run chaos-daemon in privileged by default #1453

Merged
merged 5 commits into from
Jan 28, 2021

Member

@cwen0 cwen0 commented Jan 26, 2021

Signed-off-by: cwen0 cwenyin0@gmail.com

What problem does this PR solve?

What is changed and how does it work?

Add a field to control privileged mode and run chaos-daemon in privileged by default.

Checklist

Tests

  • Unit test
  • E2E test
  • Manual test (add detailed scripts or steps below)
  • No code

Side effects

  • Breaking backward compatibility

Related changes

  • Need to update the documentation

Does this PR introduce a user-facing change?

NONE

Signed-off-by: cwen0 <cwenyin0@gmail.com>
@codecov-io
codecov-io commented Jan 26, 2021

Codecov Report

Merging #1453 (510e5f6) into master (7e9ff3f) will decrease coverage by 3.77%.
The diff coverage is 59.62%.

@@            Coverage Diff             @@
##           master    #1453      +/-   ##
==========================================
- Coverage   55.78%   52.00%   -3.78%     
==========================================
  Files          68       80      +12     
  Lines        4383     5107     +724     
==========================================
+ Hits         2445     2656     +211     
- Misses       1768     2183     +415     
- Partials      170      268      +98     
Impacted Files Coverage Δ
api/v1alpha1/common_types.go 0.00% <0.00%> (ø)
api/v1alpha1/common_webhook.go 100.00% <ø> (ø)
api/v1alpha1/dnschaos_type.go 0.00% <0.00%> (ø)
api/v1alpha1/dnschaos_webhook.go 0.00% <0.00%> (ø)
api/v1alpha1/httpchaos_types.go 0.00% <0.00%> (ø)
api/v1alpha1/iochaos_types.go 0.00% <ø> (-40.00%) ⬇️
api/v1alpha1/jvmchaos_webhook.go 0.00% <0.00%> (ø)
api/v1alpha1/kernelchaos_types.go 0.00% <ø> (-20.00%) ⬇️
api/v1alpha1/kernelchaos_webhook.go 100.00% <ø> (+14.81%) ⬆️
api/v1alpha1/kinds.go 27.27% <ø> (+0.60%) ⬆️
... and 130 more

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 8220452...510e5f6. Read the comment docs.

@@ -64,6 +64,9 @@ spec:
value: {{ .Values.timezone | default "UTC" }}
{{- end }}
securityContext:
{{- if .Values.chaosDaemon.privileged }}
privileged: true
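
Review bot: the new `chaosDaemon.privileged` value read at `{{- if .Values.chaosDaemon.privileged }}` needs a documented entry alongside the chart's other values, including what stops working when it is set to false. `privileged: true` lifts the capability restrictions on this container, so operators whose admission policy rejects privileged pods need a clearly described opt-out, and the PR description's "Need to update the documentation" item should cover it.
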
Member

Please remove 2 spaces here.
I think privileged: true should keep the same indent level as capabilities.

Member Author

Fixed

Signed-off-by: cwen0 <cwenyin0@gmail.com>
@cwen0 cwen0 requested a review from STRRL January 27, 2021 05:32
STRRL
STRRL previously approved these changes Jan 27, 2021
Member

@STRRL STRRL left a comment

LGTM

@@ -64,6 +64,9 @@ spec:
value: {{ .Values.timezone | default "UTC" }}
{{- end }}
securityContext:
{{- if .Values.chaosDaemon.privileged }}
privileged: true
{{- else }}
capabilities:
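
Review bot: at the `{{- if .Values.chaosDaemon.privileged }}` / `{{- else }}` pair, an unset value evaluates as false, so the "privileged by default" behaviour holds only when the chart's default values supply the key. An upgrade that reuses a previous release's values (for example `helm upgrade --reuse-values`) can leave the new key unset and render the `capabilities:` branch instead. Suggest noting this in the upgrade documentation and adding a template comment that marks the `{{- else }}` branch as the non-privileged fallback.
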
Contributor

Do we need to remove these capabilities when privileged is true?

Member Author

SYS_PTRACE must be kept and others can be removed.

Member Author

Other capabilities are unnecessary when privileged is true, except SYS_PTRACE. I think we can delete them to make the code cleaner.

Signed-off-by: cwen0 <cwenyin0@gmail.com>
Signed-off-by: cwen0 <cwenyin0@gmail.com>
Contributor

@WangXiangUSTC WangXiangUSTC left a comment

LGTM

@WangXiangUSTC
Contributor

/merge

@ti-srebot
Contributor

Your auto merge job has been accepted, waiting for:

  • 1330

@ti-srebot
Contributor

/run-all-tests

@WangXiangUSTC WangXiangUSTC merged commit e7db1ee into chaos-mesh:master Jan 28, 2021
@cwen0 cwen0 deleted the set_privilege branch January 28, 2021 03:36