublicPort - ManilaPublicPort int32 = 8786 // ManilaInternalPort - diff --git a/pkg/manila/cronjob.go b/pkg/manila/cronjob.go index 1c4a54f9..2f99d1cb 100644 --- a/pkg/manila/cronjob.go +++ b/pkg/manila/cronjob.go @@ -112,7 +112,7 @@ func CronJob( }, Args: args, VolumeMounts: cronJobVolumeMounts, - SecurityContext: GetManilaSecurityContext(), + SecurityContext: cronJobSecurityContext(), }, }, Volumes: cronJobVolume, diff --git a/pkg/manila/dbsync.go b/pkg/manila/dbsync.go index 3000311e..4395b11b 100644 
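Review bot: The two new constants carry empty doc comments (`// ManilaUserID -`, `// ManilaGroupID -`) and the blank line after the kolla URL detaches that explanation from them, so `go doc` shows nothing useful for the one value every RunAsUser in this patch is derived from. Suggest `// ManilaUserID is the uid of the 'manila-user' defined in kolla's users.py; it must stay in sync with the container images, since file ownership set by kolla_set_configs and every RunAsUser in this operator depend on it.` with the matching sentence for ManilaGroupID, and the URL folded into the same paragraph instead of floating above a blank line. The const block starts outside the hunk.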
--- a/pkg/manila/dbsync.go +++ b/pkg/manila/dbsync.go @@ -10,7 +10,7 @@ import ( const ( //DBSyncCommand - - DBSyncCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start" + DBSyncCommand = "/usr/local/bin/kolla_start" ) // DbSyncJob func @@ -75,7 +75,6 @@ func DbSyncJob(instance *manilav1.Manila, labels map[string]string, annotations dbSyncMounts = append(dbSyncMounts, instance.Spec.ManilaAPI.TLS.CreateVolumeMounts(nil)...) } - runAsUser := int64(0) envVars := map[string]env.Setter{} envVars["KOLLA_CONFIG_STRATEGY"] = env.SetValue("COPY_ALWAYS") envVars["KOLLA_BOOTSTRAP"] = env.SetValue("TRUE") @@ -100,13 +99,11 @@ func DbSyncJob(instance *manilav1.Manila, labels map[string]string, annotations Command: []string{ "/bin/bash", }, - Args: args, - Image: instance.Spec.ManilaAPI.ContainerImage, - SecurityContext: &corev1.SecurityContext{ - RunAsUser: &runAsUser, - }, - Env: env.MergeEnvs([]corev1.EnvVar{}, envVars), - VolumeMounts: dbSyncMounts, + Args: args, + Image: instance.Spec.ManilaAPI.ContainerImage, + SecurityContext: dbSyncSecurityContext(), + Env: env.MergeEnvs([]corev1.EnvVar{}, envVars), + VolumeMounts: dbSyncMounts, }, }, Volumes: dbSyncVolume, diff --git a/pkg/manila/funcs.go b/pkg/manila/funcs.go index 1b9642e1..82d32a14 100644 --- a/pkg/manila/funcs.go +++ b/pkg/manila/funcs.go @@ -19,13 +19,13 @@ func GetOwningManilaName(instance client.Object) string { return "" } -// GetManilaSecurityContext - Returns the right set of SecurityContext that +// cronJobSecurityContext - Returns the right set of SecurityContext that // does not violate the k8s requirements -func GetManilaSecurityContext() *corev1.SecurityContext { +func cronJobSecurityContext() *corev1.SecurityContext { falseVal := false trueVal := true - runAsUser := int64(42429) - runAsGroup := int64(42429) + runAsUser := ManilaUserID + runAsGroup := ManilaGroupID return &corev1.SecurityContext{ RunAsUser: &runAsUser, RunAsGroup: &runAsGroup, 
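Review bot: DBSyncCommand drops the explicit `kolla_set_configs &&` without a comment on what now performs that step, so a reader who knows the old command will assume the config files are no longer laid out at all. Presumably kolla_start invokes kolla_set_configs itself with whatever privilege the manila user has been granted for it, while calling it directly from a non-root job would no longer be able to set owners and modes; if that is the reason, record it on the constant: `// DBSyncCommand - kolla_start is expected to run kolla_set_configs itself; it is not invoked here because the job no longer runs as root.` The same silent change is made to the three ServiceCommand constants in the statefulset files, and the same assumption should be confirmed for each.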
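Review bot: `GetManilaSecurityContext` was exported and becomes the unexported `cronJobSecurityContext`, so any caller outside package manila would stop compiling; the diffstat shows only cronjob.go updated, which suggests there is none, but a grep before merge is cheap insurance. The doc comment also still says only that the context "does not violate the k8s requirements", which names no requirement; suggest `// cronJobSecurityContext returns the hardened SecurityContext for the manila cron-job containers: the manila uid/gid plus the boolean restrictions assigned below.` The function body continues outside the hunk, so the fields that falseVal/trueVal feed are not visible here.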
@@ -42,6 +42,26 @@ func GetManilaSecurityContext() *corev1.SecurityContext { } } +// dbSyncSecurityContext - currently used to make sure we don't run db-sync as +// root user +func dbSyncSecurityContext() *corev1.SecurityContext { + runAsUser := ManilaUserID + runAsGroup := ManilaGroupID + + return &corev1.SecurityContext{ + RunAsUser: &runAsUser, + RunAsGroup: &runAsGroup, + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{ + "MKNOD", + }, + }, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + } +} + // GetPodAffinity - Returns a corev1.Affinity reference for the specified component. func GetPodAffinity(componentName string) *corev1.Affinity { // If possible two pods of the same component (e.g manila-share) should not diff --git a/pkg/manilaapi/statefulset.go b/pkg/manilaapi/statefulset.go index 35ace295..82daf2b1 100644 --- a/pkg/manilaapi/statefulset.go +++ b/pkg/manilaapi/statefulset.go @@ -27,7 +27,7 @@ import ( const ( // ServiceCommand - - ServiceCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start" + ServiceCommand = "/usr/local/bin/kolla_start" ) // StatefulSet func @@ -37,7 +37,7 @@ func StatefulSet( labels map[string]string, annotations map[string]string, ) (*appsv1.StatefulSet, error) { - runAsUser := int64(0) + manilaUser := manila.ManilaUserID livenessProbe := &corev1.Probe{ TimeoutSeconds: 10, @@ -134,7 +134,7 @@ func StatefulSet( }, Image: instance.Spec.ContainerImage, SecurityContext: &corev1.SecurityContext{ - RunAsUser: &runAsUser, + RunAsUser: &manilaUser, }, Env: env.MergeEnvs([]corev1.EnvVar{}, envVars), VolumeMounts: []corev1.VolumeMount{GetLogVolumeMount()}, @@ -154,7 +154,7 @@ func StatefulSet( }, Image: instance.Spec.ContainerImage, SecurityContext: &corev1.SecurityContext{ - RunAsUser: &runAsUser, + RunAsUser: &manilaUser, }, Env: env.MergeEnvs([]corev1.EnvVar{}, envVars), VolumeMounts: volumeMounts, 
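Review bot: dbSyncSecurityContext sets RunAsUser/RunAsGroup but not `RunAsNonRoot`, so the guarantee in its comment ("make sure we don't run db-sync as root") rests only on the value of a constant; with `RunAsNonRoot: true` the kubelet refuses to start the container if anyone later points RunAsUser at 0 or the image's user resolves to root. It also drops only MKNOD and leaves AllowPrivilegeEscalation unset, unlike the cron-job context beside it that declares `falseVal`/`trueVal` for such fields; if the two contexts differ on purpose (for instance because kolla_start relies on sudo or another setuid helper in this job), the comment should say so rather than leave the next maintainer to unify them. `AllowPrivilegeEscalation: false` is only safe here if that command path has no setuid dependency, so verify before adding it; RunAsNonRoot has no such caveat.
```go
// dbSyncSecurityContext returns the SecurityContext for the db-sync job:
// the manila uid/gid, and the kubelet refuses to start the container if
// that user ever resolves to root.
func dbSyncSecurityContext() *corev1.SecurityContext {
	runAsUser := ManilaUserID
	runAsGroup := ManilaGroupID
	runAsNonRoot := true

	return &corev1.SecurityContext{
		RunAsUser:    &runAsUser,
		RunAsGroup:   &runAsGroup,
		RunAsNonRoot: &runAsNonRoot,
		// … unchanged: Capabilities (drop MKNOD) and SeccompProfile …
	}
}
```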
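Review bot: Both API containers now set only `RunAsUser: &manilaUser`; with RunAsGroup unset the process's primary gid is, as far as I know, whatever the image's passwd entry for uid 42429 resolves to (and gid 0 if it does not), whereas the cron-job and db-sync contexts in this same patch pin `RunAsGroup` to ManilaGroupID. Suggest declaring `manilaGroup := manila.ManilaGroupID` next to manilaUser and adding `RunAsGroup: &manilaGroup,` to both containers so the group ownership of anything httpd or manila-api creates is deterministic. Separately, a fixed numeric uid is only admitted where the namespace's SCC or Pod Security policy allows it (OpenShift's default restricted profile assigns uids from a namespace range); presumably the operator's namespace already runs under a policy that permits this, but it deserves a sentence in the commit message. StatefulSet's body starts and ends outside these hunks.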
diff --git a/pkg/manilascheduler/statefulset.go b/pkg/manilascheduler/statefulset.go index ccbd9b33..1f4f7ea7 100644 --- a/pkg/manilascheduler/statefulset.go +++ b/pkg/manilascheduler/statefulset.go @@ -25,7 +25,7 @@ import ( const ( // ServiceCommand - - ServiceCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start" + ServiceCommand = "/usr/local/bin/kolla_start" ) // StatefulSet func @@ -35,11 +35,8 @@ func StatefulSet( labels map[string]string, annotations map[string]string, ) *appsv1.StatefulSet { - rootUser := int64(0) - // manila's uid and gid magic numbers come from the 'manila-user' in - // https://github.com/openstack/kolla/blob/master/kolla/common/users.py - manilaUser := int64(42429) - manilaGroup := int64(42429) + manilaUser := manila.ManilaUserID + manilaGroup := manila.ManilaGroupID livenessProbe := &corev1.Probe{ // TODO might need tuning @@ -115,7 +112,7 @@ func StatefulSet( }, Image: instance.Spec.ContainerImage, SecurityContext: &corev1.SecurityContext{ - RunAsUser: &rootUser, + RunAsUser: &manilaUser, }, Env: env.MergeEnvs([]corev1.EnvVar{}, envVars), VolumeMounts: volumeMounts, diff --git a/pkg/manilashare/statefulset.go b/pkg/manilashare/statefulset.go index eda1385a..5c68fc06 100644 --- a/pkg/manilashare/statefulset.go +++ b/pkg/manilashare/statefulset.go @@ -25,7 +25,7 @@ import ( const ( // ServiceCommand - - ServiceCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start" + ServiceCommand = "/usr/local/bin/kolla_start" ) // StatefulSet func 
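Review bot: `manilaGroup` is still declared in this hunk, yet the container SecurityContext sets only `RunAsUser: &manilaUser`; if manilaGroup is only used for the pod-level FSGroup outside the hunk, the process's primary gid still comes from the image's passwd entry rather than from the constant. For parity with the cron-job and db-sync contexts in this patch, add `RunAsGroup: &manilaGroup,` under RunAsUser, and if the omission is deliberate say so in a comment on the field. StatefulSet's body starts and ends outside the hunk.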
@@ -36,11 +36,9 @@ func StatefulSet( annotations map[string]string, ) *appsv1.StatefulSet { trueVar := true - rootUser := int64(0) - // Manila's uid and gid magic numbers come from the 'manila-user' in - // https://github.com/openstack/kolla/blob/master/kolla/common/users.py - manilaUser := int64(42429) - manilaGroup := int64(42429) + + manilaUser := manila.ManilaUserID + manilaGroup := manila.ManilaGroupID // TODO until we determine how to properly query for these livenessProbe := &corev1.Probe{ @@ -129,7 +127,7 @@ func StatefulSet( }, Image: instance.Spec.ContainerImage, SecurityContext: &corev1.SecurityContext{ - RunAsUser: &rootUser, + RunAsUser: &manilaUser, Privileged: &trueVar, }, Env: env.MergeEnvs([]corev1.EnvVar{}, envVars), diff --git a/templates/manila/config/httpd.conf b/templates/manila/config/httpd.conf index 50493669..301ce51b 100644 --- a/templates/manila/config/httpd.conf +++ b/templates/manila/config/httpd.conf @@ -19,6 +19,7 @@ LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-A SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded CustomLog /dev/stdout combined env=!forwarded CustomLog /dev/stdout proxy env=forwarded +ErrorLog /dev/stdout # XXX: To disable SSL #Include conf.d/*.conf diff --git a/templates/manila/config/manila-api-config.json b/templates/manila/config/manila-api-config.json index 6c33a8b3..31689ac7 100644 --- a/templates/manila/config/manila-api-config.json +++ b/templates/manila/config/manila-api-config.json @@ -16,13 +16,13 @@ { "source": "/var/lib/config-data/default/ssl.conf", "dest": "/etc/httpd/conf.d/ssl.conf", - "owner": "root", + "owner": "manila", "perm": "0644" }, { "source": "/var/lib/config-data/tls/certs/*", "dest": "/etc/pki/tls/certs/", - "owner": "root", + "owner": "manila", "perm": "0640", "optional": true, "merge": true 
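Review bot: The share container keeps `Privileged: &trueVar` on the same SecurityContext that now sets RunAsUser to the manila uid, so it is still a privileged container (host device access, default seccomp and LSM confinement off) and the commit message's "instead of root" overstates what changed for this service. If the backends genuinely need privilege, presumably for mounting exports or NFS/Ceph client operations, document it at the field: `// Privileged is still required by the share backends; the manila uid only changes file ownership, not kernel privilege. TODO: narrow to the specific capabilities needed.` If they do not, dropping Privileged and adding `RunAsNonRoot: &trueVar` is the hardening this patch is actually after. StatefulSet's body starts and ends outside the hunk.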
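Review bot: `ErrorLog /dev/stdout` is added without a note on why; presumably httpd, now started as the manila user, can no longer write the default error log location, and the next person to tidy this template will not know that. Suggest the comment `# httpd no longer runs as root and cannot write the default error log; send it to the container output like the access logs.` above the directive. Consider `ErrorLog /dev/stderr` instead: the access logs already go to stdout, and keeping the error log on a separate stream lets log collectors tell the two apart without parsing.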
@@ -30,7 +30,7 @@ { "source": "/var/lib/config-data/tls/private/*", "dest": "/etc/pki/tls/private/", - "owner": "root", + "owner": "manila", "perm": "0600", "optional": true, "merge": true @@ -41,6 +41,11 @@ "path": "/var/log/manila", "owner": "manila:apache", "recurse": true + }, + { + "path": "/etc/httpd/run", + "owner": "manila:apache", + "recurse": true } ] } diff --git a/test/kuttl/tests/manila-tls/03-assert.yaml b/test/kuttl/tests/manila-tls/03-assert.yaml index 96093886..f71e7dea 100644 --- a/test/kuttl/tests/manila-tls/03-assert.yaml +++ b/test/kuttl/tests/manila-tls/03-assert.yaml @@ -264,7 +264,7 @@ spec: - -- - /bin/bash - -c - - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start + - /usr/local/bin/kolla_start command: - /usr/bin/dumb-init volumeMounts: @@ -365,7 +365,7 @@ spec: - -- - /bin/bash - -c - - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start + - /usr/local/bin/kolla_start command: - /usr/bin/dumb-init volumeMounts: @@ -488,7 +488,7 @@ spec: - -- - /bin/bash - -c - - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start + - /usr/local/bin/kolla_start command: - /usr/bin/dumb-init volumeMounts:
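Review bot: Moving `/etc/pki/tls/private/*` (perm 0600) from root to manila ownership is what lets httpd read the key now that it starts as uid 42429, but it also changes who can read it at runtime: if the template's User directive previously dropped workers to apache, a root-owned 0600 key was readable only by the root-started parent, whereas a non-root master cannot switch user, so the workers now run as manila and can read the key directly. That is a defensible trade for a non-root container, not a defect, but it is a consequence this patch should state in the commit message; 0600 with owner manila is the right minimum for it, and the private directory should stay out of the apache group that /var/log/manila and the new /etc/httpd/run entry are shared with. JSON has no comment syntax, so the explanation belongs in the commit message or the operator docs rather than in this file.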