Do not run nova services as root

[gibizer]

Implements: https://issues.redhat.com/browse/OSPRH-1374

[gibizer]

/hold I need to test this

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/0a07729177b944599c3cca2a74e37ebd

✔️ nova-operator-content-provider SUCCESS in 1h 32m 07s
❌ nova-operator-kuttl FAILURE in 44m 27s
❌ nova-operator-tempest-multinode FAILURE in 1h 11m 56s

[gibizer]

db sync job fails but must gather does not collect the job's log :/ I need to try this with a local build

[gibizer]

@SeanMooney you mentioned that kolla set config needs sudo and that the sudo is managed by rootwrap in the k8s nova images.

❯ oc exec -t nova-cell0-conductor-0 -- cat /etc/sudoers.d/nova
Defaults:nova !requiretty

nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *
nova ALL = (root) NOPASSWD: /usr/bin/privsep-helper *

❯ oc exec -t nova-cell0-conductor-0 -- grep filters_path /etc/nova/rootwrap.conf
filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap

❯ oc exec -t nova-cell0-conductor-0 -- ls /etc/nova/rootwrap.d /usr/share/nova/rootwrap
ls: cannot access '/etc/nova/rootwrap.d': No such file or directory
ls: cannot access '/usr/share/nova/rootwrap': No such file or directory
command terminated with exit code 2

It seems to me that the sudo config is incomplete as we have no filters defined. For dbsync we directly call kolla_set_configs at
https://github.com/openstack-k8s-operators/nova-operator/blob/main/pkg/novaconductor/dbsync.go#L33
For the service containers we call /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start

If I understand correctly kolla_set_config needs sudo. How should we provide it in this env?

[gibizer]

@SeanMooney you mentioned that kolla set config needs sudo and that the sudo is managed by rootwrap in the k8s nova images.

❯ oc exec -t nova-cell0-conductor-0 -- cat /etc/sudoers.d/nova
Defaults:nova !requiretty

nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *
nova ALL = (root) NOPASSWD: /usr/bin/privsep-helper *

❯ oc exec -t nova-cell0-conductor-0 -- grep filters_path /etc/nova/rootwrap.conf
filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap

❯ oc exec -t nova-cell0-conductor-0 -- ls /etc/nova/rootwrap.d /usr/share/nova/rootwrap
ls: cannot access '/etc/nova/rootwrap.d': No such file or directory
ls: cannot access '/usr/share/nova/rootwrap': No such file or directory
command terminated with exit code 2

It seems to me that the sudo config is incomplete as we have no filters defined. For dbsync we directly call kolla_set_configs at https://github.com/openstack-k8s-operators/nova-operator/blob/main/pkg/novaconductor/dbsync.go#L33 For the service containers we call /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start

If I understand correctly kolla_set_config needs sudo. How should we provide it in this env?

Ahh there is an extra line the sudoers file:

# anyone in the kolla group may run /usr/local/bin/kolla_set_configs as the
# root user via sudo without password confirmation
%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla*

that suggest that we only need a user in the kolla group for the kolla commands to work.

And nova is in the kolla group:

sh-5.1# cat /etc/group | grep kolla
kolla:x:42400:nova

[softwarefactory-project-zuul]

Merge Failed.

This change or one of its cross-repo dependencies was unable to be automatically merged with the current state of its repository. Please rebase the change and upload a new patchset.
Warning:
Error merging github.com/openstack-k8s-operators/nova-operator for 598,c4dc4cc0493d5ce118bc80c37b6ca09edf71c65f

[gibizer]

So lets try to switch from root(0) to nova(42436) in the pods

[gibizer]

/test functional

[SeanMooney]

so this is a bug we should never call kolla_set_configs directly

we have two options

cellDBSyncCommand = "sudo /usr/local/bin/kolla_set_configs && /bin/sh -c /var/lib/openstack/bin/dbsync.sh"

as you said

or

cellDBSyncCommand = "/usr/local/bin/kolla_start" and provide a kolla config.json file with
"/bin/sh -c /var/lib/openstack/bin/dbsync.sh" as the command for kolla start to run after it has set up the config.

that would be my preference.

i.e. instead of bypassing the kolla image API we should correctly provide the kolla config.json to the job container and specify the command as normal in that.

