Fix nova-compute-ssh

On stx-openstack, we run the nova-compute containers as user 0 (root) to get privileged access to some of the host resources. During the latest upversion of openstack-helm, we got in some commits that were incompatible with our usage of the root user since the keys for ssh access to a different compute were always placed under the 'nova' user's folder. This commit fixes that behavior while we don't merge a definitive fix on openstack-helm and go through a new upversion. Test Plan: PASS - nova-compute-ssh starting correctly after change the sshd->ssh parameter PASS - migrate/resize vm Closes-Bug: #1956229 Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com> Signed-off-by: Hugo Brito <hugo.brito@windriver.com> Change-Id: Ic90e8e64670b8314b9a2f38b93a59361dcb7ecc9
2021-12-20 17:19:09 -03:00 · 2021-12-20 17:19:09 -03:00 · 4e3157bf4c
commit 4e3157bf4c
parent 1b67fd1aa8
5 changed files with 200 additions and 7 deletions
--- a/openstack-helm/centos/openstack-helm.spec
+++ b/openstack-helm/centos/openstack-helm.spec
@ -29,6 +29,7 @@ Patch07: 0007-Add-stx_admin-account.patch
 Patch08: 0008-Disabling-helm3_hook.patch
 Patch09: 0009-Add-flavor-extra-spec-hw-pci_irq_affinity_mask.patch
 Patch10: 0010-Enable-taint-toleration-for-Openstack-services.patch
+Patch11: 0011-Fix-nova-compute-ssh-init-to-execute-as-runAsUser.patch

 BuildRequires: helm
 BuildRequires: openstack-helm-infra
@ -50,6 +51,7 @@ Openstack Helm charts
 %patch08 -p1
 %patch09 -p1
 %patch10 -p1
+%patch11 -p1

 %build
 # Stage helm-toolkit in the local repo
--- a/openstack-helm/debian/deb_folder/rules
+++ b/openstack-helm/debian/deb_folder/rules
@ -26,6 +26,7 @@ override_dh_auto_build:
 	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0008-Disabling-helm3_hook.patch
 	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0009-Add-flavor-extra-spec-hw-pci_irq_affinity_mask.patch
 	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0010-Enable-taint-toleration-for-Openstack-services.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0011-Fix-nova-compute-ssh-init-to-execute-as-runAsUser.patch
 	# Host a server for the helm charts.
 	chartmuseum --debug --port=8879 --context-path='/charts' --storage="local" \
 		--storage-local-rootdir="." &
--- a/openstack-helm/files/0011-Fix-nova-compute-ssh-init-to-execute-as-runAsUser.patch
+++ b/openstack-helm/files/0011-Fix-nova-compute-ssh-init-to-execute-as-runAsUser.patch
@ -0,0 +1,172 @@
+From fc736ec3993ff18b6380d2016060991e2c3a11f4 Mon Sep 17 00:00:00 2001
+From: Thiago Brito <thiago.brito@windriver.com>
+Date: Fri, 7 Jan 2022 15:59:41 -0300
+Subject: [PATCH] Fix nova-compute-ssh init to execute as runAsUser
+
+On _ssh-init.sh.tpl, despite one change the runAsUser for the
+nova-compute container on the securityContext, the ssh keys are always
+being copied into the 'nova' user's folder. This change fixes it by
+getting the correct user defined on the securityContext and copying the
+keys to its correct folder.
+
+Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
+Change-Id: Ia7883dc4626a295892eb4637ef717b0b1725ac89
+---
+ nova/templates/bin/_ssh-init.sh.tpl   | 13 ++++++++-----
+ nova/templates/daemonset-compute.yaml | 16 ++++++++++++----
+ nova/values.yaml                      |  4 +++-
+ 3 files changed, 23 insertions(+), 10 deletions(-)
+
+diff --git a/nova/templates/bin/_ssh-init.sh.tpl b/nova/templates/bin/_ssh-init.sh.tpl
+index be2e33a4..fbd96f04 100644
+--- a/nova/templates/bin/_ssh-init.sh.tpl
+++ b/nova/templates/bin/_ssh-init.sh.tpl
+@@ -16,10 +16,13 @@ limitations under the License.
