diff --git a/pkg/nova/cellmapping.go b/pkg/nova/cellmapping.go
index 8d65c2682..d8d2d8ca3 100644
--- a/pkg/nova/cellmapping.go
+++ b/pkg/nova/cellmapping.go
@@ -4,6 +4,7 @@ import (
 batchv1 "k8s.io/api/batch/v1"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/utils/ptr"
 
 common "github.com/openstack-k8s-operators/lib-common/modules/common"
 "github.com/openstack-k8s-operators/lib-common/modules/common/env"
@@ -11,7 +12,7 @@ import (
 )
 
 const (
- cellMappingCommand = "/usr/local/bin/kolla_set_configs && /var/lib/openstack/bin/ensure_cell_mapping.sh"
+ cellMappingCommand = "sudo /usr/local/bin/kolla_set_configs && /var/lib/openstack/bin/ensure_cell_mapping.sh"
 )
 
 func CellMappingJob(
@@ -22,8 +23,6 @@ func CellMappingJob(
 inputHash string,
 labels map[string]string,
 ) *batchv1.Job {
- runAsUser := int64(0)
-
 args := []string{"-c"}
 if cell.Spec.Debug.StopJob {
 args = append(args, common.DebugCommand)
@@ -69,7 +68,7 @@ func CellMappingJob(
 Args: args,
 Image: cell.Spec.ConductorServiceTemplate.ContainerImage,
 SecurityContext: &corev1.SecurityContext{
- RunAsUser: &runAsUser,
+ RunAsUser: ptr.To(NovaUserID),
 },
 Env: env,
 VolumeMounts: []corev1.VolumeMount{
diff --git a/pkg/nova/common.go b/pkg/nova/common.go
index 4e0f0a73d..ee0b7915e 100644
--- a/pkg/nova/common.go
+++ b/pkg/nova/common.go
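Review bot: The `sudo` prefix added to `cellMappingCommand` makes the job depend on two things the diff does not record: the container image must grant the nova user a sudoers rule for `/usr/local/bin/kolla_set_configs`, and the container must not set `AllowPrivilegeEscalation: false`, because sudo is a setuid binary that the resulting no_new_privs flag would refuse to elevate. A comment on the constant would keep the next reader from rediscovering this, e.g. `// kolla_set_configs still runs as root, via the image's sudoers rule for the nova user; this breaks if AllowPrivilegeEscalation is ever set to false on the container`. It is also worth stating in that comment that only the first command of the `&&` chain is elevated and the script after it runs as the nova user, which looks intended. The same applies to `KollaServiceCommand` in pkg/nova/common.go, `discoverCommand` in pkg/nova/host_discovery.go and `cellDBSyncCommand` in pkg/novaconductor/dbsync.go.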
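Review bot: The `RunAsUser: ptr.To(NovaUserID)` line in the `SecurityContext` literal drops root, but nothing enforces that intent: if the constant or an image default ever resolves to uid 0 again the pod starts as root silently. Adding `RunAsNonRoot: ptr.To(true),` next to it makes the kubelet reject a root uid at pod start, which is the cheap way to lock the change in. The same `SecurityContext` literal is repeated in pkg/nova/host_discovery.go, pkg/novaapi/deployment.go (both containers), pkg/novacompute/deployment.go, pkg/novaconductor/dbsync.go and deployment.go, pkg/novametadata/deployment.go (both containers), pkg/novascheduler/deployment.go and pkg/novncproxy/deployment.go; a small helper in pkg/nova returning the shared `*corev1.SecurityContext` would stop the copies from drifting. CellMappingJob's body continues outside the hunk.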
@@ -24,12 +24,15 @@ import (
 
 const (
 // KollaServiceCommand - the command to start the service binary in the kolla container
- KollaServiceCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start"
+ KollaServiceCommand = "sudo /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start"
 // NovaAPIDatabaseName - the name of the DB to store tha API schema
 NovaAPIDatabaseName = "nova_api"
 // NovaCell0DatabaseName - the name of the DB to store the cell schema for
 // cell0
 NovaCell0DatabaseName = "nova_cell0"
+ // NovaUserID is the linux user ID used by Kolla for the nova user
+ // in the service containers
+ NovaUserID int64 = 42436
 )
 
 // GetScriptSecretName returns the name of the Secret used for the
diff --git a/pkg/nova/host_discovery.go b/pkg/nova/host_discovery.go
index 1505eb8bf..4790efc66 100644
--- a/pkg/nova/host_discovery.go
+++ b/pkg/nova/host_discovery.go
@@ -22,10 +22,11 @@ import (
 batchv1 "k8s.io/api/batch/v1"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/utils/ptr"
 )
 
 const (
- discoverCommand = "/usr/local/bin/kolla_set_configs && /var/lib/openstack/bin/host_discover.sh"
+ discoverCommand = "sudo /usr/local/bin/kolla_set_configs && /var/lib/openstack/bin/host_discover.sh"
 )
 
 func HostDiscoveryJob(
@@ -35,8 +36,6 @@ func HostDiscoveryJob(
 inputHash string,
 labels map[string]string,
 ) *batchv1.Job {
- runAsUser := int64(0)
-
 args := []string{"-c"}
 if instance.Spec.Debug.StopJob {
 args = append(args, common.DebugCommand)
@@ -81,7 +80,7 @@ func HostDiscoveryJob(
 Args: args,
 Image: instance.Spec.ConductorServiceTemplate.ContainerImage,
 SecurityContext: &corev1.SecurityContext{
- RunAsUser: &runAsUser,
+ RunAsUser: ptr.To(NovaUserID),
 },
 Env: env,
 VolumeMounts: []corev1.VolumeMount{
diff --git a/pkg/novaapi/deployment.go b/pkg/novaapi/deployment.go
index 39658c047..2d633f202 100644
--- a/pkg/novaapi/deployment.go
+++ b/pkg/novaapi/deployment.go
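Review bot: The new `NovaUserID int64 = 42436` constant is documented as the Kolla nova uid, but nothing ties it to the image that is actually run: if a `ContainerImage` is built with a different uid the pod still starts, as a uid that owns none of the image's files, and the mismatch surfaces only as permission errors in the service logs. The comment should state that contract, e.g. `// NovaUserID is the linux user ID used by Kolla for the nova user in the service containers. It must match the uid baked into the ContainerImage and the sudoers rule the sudo-prefixed commands rely on; there is no runtime check.` A matching group ID constant next to it would let the StatefulSets set `RunAsGroup` consistently, though whether the Kolla images use a single gid is not visible here.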
@@ -27,6 +27,7 @@ import (
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/intstr"
+ "k8s.io/utils/ptr"
 )
 
 // StatefulSet - returns the StatefulSet definition for the nova-api service
@@ -36,8 +37,6 @@ func StatefulSet(
 labels map[string]string,
 annotations map[string]string,
 ) *appsv1.StatefulSet {
- runAsUser := int64(0)
-
 // This allows the pod to start up slowly. The pod will only be killed
 // if it does not succeed a probe in 60 seconds.
 startupProbe := &corev1.Probe{
@@ -135,7 +134,7 @@ func StatefulSet(
 Args: []string{"-c", "tail -n+1 -F /var/log/nova/nova-api.log"},
 Image: instance.Spec.ContainerImage,
 SecurityContext: &corev1.SecurityContext{
- RunAsUser: &runAsUser,
+ RunAsUser: ptr.To(nova.NovaUserID),
 },
 Env: env,
 VolumeMounts: []corev1.VolumeMount{nova.GetLogVolumeMount()},
@@ -152,7 +151,7 @@ func StatefulSet(
 Args: args,
 Image: instance.Spec.ContainerImage,
 SecurityContext: &corev1.SecurityContext{
- RunAsUser: &runAsUser,
+ RunAsUser: ptr.To(nova.NovaUserID),
 },
 Env: env,
 VolumeMounts: []corev1.VolumeMount{
diff --git a/pkg/novacompute/deployment.go b/pkg/novacompute/deployment.go
index cf2450031..abef38d88 100644
--- a/pkg/novacompute/deployment.go
+++ b/pkg/novacompute/deployment.go
@@ -26,6 +26,7 @@ import (
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/utils/ptr"
 )
 
 // StatefulSet - returns the StatefulSet definition for the nova-compute service
@@ -35,8 +36,6 @@ func StatefulSet(
 labels map[string]string,
 annotations map[string]string,
 ) *appsv1.StatefulSet {
- runAsUser := int64(0)
-
 // After the first successful startupProbe, livenessProbe takes over
 livenessProbe := &corev1.Probe{
 // TODO might need tuning
@@ -122,7 +121,7 @@ func StatefulSet(
 Args: args,
 Image: instance.Spec.ContainerImage,
 SecurityContext: &corev1.SecurityContext{
- RunAsUser: &runAsUser,
+ RunAsUser: ptr.To(nova.NovaUserID),
 },
 Env: env,
 VolumeMounts: []corev1.VolumeMount{
diff --git a/pkg/novaconductor/dbsync.go b/pkg/novaconductor/dbsync.go
index 36ae4d118..d275ccc80 100644
--- a/pkg/novaconductor/dbsync.go
+++ b/pkg/novaconductor/dbsync.go
@@ -26,11 +26,12 @@ import (
 batchv1 "k8s.io/api/batch/v1"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/utils/ptr"
 )
 
 const (
 // cellDBSyncCommand - the command to be used to run db sync for the cell DB
- cellDBSyncCommand = "/usr/local/bin/kolla_set_configs && /bin/sh -c /var/lib/openstack/bin/dbsync.sh"
+ cellDBSyncCommand = "sudo /usr/local/bin/kolla_set_configs && /bin/sh -c /var/lib/openstack/bin/dbsync.sh"
 )
 
 // CellDBSyncJob - define a batchv1.Job to be run to apply the cel DB schema
@@ -39,8 +40,6 @@ func CellDBSyncJob(
 labels map[string]string,
 annotations map[string]string,
 ) *batchv1.Job {
- runAsUser := int64(0)
-
 args := []string{"-c"}
 if instance.Spec.Debug.StopJob {
 args = append(args, common.DebugCommand)
@@ -81,7 +80,7 @@ func CellDBSyncJob(
 Args: args,
 Image: instance.Spec.ContainerImage,
 SecurityContext: &corev1.SecurityContext{
- RunAsUser: &runAsUser,
+ RunAsUser: ptr.To(nova.NovaUserID),
 },
 Env: env,
 VolumeMounts: []corev1.VolumeMount{
diff --git a/pkg/novaconductor/deployment.go b/pkg/novaconductor/deployment.go
index 4cf586606..91233bfba 100644
--- a/pkg/novaconductor/deployment.go
+++ b/pkg/novaconductor/deployment.go
@@ -26,6 +26,7 @@ import (
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/utils/ptr"
 )
 
 // StatefulSet - returns the StatefulSet definition for the nova-api service
@@ -35,8 +36,6 @@ func StatefulSet(
 labels map[string]string,
 annotations map[string]string,
 ) *appsv1.StatefulSet {
- runAsUser := int64(0)
-
 livenessProbe := &corev1.Probe{
 // TODO might need tuning
 TimeoutSeconds: 5,
@@ -128,7 +127,7 @@ func StatefulSet(
 Args: args,
 Image: instance.Spec.ContainerImage,
 SecurityContext: &corev1.SecurityContext{
- RunAsUser: &runAsUser,
+ RunAsUser: ptr.To(nova.NovaUserID),
 },
 Env: env,
 VolumeMounts: []corev1.VolumeMount{
diff --git a/pkg/novametadata/deployment.go b/pkg/novametadata/deployment.go
index 2d864a9d8..4fb77b6bf 100644
--- a/pkg/novametadata/deployment.go
+++ b/pkg/novametadata/deployment.go
@@ -27,6 +27,7 @@ import (
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/intstr"
+ "k8s.io/utils/ptr"
 )
 
 // StatefulSet - returns the StatefulSet definition for the nova-metadata service
@@ -36,8 +37,6 @@ func StatefulSet(
 labels map[string]string,
 annotations map[string]string,
 ) *appsv1.StatefulSet {
- runAsUser := int64(0)
-
 // This allows the pod to start up slowly. The pod will only be killed
 // if it does not succeed a probe in 60 seconds.
 startupProbe := &corev1.Probe{
@@ -135,7 +134,7 @@ func StatefulSet(
 Args: []string{"-c", "tail -n+1 -F /var/log/nova/nova-metadata.log"},
 Image: instance.Spec.ContainerImage,
 SecurityContext: &corev1.SecurityContext{
- RunAsUser: &runAsUser,
+ RunAsUser: ptr.To(nova.NovaUserID),
 },
 Env: env,
 VolumeMounts: []corev1.VolumeMount{
@@ -154,7 +153,7 @@ func StatefulSet(
 Args: args,
 Image: instance.Spec.ContainerImage,
 SecurityContext: &corev1.SecurityContext{
- RunAsUser: &runAsUser,
+ RunAsUser: ptr.To(nova.NovaUserID),
 },
 Env: env,
 VolumeMounts: []corev1.VolumeMount{
diff --git a/pkg/novascheduler/deployment.go b/pkg/novascheduler/deployment.go
index 365711028..9724e8a1e 100644
--- a/pkg/novascheduler/deployment.go
+++ b/pkg/novascheduler/deployment.go
@@ -26,6 +26,7 @@ import (
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/utils/ptr"
 )
 
 // StatefulSet - returns the StatefulSet definition for the nova-scheduler service
@@ -35,8 +36,6 @@ func StatefulSet(
 labels map[string]string,
 annotations map[string]string,
 ) *appsv1.StatefulSet {
- runAsUser := int64(0)
-
 // This allows the pod to start up slowly. The pod will only be killed
 // if it does not succeed a probe in 60 seconds.
 startupProbe := &corev1.Probe{
@@ -137,7 +136,7 @@ func StatefulSet(
 Args: args,
 Image: instance.Spec.ContainerImage,
 SecurityContext: &corev1.SecurityContext{
- RunAsUser: &runAsUser,
+ RunAsUser: ptr.To(nova.NovaUserID),
 },
 Env: env,
 VolumeMounts: []corev1.VolumeMount{
diff --git a/pkg/novncproxy/deployment.go b/pkg/novncproxy/deployment.go
index 6d284f8bc..e9f89646a 100644
--- a/pkg/novncproxy/deployment.go
+++ b/pkg/novncproxy/deployment.go
@@ -27,6 +27,7 @@ import (
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/intstr"
+ "k8s.io/utils/ptr"
 )
 
 // StatefulSet - returns the StatefulSet definition for the nova-novanovncproxy service
@@ -36,8 +37,6 @@ func StatefulSet(
 labels map[string]string,
 annotations map[string]string,
 ) *appsv1.StatefulSet {
- runAsUser := int64(0)
-
 // This allows the pod to start up slowly. The pod will only be killed
 // if it does not succeed a probe in 60 seconds.
 startupProbe := &corev1.Probe{
@@ -135,7 +134,7 @@ func StatefulSet(
 Args: args,
 Image: instance.Spec.ContainerImage,
 SecurityContext: &corev1.SecurityContext{
- RunAsUser: &runAsUser,
+ RunAsUser: ptr.To(nova.NovaUserID),
 },
 Env: env,
 VolumeMounts: []corev1.VolumeMount{