make ironic-image runnable as non-root #410
Conversation
metal3-io-bot
added
do-not-merge/work-in-progress
tuminoid
force-pushed
the
tuomo/ironic-nonroot
branch
from
3e4d95d
to
80ea8b5
Compare
|
/test-ubuntu-integration-main To get any benefit from this change, the BMO PR need to be applied, but as standalone, this should be non-invasive and should pass testing. So let's run it for smoke test. |
|
Yeah, it passes smoke, nice. Now to figure out the TODOs and how to test in CI. |
|
/cc @elfosardo @dtantsur This is still WIP, but I'd appreciate early comments. |
tuminoid
force-pushed
the
tuomo/ironic-nonroot
branch
from
80ea8b5
to
8550d9f
Compare
Testing thes two together: metal3-io/ironic-image#410 metal3-io/baremetal-operator#1231
tuminoid
force-pushed
the
tuomo/ironic-nonroot
branch
from
8550d9f
to
0f6fe31
Compare
|
@tuminoid thanks, two things for now:
|
The things I’ve changed in/to Dockerfile are there because they need root privileges, and during build we are root. When were running the container, we are nonroot and cannot do any of them. |
@tuminoid we run scripts in the Dockerfile to avoid that being too long and create too many layers |
Testing thes two together: metal3-io/ironic-image#410 metal3-io/baremetal-operator#1231
|
OK, now I got you. Sure, this is just POC at this point, I'll put all the non-root related configuration to single script when I'm done with the FIXME's and TODO's. |
|
/test-centos-integration-main |
Testing thes two together: metal3-io/ironic-image#410 metal3-io/baremetal-operator#1231
Testing thes two together: metal3-io/ironic-image#410 metal3-io/baremetal-operator#1231
|
/test-centos-integration-main Combined tests are running at metal3-io/metal3-dev-env#1172 but this should pass standalone as well. |
tuminoid
force-pushed
the
tuomo/ironic-nonroot
branch
3 times, most recently
from
b84bc57
to
b2ae2fb
Compare
|
Tuomo, this is a great idea, but I wonder if it would be easier to exclude dnsmasq initially. It's pretty natural for it to run as root. /cc @zaneb Zane, I know you were interested in such a thing. |
tuminoid
force-pushed
the
tuomo/ironic-nonroot
branch
from
620bb96
to
36dad41
Compare
|
/test-ubuntu-integration-main-ironic-source |
tuminoid
force-pushed
the
tuomo/ironic-nonroot
branch
from
36dad41
to
41eb9df
Compare
BMO ironic has no reason to run as root. Make it run as "ironic" user. dnsmasq requires elevated capabiities. k8s is missing the feature of ambient capabilities, so it requires us to setcap the binaries with expected capabilities and container must be running with "allowPrivilegeEscalation: true" in the manifest to allow elevation. Read the ambient capabilities KEP for more details: https://github.com/kubernetes/enhancements/blob/master/keps/sig-security/2763-ambient-capabilities/README.md Add securityContext to BMO deployment manifest and keepalived component, with correct UIDs and GIDs. This is important to be able to share files via /shared. Modify keepalived image to run as ironic user, which we use the same UID and GID as the ironic-image. This commit requires ironic-image with PR metal3-io/ironic-image#410 to be merged to work.
OK, I made the users/groups match the rpm install image. I also changed inspector related files to inspector, and on the BMO side made the inspector container run as inspector. /test-ubuntu-integration-main-ironic-source |
Do not merge this. Testing thes two together: metal3-io/ironic-image#410 metal3-io/baremetal-operator#1231
tuminoid
force-pushed
the
tuomo/ironic-nonroot
branch
from
41eb9df
to
f05efa0
Compare
|
@tuminoid thanks! |
I found out that they're the regular job names plus /test-ubuntu-integration-main-ironic-source |
Do not merge this. Testing thes two together: metal3-io/ironic-image#410 metal3-io/baremetal-operator#1231
this is correct, even though you run ^ , jenkins would not show it with that name in the list of running jobs, rather with usual name |
BMO ironic has no reason to run as root. Make it run as "ironic" user. dnsmasq requires elevated capabiities. k8s is missing the feature of ambient capabilities, so it requires us to setcap the binaries with expected capabilities and container must be running with "allowPrivilegeEscalation: true" in the manifest to allow elevation. Read the ambient capabilities KEP for more details: https://github.com/kubernetes/enhancements/blob/master/keps/sig-security/2763-ambient-capabilities/README.md Most of the changed here are making runtime configuration possible by changing file and directory ownership from root:root to root:ironic and applying 775/664 perms to allow modification/creation of files.