+
+ set -ex
+
+-mkdir -p ~nova/.ssh
+-chown -R nova:nova ~nova/.ssh
+export NOVA_USERNAME=$(id -u ${NOVA_USER_UID} -n)
+export NOVA_USER_HOME=$(eval echo ~${NOVA_USERNAME})
+
+-cat > ~nova/.ssh/config <<EOF
+mkdir -p ${NOVA_USER_HOME}/.ssh
+chown -R ${NOVA_USERNAME}:${NOVA_USERNAME} ${NOVA_USER_HOME}/.ssh
+
+cat > ${NOVA_USER_HOME}/.ssh/config <<EOF
+ Host *
+   StrictHostKeyChecking no
+   UserKnownHostsFile /dev/null
+@@ -27,5 +30,5 @@ Host *
+   IdentitiesOnly yes
+ EOF
+
+-cp /tmp/nova-ssh/* ~nova/.ssh/
+-chmod 600 ~nova/.ssh/id_rsa
+cp /tmp/nova-ssh/* ${NOVA_USER_HOME}/.ssh/
+chmod 600 ${NOVA_USER_HOME}/.ssh/id_rsa
+diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml
+index 4c690d61..2b23e334 100644
+--- a/nova/templates/daemonset-compute.yaml
+++ b/nova/templates/daemonset-compute.yaml
+@@ -104,6 +104,7 @@ spec:
+               mountPath: /var/lib/nova
+             - name: pod-shared
+               mountPath: /tmp/pod-shared
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+         {{- if .Values.conf.ceph.enabled }}
+         - name: ceph-perms
+ {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
+@@ -119,6 +120,7 @@ spec:
+               mountPath: /tmp
+             - name: etcceph
+               mountPath: /etc/ceph
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+         {{- if empty .Values.conf.ceph.cinder.keyring }}
+         - name: ceph-admin-keyring-placement
+ {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
+@@ -141,6 +143,7 @@ spec:
+               subPath: key
+               readOnly: true
+             {{ end }}
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+         {{ end }}
+         - name: ceph-keyring-placement
+ {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
+@@ -169,6 +172,7 @@ spec:
+               mountPath: /etc/ceph/ceph.conf.template
+               subPath: ceph.conf
+               readOnly: true
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+         {{ end }}
+         {{- if eq .Values.console.console_kind "novnc"}}
+         - name: nova-compute-vnc-init
+@@ -187,6 +191,7 @@ spec:
+               readOnly: true
+             - name: pod-shared
+               mountPath: /tmp/pod-shared
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+         {{ end }}
+         {{- if eq .Values.console.console_kind "spice"}}
+         - name: nova-compute-spice-init
+@@ -205,6 +210,7 @@ spec:
+               readOnly: true
+             - name: pod-shared
+               mountPath: /tmp/pod-shared
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+         {{ end }}
+         {{- if ( has "tungstenfabric" .Values.network.backend ) }}
+         - name: tungstenfabric-compute-init
+@@ -217,15 +223,19 @@ spec:
+               mountPath: /opt/plugin
+             - name: tf-plugin-bin
+               mountPath: /opt/plugin/bin
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+         {{- end }}
+         {{- if .Values.network.ssh.enabled }}
+         - name: nova-compute-ssh-init
+ {{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }}
+ {{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_ssh_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+           terminationMessagePath: /var/log/termination-log
+           env:
+             - name: SSH_PORT
+               value: {{ .Values.network.ssh.port | quote }}
+            - name: NOVA_USER_UID
+              value: "{{ .Values.pod.security_context.nova.pod.runAsUser }}"
+           command:
+             - /tmp/ssh-init.sh
+           volumeMounts:
+@@ -241,14 +251,13 @@ spec:
+               mountPath: /tmp/ssh-init.sh
+               subPath: ssh-init.sh
+               readOnly: true
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+         {{- end }}
+       containers:
+         - name: nova-compute
+ {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
+ {{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ {{ dict "envAll" $envAll "application" "nova" "container" "nova_compute" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+-          securityContext:
