ceph: run operator with rook user

The rook operator as well as the toolbox pod run with the "rook" user with UID 2016. The UID was chosen based on the year of the initial commit in the rook/rook repository. No more root user running. Closes: #8734 Signed-off-by: Sébastien Han <seb@redhat.com>
rook · Sep 22, 2021 · 433ff0e · 433ff0e
1 parent e8d540c
commit 433ff0e
Show file tree

Hide file tree

Showing 8 changed files with 35 additions and 22 deletions.
diff --git a/PendingReleaseNotes.md b/PendingReleaseNotes.md
@@ -8,14 +8,6 @@ v1.8...
 
 ## Breaking Changes
 
-### Ceph
-
 ## Features
 
-### Core
-
-### Ceph
-
-### Cassandra
-
-### NFS
+- The Rook Operator and the toolbox now run under the "rook" user and does not use "root" anymore.
diff --git a/cluster/charts/rook-ceph/templates/deployment.yaml b/cluster/charts/rook-ceph/templates/deployment.yaml
@@ -26,6 +26,9 @@ spec:
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         args: ["ceph", "operator"]
+        securityContext:
+          runAsNonRoot: true
+          runAsUser: 2016
         volumeMounts:
         - mountPath: /var/lib/rook
           name: rook-config

diff --git a/cluster/examples/kubernetes/ceph/operator-openshift.yaml b/cluster/examples/kubernetes/ceph/operator-openshift.yaml
@@ -434,6 +434,9 @@ spec:
         - name: rook-ceph-operator
           image: rook/ceph:master
           args: ["ceph", "operator"]
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 2016
           volumeMounts:
             - mountPath: /var/lib/rook
               name: rook-config

diff --git a/cluster/examples/kubernetes/ceph/operator.yaml b/cluster/examples/kubernetes/ceph/operator.yaml
@@ -354,6 +354,9 @@ spec:
         - name: rook-ceph-operator
           image: rook/ceph:master
           args: ["ceph", "operator"]
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 2016
           volumeMounts:
             - mountPath: /var/lib/rook
               name: rook-config

diff --git a/cluster/examples/kubernetes/ceph/toolbox.yaml b/cluster/examples/kubernetes/ceph/toolbox.yaml
@@ -22,6 +22,9 @@ spec:
           command: ["/tini"]
           args: ["-g", "--", "/usr/local/bin/toolbox.sh"]
           imagePullPolicy: IfNotPresent
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 2016
           env:
             - name: ROOK_CEPH_USERNAME
               valueFrom:

diff --git a/images/ceph/Dockerfile b/images/ceph/Dockerfile
@@ -26,5 +26,11 @@ COPY rook rookflex toolbox.sh set-ceph-debug-level /usr/local/bin/
 COPY ceph-monitoring /etc/ceph-monitoring
 COPY rook-external /etc/rook-external/
 COPY ceph-csv-templates /etc/ceph-csv-templates
+RUN useradd rook -u 2016 # 2016 is the UID of the rook user and also the year of the first commit in the project
+RUN mkdir -p /var/lib/rook /etc/webhook
+RUN chown rook:rook /var/lib/rook /etc/webhook
+# TODO: remove me once flex is removed
+RUN echo "rook  ALL=(ALL) NOPASSWD: /usr/sbin/modinfo,/usr/sbin/modprobe" | sudo tee /etc/sudoers.d/rook
+USER 2016
 ENTRYPOINT ["/tini", "--", "/usr/local/bin/rook"]
 CMD [""]
diff --git a/pkg/daemon/ceph/agent/flexvolume/manager/ceph/manager_test.go b/pkg/daemon/ceph/agent/flexvolume/manager/ceph/manager_test.go
@@ -53,15 +53,16 @@ func TestInitLoadRBDModSingleMajor(t *testing.T) {
 
 	executor := &exectest.MockExecutor{
 		MockExecuteCommandWithOutput: func(command string, args ...string) (string, error) {
-			assert.Equal(t, "modinfo", command)
-			assert.Equal(t, "rbd", args[2])
+			assert.Equal(t, "sudo", command)
+			assert.Equal(t, "rbd", args[3])
 			modInfoCalled = true
 			return "single_major:Use a single major number for all rbd devices (default: false) (bool)", nil
 		},
 		MockExecuteCommand: func(command string, args ...string) error {
-			assert.Equal(t, "modprobe", command)
-			assert.Equal(t, "rbd", args[0])
-			assert.Equal(t, "single_major=Y", args[1])
+			assert.Equal(t, "sudo", command)
+			assert.Equal(t, "modprobe", args[0])
+			assert.Equal(t, "rbd", args[1])
+			assert.Equal(t, "single_major=Y", args[2])
 			modprobeCalled = true
 			return nil
 		},
@@ -82,15 +83,17 @@ func TestInitLoadRBDModNoSingleMajor(t *testing.T) {
 
 	executor := &exectest.MockExecutor{
 		MockExecuteCommandWithOutput: func(command string, args ...string) (string, error) {
-			assert.Equal(t, "modinfo", command)
-			assert.Equal(t, "rbd", args[2])
+			assert.Equal(t, "sudo", command)
+			assert.Equal(t, "modinfo", args[0])
+			assert.Equal(t, "rbd", args[3])
 			modInfoCalled = true
 			return "", nil
 		},
 		MockExecuteCommand: func(command string, args ...string) error {
-			assert.Equal(t, "modprobe", command)
-			assert.Equal(t, 1, len(args))
-			assert.Equal(t, "rbd", args[0])
+			assert.Equal(t, "sudo", command)
+			assert.Equal(t, 2, len(args))
+			assert.Equal(t, "modprobe", args[0])
+			assert.Equal(t, "rbd", args[1])
 			modprobeCalled = true
 			return nil
 		},

diff --git a/pkg/util/sys/kmod.go b/pkg/util/sys/kmod.go
@@ -56,17 +56,17 @@ func LoadKernelModule(name string, options []string, executor pkgexec.Executor)
 		options = []string{}
 	}
 
-	args := append([]string{name}, options...)
+	args := append([]string{"modprobe", name}, options...)
 
-	if err := executor.ExecuteCommand("modprobe", args[:]...); err != nil {
+	if err := executor.ExecuteCommand("sudo", args[:]...); err != nil {
 		return fmt.Errorf("failed to load kernel module %s: %+v", name, err)
 	}
 
 	return nil
 }
 
 func CheckKernelModuleParam(name, param string, executor pkgexec.Executor) (bool, error) {
-	out, err := executor.ExecuteCommandWithOutput("modinfo", "-F", "parm", name)
+	out, err := executor.ExecuteCommandWithOutput("sudo", "modinfo", "-F", "parm", name)
 	if err != nil {
 		return false, fmt.Errorf("failed to check for %s module %s param: %+v", name, param, err)
 	}