[gibizer]

so this is a bug we should never call kolla_set_configs directly

we have two options

cellDBSyncCommand = "sudo /usr/local/bin/kolla_set_configs && /bin/sh -c /var/lib/openstack/bin/dbsync.sh"

as you said

or

cellDBSyncCommand = "/usr/local/bin/kolla_start" and provide a kolla config.json file with "/bin/sh -c /var/lib/openstack/bin/dbsync.sh" as the command for kolla start to run after it has set up the config.

that would be my preference.

i.e. instead of bypassing the kolla image API we should correctly provide the kolla config.json to the job container and specify the command as normal in that.

Thanks. I will rework this.

FYI, we have an even worse situation in placement-operator openstack-k8s-operators/placement-operator#107 (comment) as I think the placement image itself is broken (placement user is no in the kolla group)

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/8ac4e9b28fff4df89503fdc8fb772371

✔️ nova-operator-content-provider SUCCESS in 57m 20s
❌ nova-operator-kuttl FAILURE in 40m 28s
❌ nova-operator-tempest-multinode RETRY_LIMIT in 5s

[gibizer]

This is now using sudo for kolla_set_config just to see if that make the rest of the pieces work. If so I can add another commit to use kolla config files to execute the job commands.

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/34595c044c1c4e929b1bead7576f47fb

❌ nova-operator-content-provider NODE_FAILURE Node request 200-0006654352 failed in 0s
⚠️ nova-operator-kuttl SKIPPED Skipped due to failed job nova-operator-content-provider
⚠️ nova-operator-tempest-multinode SKIPPED Skipped due to failed job nova-operator-content-provider

[gibizer]

recheck

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/14de4d53311d4a6c90c60cea8e3a172e

❌ nova-operator-content-provider NODE_FAILURE Node request 200-0006654921 failed in 0s
⚠️ nova-operator-kuttl SKIPPED Skipped due to failed job nova-operator-content-provider
⚠️ nova-operator-tempest-multinode SKIPPED Skipped due to failed job nova-operator-content-provider

[gibizer]

recheck zuul nodepool should be back in business

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/bc20599914454911845ad66d2485539e

✔️ nova-operator-content-provider SUCCESS in 1h 25m 42s
❌ nova-operator-kuttl FAILURE in 40m 24s
❌ nova-operator-tempest-multinode FAILURE in 1h 07m 10s

[gibizer]

Still no success even with sudo. And must gather still not provide job logs (and the related pod is deleted) so I need to go back and deploy it locally to see the error.

[gibizer]

/test functional

[gibizer]

/unhold

[SeanMooney]

im +1.5 on this im just wondering if we really need to change the script mode or not

[bogdando]

lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gibizer, SeanMooney

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [SeanMooney,gibizer]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gibizer]

Setting scc to nonroot-v2 (or nonroot) does not work with kolla + sudo. It seem sudo needs uid 0 to exists

❯ oc logs nova-cell0-conductor-db-sync-bbtdl
+ sudo -E kolla_set_configs
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

[bogdando]

Setting scc to nonroot-v2 (or nonroot) does not work with kolla + sudo. It seem sudo needs uid 0 to exists

❯ oc logs nova-cell0-conductor-db-sync-bbtdl
+ sudo -E kolla_set_configs
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

To have a user with uid 0 mapped to some (nova) id user in the host, usernsmappings should work for cri-o in openshift the similar thay it works for podman, see cri-o/cri-o#5294

[gibizer]

Setting scc to nonroot-v2 (or nonroot) does not work with kolla + sudo. It seem sudo needs uid 0 to exists

❯ oc logs nova-cell0-conductor-db-sync-bbtdl
+ sudo -E kolla_set_configs
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

To have a user with uid 0 mapped to some (nova) id user in the host, usernsmappings should work for cri-o in openshift the similar thay it works for podman, see cri-o/cri-o#5294

Tried the manual mapping in #605 it does not seem to work.

[bogdando]

Tried the manual mapping in #605 it does not seem to work.

there is still something to research in that regard, see #605 (comment)