tuminoid
force-pushed
the
tuomo/ironic-nonroot
branch
from
f05efa0
to
97d3d76
Compare
|
/test-ubuntu-integration-main-ironic-source |
|
OK, tests are passing here as well as metal3-io/metal3-dev-env#1172, and all the comments are addressed. Can I get LGTM and approval? @zaneb @dtantsur @elfosardo |
|
/lgtm |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: elfosardo The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
metal3-io-bot
added
the
approved
BMO ironic has no reason to run as root. Make it run as "ironic" user. dnsmasq requires elevated capabiities. k8s is missing the feature of ambient capabilities, so it requires us to setcap the binaries with expected capabilities and container must be running with "allowPrivilegeEscalation: true" in the manifest to allow elevation. Read the ambient capabilities KEP for more details: https://github.com/kubernetes/enhancements/blob/master/keps/sig-security/2763-ambient-capabilities/README.md Add securityContext to BMO deployment manifest and keepalived component, with correct UIDs and GIDs. This is important to be able to share files via /shared. Modify keepalived image to run as ironic user, which we use the same UID and GID as the ironic-image. This commit requires ironic-image with PR metal3-io/ironic-image#410 to be merged to work.
Do not merge this. Testing thes two together: metal3-io/ironic-image#410 metal3-io/baremetal-operator#1231
BMO ironic has no reason to run as root. Make it run as "ironic" user. dnsmasq requires elevated capabiities. k8s is missing the feature of ambient capabilities, so it requires us to setcap the binaries with expected capabilities and container must be running with "allowPrivilegeEscalation: true" in the manifest to allow elevation. Read the ambient capabilities KEP for more details: https://github.com/kubernetes/enhancements/blob/master/keps/sig-security/2763-ambient-capabilities/README.md Add securityContext to BMO deployment manifest and keepalived component, with correct UIDs and GIDs. This is important to be able to share files via /shared. Modify keepalived image to run as ironic user, which we use the same UID and GID as the ironic-image. This commit requires ironic-image with PR metal3-io/ironic-image#410 to be merged to work. This v2 of the PR fixes issues identified after merging 1st PR: - mariadb was missing securityContext and failed to run - keepalived changes were not backwards compatible, and due using only single tag for all versions, new image broke all release branches
BMO ironic has no reason to run as root. Make it run as "ironic" user. dnsmasq requires elevated capabiities. k8s is missing the feature of ambient capabilities, so it requires us to setcap the binaries with expected capabilities and container must be running with "allowPrivilegeEscalation: true" in the manifest to allow elevation. Read the ambient capabilities KEP for more details: https://github.com/kubernetes/enhancements/blob/master/keps/sig-security/2763-ambient-capabilities/README.md Add securityContext to BMO deployment manifest and keepalived component, with correct UIDs and GIDs. This is important to be able to share files via /shared. Modify keepalived image to run as ironic user, which we use the same UID and GID as the ironic-image. This commit requires ironic-image with PR metal3-io/ironic-image#410 to be merged to work. This v2 of the PR fixes issues identified after merging 1st PR: - mariadb was missing securityContext and failed to run - keepalived changes were not backwards compatible, and due using only single tag for all versions, new image broke all release branches
BMO ironic has no reason to run as root. Make it run as "ironic" user. dnsmasq requires elevated capabiities. k8s is missing the feature of ambient capabilities, so it requires us to setcap the binaries with expected capabilities and container must be running with "allowPrivilegeEscalation: true" in the manifest to allow elevation. Read the ambient capabilities KEP for more details: https://github.com/kubernetes/enhancements/blob/master/keps/sig-security/2763-ambient-capabilities/README.md Add securityContext to BMO deployment manifest and keepalived component, with correct UIDs and GIDs. This is important to be able to share files via /shared. Modify keepalived image to run as ironic user, which we use the same UID and GID as the ironic-image. This commit requires ironic-image with PR metal3-io/ironic-image#410 to be merged to work.
BMO ironic has no reason to run as root. Make it run as "ironic" user. dnsmasq requires elevated capabiities. k8s is missing the feature of ambient capabilities, so it requires us to setcap the binaries with expected capabilities and container must be running with "allowPrivilegeEscalation: true" in the manifest to allow elevation. Read the ambient capabilities KEP for more details: https://github.com/kubernetes/enhancements/blob/master/keps/sig-security/2763-ambient-capabilities/README.md Add securityContext to BMO deployment manifest and keepalived component, with correct UIDs and GIDs. This is important to be able to share files via /shared. Modify keepalived image to run as ironic user, which we use the same UID and GID as the ironic-image. This commit requires ironic-image with PR metal3-io/ironic-image#410 to be merged to work. This v2 of the PR fixes issues identified after merging 1st PR: - mariadb was missing securityContext and failed to run - keepalived changes were not backwards compatible, and due using only single tag for all versions, new image broke all release branches
BMO ironic has no reason to run as root. Make it run as "ironic" user.
dnsmasq requires elevated capabiities. k8s is missing the feature of ambient capabilities, so it requires us to setcap the binaries with expected capabilities and container must be running with "allowPrivilegeEscalation: true" in the manifest to allow elevation.
Read the ambient capabilities KEP for more details: https://github.com/kubernetes/enhancements/blob/master/keps/sig-security/2763-ambient-capabilities/README.md
Most of the changed here are making runtime configuration possible by changing file and directory ownership from root:root to root:ironic and applying 775/664 perms to allow modification/creation of files.