+-            privileged: true
+           env:
+           {{- if .Values.conf.ceph.enabled }}
+             - name: CEPH_CINDER_USER
+@@ -431,8 +440,6 @@ spec:
+ {{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }}
+ {{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ {{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_ssh" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+-          securityContext:
+-            privileged: true
+           env:
+             - name: KEY_TYPES
+               value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.network.ssh.key_types | quote }}
+@@ -455,6 +462,7 @@ spec:
+               subPath: ssh-start.sh
+               readOnly: true
+ {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+         {{ end }}
+       volumes:
+         - name: pod-tmp
+diff --git a/nova/values.yaml b/nova/values.yaml
+index cdb14575..72dd0d11 100644
+--- a/nova/values.yaml
+++ b/nova/values.yaml
+@@ -2155,8 +2155,10 @@ pod:
+           readOnlyRootFilesystem: true
+           privileged: true
+         nova_compute_ssh:
+-          readOnlyRootFilesystem: true
+           privileged: true
+          runAsUser: 0
+        nova_compute_ssh_init:
+          runAsUser: 0
+         nova_api_metadata_init:
+           readOnlyRootFilesystem: true
+           allowPrivilegeEscalation: false
+--
+2.17.1
+
--- a/python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/nova.py
+++ b/python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/nova.py
@ -142,12 +142,13 @@ class NovaHelm(openstack.OpenstackBaseHelm):
                            'hosts': self._get_per_host_overrides()
                        }
                    },
-                    'ssh_private': ssh_privatekey,
-                    'ssh_public': ssh_publickey,
                },
                'endpoints': self._get_endpoints_overrides(),
                'network': {
-                    'sshd': {
+                    'ssh': {
+                        'enabled': 'true',
+                        'private_key': ssh_privatekey,
+                        'public_key': ssh_publickey,
                        'from_subnet': self._get_ssh_subnet(),
                    },
                    'novncproxy': {
@ -160,6 +161,20 @@ class NovaHelm(openstack.OpenstackBaseHelm):
            }
        }

+        # https://bugs.launchpad.net/starlingx/+bug/1956229
+        # The volume/volumeMount below are needed if we want to use the root user to ssh to the destiny host during a
+        # migration operation
+        overrides[common.HELM_NS_OPENSTACK]["pod"]["mounts"]["nova_compute"]["nova_compute"]["volumeMounts"].append({
+            "name": "userhome",
+            "mountPath": "/root",
+        })
+        overrides[common.HELM_NS_OPENSTACK]["pod"]["mounts"]["nova_compute"]["nova_compute"]["volumes"].append({
+            "name": "userhome",
+            "hostPath": {
+                "path": "/var/lib/nova-user-home"
+            }
+        })
+
        if namespace in self.SUPPORTED_NAMESPACES:
            return overrides[namespace]
        elif namespace:
--- a/stx-openstack-helm/stx-openstack-helm/manifests/manifest.yaml
+++ b/stx-openstack-helm/stx-openstack-helm/manifests/manifest.yaml
@ -1220,12 +1220,10 @@ data:
          - key: openstack-compute-node
            operator: Exists
            effect: NoSchedule
-      user:
-        nova:
-          uid: 0
      security_context:
        nova:
          pod:
+            # https://bugs.launchpad.net/starlingx/+bug/1956229
            runAsUser: 0
      probes:
        readiness:
@ -1349,8 +1347,13 @@ data:
          enable_numa_live_migration: true
      hypervisor:
        address_search_enabled: false
+      ssh: |
+        Host *
+          StrictHostKeyChecking no
+          UserKnownHostsFile /dev/null
+          Port {{ .Values.network.ssh.port }}
    network:
-      sshd:
+      ssh:
        enabled: true
    console:
      address_search_enabled: false