Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Run manila services using manila user/group #317

Merged

Conversation

fmount
Copy link
Collaborator

@fmount fmount commented Aug 14, 2024

This patch represents an improvment of the existing code to make sure we run manila services using the manila user instead of root.

Jira: https://issues.redhat.com/browse/OSPRH-10142
Jira: https://issues.redhat.com/browse/OSPRH-9409

@fmount fmount requested a review from gouthampacha August 14, 2024 08:49
Copy link
Contributor

openshift-ci bot commented Aug 14, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fmount

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@fmount fmount requested a review from silvacarloss August 14, 2024 08:49
@fmount fmount force-pushed the manila_user branch 2 times, most recently from d3eed61 to aab8d4f Compare August 14, 2024 12:07
Copy link

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/b5937352a4704a908391e903b953f0da

openstack-k8s-operators-content-provider FAILURE in 18m 36s
⚠️ manila-operator-kuttl SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)
⚠️ manila-operator-tempest SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)

@abays
Copy link
Contributor

abays commented Aug 14, 2024

Build failed (check pipeline). Post recheck (without leading slash) to rerun all jobs. Make sure the failure cause has been resolved before you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/b5937352a4704a908391e903b953f0da

openstack-k8s-operators-content-provider FAILURE in 18m 36s ⚠️ manila-operator-kuttl SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting) ⚠️ manila-operator-tempest SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)

recheck

Error: initializing source docker://quay.io/openstack-k8s-operators/barbican-operator-bundle:61e947eee09cff8ead669ece7fab058df79b2245: can't talk to a V1 container registry

@abays
Copy link
Contributor

abays commented Aug 14, 2024

recheck

@silvacarloss
Copy link
Contributor

Code lgtm, thank you!

Copy link

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/c7238555a0b441cd924ec4a5f1a57ba1

openstack-k8s-operators-content-provider FAILURE in 11m 36s
⚠️ manila-operator-kuttl SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)
⚠️ manila-operator-tempest SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)

@fmount
Copy link
Collaborator Author

fmount commented Aug 14, 2024

@fmount
Copy link
Collaborator Author

fmount commented Aug 14, 2024

mm looks like there are issues cloning the repo [1] (/cc @viroel )

[1] https://logserver.rdoproject.org/17/317/a943ae2689c21c0a28cd989b391fa4f80e6d0b5f/github-check/manila-operator-kuttl/1cc1630/job-output.txt

... which was probably a flaky issue

@fmount fmount force-pushed the manila_user branch 2 times, most recently from 6ec22e5 to 6e9ffd5 Compare August 27, 2024 20:48
VolumeMounts: dbSyncMounts,
Args: args,
Image: instance.Spec.ManilaAPI.ContainerImage,
SecurityContext: dbSyncSecurityContext(),
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@gouthampacha FYI now this run with its own security context, which is different from cronjobs but it's what we did for glance as well [1].

[1] openstack-k8s-operators/glance-operator#609

RunAsGroup: &runAsGroup,
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{
"MKNOD",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did dropping "ALL" fail here? I wonder what Caps are needed..

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I tried added both SETUID and SETGID caps (and removing ALL), however kolla_start fails to run the init script.
One thing we can do, as an alternative solution, is to remove kolla and run the command /usr/bin/manila-manage --config-dir /etc/manila/manila.conf.d db sync" directly. This way we shouldn't need any additional capability and we can Drop: All`.
I'm going to update the patch and try that.

@@ -19,6 +19,7 @@ LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-A
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
ErrorLog /dev/stdout
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you discover this when testing capabilities? :)

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

correct, w/o this it fails when using manilaUser

Copy link
Contributor

@gouthampacha gouthampacha left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @fmount
This looks good; i have one question regarding the dbsync caps..

@fmount fmount force-pushed the manila_user branch 2 times, most recently from 426fe46 to b8353e3 Compare August 28, 2024 07:51
This patch represents an improvment of the existing code to make sure we
run manila services using the manila user instead of root.
It also set the right SecurityContext on both dbsync and cronjobs.

Jira: https://issues.redhat.com/browse/OSPRH-9115

Signed-off-by: Francesco Pantano <[email protected]>
@fmount
Copy link
Collaborator Author

fmount commented Aug 28, 2024

/test manila-operator-build-deploy-kuttl

@fmount fmount requested a review from gouthampacha August 28, 2024 10:06
@@ -71,6 +79,8 @@ const (
ShortDuration = time.Duration(5) * time.Second
// NormalDuration -
NormalDuration = time.Duration(10) * time.Second
//DBSyncCommand -
DBSyncCommand = "/usr/bin/manila-manage --config-dir /etc/manila/manila.conf.d db sync"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

++ Thanks; i do think this is a good improvement even in isolation!

@gouthampacha
Copy link
Contributor

/lgtm

This looks great; thanks @fmount

dbSync
dbPurge
manila API manilaScheduler manilaShare

@openshift-ci openshift-ci bot added the lgtm label Aug 28, 2024
@openshift-merge-bot openshift-merge-bot bot merged commit f733ae7 into openstack-k8s-operators:main Aug 28, 2024
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants