Fix nova-compute-ssh
On stx-openstack, we run the nova-compute containers as user 0 (root) to get privileged access to some of the host resources. During the latest upversion of openstack-helm, we picked up some commits that were incompatible with our use of the root user, since the keys for ssh access to a different compute were always placed under the 'nova' user's home folder. This commit fixes that behavior until a definitive fix is merged in openstack-helm and we go through a new upversion. Test Plan: PASS - nova-compute-ssh starts correctly after changing the sshd->ssh parameter PASS - migrate/resize vm Closes-Bug: #1956229 Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com> Signed-off-by: Hugo Brito <hugo.brito@windriver.com> Change-Id: Ic90e8e64670b8314b9a2f38b93a59361dcb7ecc9
parent
1b67fd1aa8
commit
4e3157bf4c
@ -29,6 +29,7 @@ Patch07: 0007-Add-stx_admin-account.patch
|
|||||||
Patch08: 0008-Disabling-helm3_hook.patch
|
Patch08: 0008-Disabling-helm3_hook.patch
|
||||||
Patch09: 0009-Add-flavor-extra-spec-hw-pci_irq_affinity_mask.patch
|
Patch09: 0009-Add-flavor-extra-spec-hw-pci_irq_affinity_mask.patch
|
||||||
Patch10: 0010-Enable-taint-toleration-for-Openstack-services.patch
|
Patch10: 0010-Enable-taint-toleration-for-Openstack-services.patch
|
||||||
|
Patch11: 0011-Fix-nova-compute-ssh-init-to-execute-as-runAsUser.patch
|
||||||
|
|
||||||
BuildRequires: helm
|
BuildRequires: helm
|
||||||
BuildRequires: openstack-helm-infra
|
BuildRequires: openstack-helm-infra
|
||||||
@ -50,6 +51,7 @@ Openstack Helm charts
|
|||||||
%patch08 -p1
|
%patch08 -p1
|
||||||
%patch09 -p1
|
%patch09 -p1
|
||||||
%patch10 -p1
|
%patch10 -p1
|
||||||
|
%patch11 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# Stage helm-toolkit in the local repo
|
# Stage helm-toolkit in the local repo
|
||||||
|
@ -26,6 +26,7 @@ override_dh_auto_build:
|
|||||||
patch --no-backup-if-mismatch --fuzz=0 -p1 < 0008-Disabling-helm3_hook.patch
|
patch --no-backup-if-mismatch --fuzz=0 -p1 < 0008-Disabling-helm3_hook.patch
|
||||||
patch --no-backup-if-mismatch --fuzz=0 -p1 < 0009-Add-flavor-extra-spec-hw-pci_irq_affinity_mask.patch
|
patch --no-backup-if-mismatch --fuzz=0 -p1 < 0009-Add-flavor-extra-spec-hw-pci_irq_affinity_mask.patch
|
||||||
patch --no-backup-if-mismatch --fuzz=0 -p1 < 0010-Enable-taint-toleration-for-Openstack-services.patch
|
patch --no-backup-if-mismatch --fuzz=0 -p1 < 0010-Enable-taint-toleration-for-Openstack-services.patch
|
||||||
|
patch --no-backup-if-mismatch --fuzz=0 -p1 < 0011-Fix-nova-compute-ssh-init-to-execute-as-runAsUser.patch
|
||||||
# Host a server for the helm charts.
|
# Host a server for the helm charts.
|
||||||
chartmuseum --debug --port=8879 --context-path='/charts' --storage="local" \
|
chartmuseum --debug --port=8879 --context-path='/charts' --storage="local" \
|
||||||
--storage-local-rootdir="." &
|
--storage-local-rootdir="." &
|
||||||
|
@ -0,0 +1,172 @@
|
|||||||
|
From fc736ec3993ff18b6380d2016060991e2c3a11f4 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Thiago Brito <thiago.brito@windriver.com>
|
||||||
|
Date: Fri, 7 Jan 2022 15:59:41 -0300
|
||||||
|
Subject: [PATCH] Fix nova-compute-ssh init to execute as runAsUser
|
||||||
|
|
||||||
|
On _ssh-init.sh.tpl, despite one change the runAsUser for the
|
||||||
|
nova-compute container on the securityContext, the ssh keys are always
|
||||||
|
being copied into the 'nova' user's folder. This change fixes it by
|
||||||
|
getting the correct user defined on the securityContext and copying the
|
||||||
|
keys to its correct folder.
|
||||||
|
|
||||||
|
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
|
||||||
|
Change-Id: Ia7883dc4626a295892eb4637ef717b0b1725ac89
|
||||||
|
---
|
||||||
|
nova/templates/bin/_ssh-init.sh.tpl | 13 ++++++++-----
|
||||||
|
nova/templates/daemonset-compute.yaml | 16 ++++++++++++----
|
||||||
|
nova/values.yaml | 4 +++-
|
||||||
|
3 files changed, 23 insertions(+), 10 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/nova/templates/bin/_ssh-init.sh.tpl b/nova/templates/bin/_ssh-init.sh.tpl
|
||||||
|
index be2e33a4..fbd96f04 100644
|
||||||
|
--- a/nova/templates/bin/_ssh-init.sh.tpl
|
||||||
|
+++ b/nova/templates/bin/_ssh-init.sh.tpl
|
||||||
|
@@ -16,10 +16,13 @@ limitations under the License.
|
||||||
|
|
||||||
|
set -ex
|
||||||
|
|
||||||
|
-mkdir -p ~nova/.ssh
|
||||||
|
-chown -R nova:nova ~nova/.ssh
|
||||||
|
+export NOVA_USERNAME=$(id -u ${NOVA_USER_UID} -n)
|
||||||
|
+export NOVA_USER_HOME=$(eval echo ~${NOVA_USERNAME})
|
||||||
|
|
||||||
|
-cat > ~nova/.ssh/config <<EOF
|
||||||
|
+mkdir -p ${NOVA_USER_HOME}/.ssh
|
||||||
|
+chown -R ${NOVA_USERNAME}:${NOVA_USERNAME} ${NOVA_USER_HOME}/.ssh
|
||||||
|
+
|
||||||
|
+cat > ${NOVA_USER_HOME}/.ssh/config <<EOF
|
||||||
|
Host *
|
||||||
|
StrictHostKeyChecking no
|
||||||
|
UserKnownHostsFile /dev/null
|
||||||
|
@@ -27,5 +30,5 @@ Host *
|
||||||
|
IdentitiesOnly yes
|
||||||
|
EOF
|
||||||
|
|
||||||
|
-cp /tmp/nova-ssh/* ~nova/.ssh/
|
||||||
|
-chmod 600 ~nova/.ssh/id_rsa
|
||||||
|
+cp /tmp/nova-ssh/* ${NOVA_USER_HOME}/.ssh/
|
||||||
|
+chmod 600 ${NOVA_USER_HOME}/.ssh/id_rsa
|
||||||
|
diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml
|
||||||
|
index 4c690d61..2b23e334 100644
|
||||||
|
--- a/nova/templates/daemonset-compute.yaml
|
||||||
|
+++ b/nova/templates/daemonset-compute.yaml
|
||||||
|
@@ -104,6 +104,7 @@ spec:
|
||||||
|
mountPath: /var/lib/nova
|
||||||
|
- name: pod-shared
|
||||||
|
mountPath: /tmp/pod-shared
|
||||||
|
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
||||||
|
{{- if .Values.conf.ceph.enabled }}
|
||||||
|
- name: ceph-perms
|
||||||
|
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
|
@@ -119,6 +120,7 @@ spec:
|
||||||
|
mountPath: /tmp
|
||||||
|
- name: etcceph
|
||||||
|
mountPath: /etc/ceph
|
||||||
|
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
||||||
|
{{- if empty .Values.conf.ceph.cinder.keyring }}
|
||||||
|
- name: ceph-admin-keyring-placement
|
||||||
|
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
|
@@ -141,6 +143,7 @@ spec:
|
||||||
|
subPath: key
|
||||||
|
readOnly: true
|
||||||
|
{{ end }}
|
||||||
|
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
||||||
|
{{ end }}
|
||||||
|
- name: ceph-keyring-placement
|
||||||
|
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
|
@@ -169,6 +172,7 @@ spec:
|
||||||
|
mountPath: /etc/ceph/ceph.conf.template
|
||||||
|
subPath: ceph.conf
|
||||||
|
readOnly: true
|
||||||
|
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
||||||
|
{{ end }}
|
||||||
|
{{- if eq .Values.console.console_kind "novnc"}}
|
||||||
|
- name: nova-compute-vnc-init
|
||||||
|
@@ -187,6 +191,7 @@ spec:
|
||||||
|
readOnly: true
|
||||||
|
- name: pod-shared
|
||||||
|
mountPath: /tmp/pod-shared
|
||||||
|
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
||||||
|
{{ end }}
|
||||||
|
{{- if eq .Values.console.console_kind "spice"}}
|
||||||
|
- name: nova-compute-spice-init
|
||||||
|
@@ -205,6 +210,7 @@ spec:
|
||||||
|
readOnly: true
|
||||||
|
- name: pod-shared
|
||||||
|
mountPath: /tmp/pod-shared
|
||||||
|
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
||||||
|
{{ end }}
|
||||||
|
{{- if ( has "tungstenfabric" .Values.network.backend ) }}
|
||||||
|
- name: tungstenfabric-compute-init
|
||||||
|
@@ -217,15 +223,19 @@ spec:
|
||||||
|
mountPath: /opt/plugin
|
||||||
|
- name: tf-plugin-bin
|
||||||
|
mountPath: /opt/plugin/bin
|
||||||
|
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.network.ssh.enabled }}
|
||||||
|
- name: nova-compute-ssh-init
|
||||||
|
{{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
|
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_ssh_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||||
|
terminationMessagePath: /var/log/termination-log
|
||||||
|
env:
|
||||||
|
- name: SSH_PORT
|
||||||
|
value: {{ .Values.network.ssh.port | quote }}
|
||||||
|
+ - name: NOVA_USER_UID
|
||||||
|
+ value: "{{ .Values.pod.security_context.nova.pod.runAsUser }}"
|
||||||
|
command:
|
||||||
|
- /tmp/ssh-init.sh
|
||||||
|
volumeMounts:
|
||||||
|
@@ -241,14 +251,13 @@ spec:
|
||||||
|
mountPath: /tmp/ssh-init.sh
|
||||||
|
subPath: ssh-init.sh
|
||||||
|
readOnly: true
|
||||||
|
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
||||||
|
{{- end }}
|
||||||
|
containers:
|
||||||
|
- name: nova-compute
|
||||||
|
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
|
{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||||
|
- securityContext:
|
||||||
|
- privileged: true
|
||||||
|
env:
|
||||||
|
{{- if .Values.conf.ceph.enabled }}
|
||||||
|
- name: CEPH_CINDER_USER
|
||||||
|
@@ -431,8 +440,6 @@ spec:
|
||||||
|
{{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
|
{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_ssh" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||||
|
- securityContext:
|
||||||
|
- privileged: true
|
||||||
|
env:
|
||||||
|
- name: KEY_TYPES
|
||||||
|
value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.network.ssh.key_types | quote }}
|
||||||
|
@@ -455,6 +462,7 @@ spec:
|
||||||
|
subPath: ssh-start.sh
|
||||||
|
readOnly: true
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
|
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
||||||
|
{{ end }}
|
||||||
|
volumes:
|
||||||
|
- name: pod-tmp
|
||||||
|
diff --git a/nova/values.yaml b/nova/values.yaml
|
||||||
|
index cdb14575..72dd0d11 100644
|
||||||
|
--- a/nova/values.yaml
|
||||||
|
+++ b/nova/values.yaml
|
||||||
|
@@ -2155,8 +2155,10 @@ pod:
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
privileged: true
|
||||||
|
nova_compute_ssh:
|
||||||
|
- readOnlyRootFilesystem: true
|
||||||
|
privileged: true
|
||||||
|
+ runAsUser: 0
|
||||||
|
+ nova_compute_ssh_init:
|
||||||
|
+ runAsUser: 0
|
||||||
|
nova_api_metadata_init:
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
--
|
||||||
|
2.17.1
|
||||||
|
|
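Review bot: The new user resolution in _ssh-init.sh.tpl (`export NOVA_USERNAME=$(id -u ${NOVA_USER_UID} -n)` followed by `export NOVA_USER_HOME=$(eval echo ~${NOVA_USERNAME})`) aborts under `set -e` whenever NOVA_USER_UID has no passwd entry in the image, and the `eval` is avoidable; `NOVA_USERNAME=$(getent passwd "${NOVA_USER_UID}" | cut -d: -f1)` and `NOVA_USER_HOME=$(getent passwd "${NOVA_USER_UID}" | cut -d: -f6)` resolve both fields from the same record without eval and still fail loudly on an unknown UID. NOVA_USER_UID is populated from the pod-level `pod.security_context.nova.pod.runAsUser`, while the init container itself and nova_compute_ssh run as the container-level `runAsUser: 0` added in values.yaml; if those values ever diverge the keys land in a home directory the sshd container does not use, so a comment on that coupling in the daemonset env block (or deriving the UID from the nova_compute container override) seems warranted. The values.yaml hunk also drops `readOnlyRootFilesystem: true` from nova_compute_ssh with no justification in the patch description; that is a hardening regression for the container that listens on the migration port and deserves either a one-line `# why` comment or to be kept.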
@ -142,12 +142,13 @@ class NovaHelm(openstack.OpenstackBaseHelm):
|
|||||||
'hosts': self._get_per_host_overrides()
|
'hosts': self._get_per_host_overrides()
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
'ssh_private': ssh_privatekey,
|
|
||||||
'ssh_public': ssh_publickey,
|
|
||||||
},
|
},
|
||||||
'endpoints': self._get_endpoints_overrides(),
|
'endpoints': self._get_endpoints_overrides(),
|
||||||
'network': {
|
'network': {
|
||||||
'sshd': {
|
'ssh': {
|
||||||
|
'enabled': 'true',
|
||||||
|
'private_key': ssh_privatekey,
|
||||||
|
'public_key': ssh_publickey,
|
||||||
'from_subnet': self._get_ssh_subnet(),
|
'from_subnet': self._get_ssh_subnet(),
|
||||||
},
|
},
|
||||||
'novncproxy': {
|
'novncproxy': {
|
||||||
@ -160,6 +161,20 @@ class NovaHelm(openstack.OpenstackBaseHelm):
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# https://bugs.launchpad.net/starlingx/+bug/1956229
|
||||||
|
# The volume/volumeMount below are needed if we want to use the root user to ssh to the destiny host during a
|
||||||
|
# migration operation
|
||||||
|
overrides[common.HELM_NS_OPENSTACK]["pod"]["mounts"]["nova_compute"]["nova_compute"]["volumeMounts"].append({
|
||||||
|
"name": "userhome",
|
||||||
|
"mountPath": "/root",
|
||||||
|
})
|
||||||
|
overrides[common.HELM_NS_OPENSTACK]["pod"]["mounts"]["nova_compute"]["nova_compute"]["volumes"].append({
|
||||||
|
"name": "userhome",
|
||||||
|
"hostPath": {
|
||||||
|
"path": "/var/lib/nova-user-home"
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
if namespace in self.SUPPORTED_NAMESPACES:
|
if namespace in self.SUPPORTED_NAMESPACES:
|
||||||
return overrides[namespace]
|
return overrides[namespace]
|
||||||
elif namespace:
|
elif namespace:
|
||||||
|
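Review bot: `'enabled': 'true'` under network.ssh is a string, and the daemonset guards the ssh init container with `{{- if .Values.network.ssh.enabled }}`, where any non-empty string — including `'false'` — is truthy; the manifest in this same commit uses a boolean `enabled: true`, so the override should be `'enabled': True` to stay consistent and remain disable-able. The `userhome` hostPath carries no `type`, so the kubelet silently creates `/var/lib/nova-user-home` (root-owned) on every compute host and the ssh-init script then copies the shared migration private key into it; declaring `"type": "DirectoryOrCreate"` makes that explicit, and the comment above the appends should state the exposure, e.g. `# NOTE: patch 0011 splices these mounts into every nova-compute init container and nova-compute-ssh as well; the ssh private key ends up on the host under this path`. The chained `.append` calls presume `pod.mounts.nova_compute.nova_compute.volumeMounts` and `.volumes` already exist in `overrides`; they are built before this hunk, outside the visible lines, and a missing list would raise KeyError rather than a clear error. The enclosing method starts before this hunk.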
@ -1220,12 +1220,10 @@ data:
|
|||||||
- key: openstack-compute-node
|
- key: openstack-compute-node
|
||||||
operator: Exists
|
operator: Exists
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
user:
|
|
||||||
nova:
|
|
||||||
uid: 0
|
|
||||||
security_context:
|
security_context:
|
||||||
nova:
|
nova:
|
||||||
pod:
|
pod:
|
||||||
|
# https://bugs.launchpad.net/starlingx/+bug/1956229
|
||||||
runAsUser: 0
|
runAsUser: 0
|
||||||
probes:
|
probes:
|
||||||
readiness:
|
readiness:
|
||||||
@ -1349,8 +1347,13 @@ data:
|
|||||||
enable_numa_live_migration: true
|
enable_numa_live_migration: true
|
||||||
hypervisor:
|
hypervisor:
|
||||||
address_search_enabled: false
|
address_search_enabled: false
|
||||||
|
ssh: |
|
||||||
|
Host *
|
||||||
|
StrictHostKeyChecking no
|
||||||
|
UserKnownHostsFile /dev/null
|
||||||
|
Port {{ .Values.network.ssh.port }}
|
||||||
network:
|
network:
|
||||||
sshd:
|
ssh:
|
||||||
enabled: true
|
enabled: true
|
||||||
console:
|
console:
|
||||||
address_search_enabled: false
|
address_search_enabled: false
|
||||||
|
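Review bot: The new `conf.ssh` block turns off host-key verification (`StrictHostKeyChecking no`, `UserKnownHostsFile /dev/null`) for the compute-to-compute ssh channel used by live migration, which carries guest memory, and the same directives are already written into `~/.ssh/config` by the ssh-init script, so this is a second copy of the same policy with no note on the trade-off. The only compensating control visible in this commit is `from_subnet` in the Python overrides, so at minimum add `# NOTE: host-key verification is disabled for migration ssh; peers are restricted only by network.ssh.from_subnet` above the block, and consider distributing a known_hosts file alongside the shared keypair so the check can be re-enabled. Dropping `user.nova.uid: 0` while keeping `runAsUser: 0` looks consistent with patch 0011, which now reads the UID from the security context rather than `user.nova`.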