diff --git a/PendingReleaseNotes.md b/PendingReleaseNotes.md
index 105bf54b7f1e9..546f4d39bf859 100644
--- a/PendingReleaseNotes.md
+++ b/PendingReleaseNotes.md
@@ -8,14 +8,6 @@ v1.8...
 
 ## Breaking Changes
 
-### Ceph
-
 ## Features
 
-### Core
-
-### Ceph
-
-### Cassandra
-
-### NFS
+- The Rook Operator and the toolbox now run under the "rook" user and does not use "root" anymore.
diff --git a/cluster/charts/rook-ceph/templates/deployment.yaml b/cluster/charts/rook-ceph/templates/deployment.yaml
index 7efb599ebe433..0a4738b3a1082 100644
--- a/cluster/charts/rook-ceph/templates/deployment.yaml
+++ b/cluster/charts/rook-ceph/templates/deployment.yaml
@@ -26,6 +26,9 @@ spec:
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 args: ["ceph", "operator"]
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 2016
 volumeMounts:
 - mountPath: /var/lib/rook
 name: rook-config
diff --git a/cluster/examples/kubernetes/ceph/operator-openshift.yaml b/cluster/examples/kubernetes/ceph/operator-openshift.yaml
index c4ad20e4dd938..0a716d91d948c 100644
--- a/cluster/examples/kubernetes/ceph/operator-openshift.yaml
+++ b/cluster/examples/kubernetes/ceph/operator-openshift.yaml
@@ -434,6 +434,9 @@ spec:
 - name: rook-ceph-operator
 image: rook/ceph:master
 args: ["ceph", "operator"]
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 2016
 volumeMounts:
 - mountPath: /var/lib/rook
 name: rook-config
diff --git a/cluster/examples/kubernetes/ceph/operator.yaml b/cluster/examples/kubernetes/ceph/operator.yaml
index 0a3d70594898f..01a264c9513a7 100644
--- a/cluster/examples/kubernetes/ceph/operator.yaml
+++ b/cluster/examples/kubernetes/ceph/operator.yaml
@@ -354,6 +354,9 @@ spec:
 - name: rook-ceph-operator
 image: rook/ceph:master
 args: ["ceph", "operator"]
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 2016
 volumeMounts:
 - mountPath: /var/lib/rook
 name: rook-config
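Review bot: `runAsUser: 2016` is added to the operator container in deployment.yaml, operator-openshift.yaml and operator.yaml, but the `rook-config` volume mounted at `/var/lib/rook` is defined outside these hunks; if it is a hostPath rather than an emptyDir, the `chown` done in the image does not apply to the mount and the operator cannot write there as UID 2016 — verify the volume type and, if needed, add `fsGroup: 2016` to the pod-level securityContext or document the required host permissions. For the OpenShift manifest, a fixed `runAsUser` is only admitted if the SCC bound to the operator's service account permits that UID, which is not visible in this hunk. Because the operator still escalates through `sudo` for modprobe (see kmod.go and the Dockerfile in this commit), `allowPrivilegeEscalation: false` must not be added next to these lines; a comment such as `# sudo is used for modprobe; allowPrivilegeEscalation must stay enabled` above `securityContext:` would keep a later hardening pass from breaking module loading.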
diff --git a/cluster/examples/kubernetes/ceph/toolbox.yaml b/cluster/examples/kubernetes/ceph/toolbox.yaml
index 28edc958b4bf7..190982e1aa13f 100644
--- a/cluster/examples/kubernetes/ceph/toolbox.yaml
+++ b/cluster/examples/kubernetes/ceph/toolbox.yaml
@@ -22,6 +22,9 @@ spec:
 command: ["/tini"]
 args: ["-g", "--", "/usr/local/bin/toolbox.sh"]
 imagePullPolicy: IfNotPresent
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 2016
 env:
 - name: ROOK_CEPH_USERNAME
 valueFrom:
diff --git a/images/ceph/Dockerfile b/images/ceph/Dockerfile
index 53f26151d863f..034fc81c6e501 100644
--- a/images/ceph/Dockerfile
+++ b/images/ceph/Dockerfile
@@ -26,5 +26,11 @@ COPY rook rookflex toolbox.sh set-ceph-debug-level /usr/local/bin/
 COPY ceph-monitoring /etc/ceph-monitoring
 COPY rook-external /etc/rook-external/
 COPY ceph-csv-templates /etc/ceph-csv-templates
+RUN useradd rook -u 2016 # 2016 is the UID of the rook user and also the year of the first commit in the project
+RUN mkdir -p /var/lib/rook /etc/webhook
+RUN chown rook:rook /var/lib/rook /etc/webhook
+# TODO: remove me once flex is removed
+RUN echo "rook ALL=(ALL) NOPASSWD: /usr/sbin/modinfo,/usr/sbin/modprobe" | sudo tee /etc/sudoers.d/rook
+USER 2016
 ENTRYPOINT ["/tini", "--", "/usr/local/bin/rook"]
 CMD [""]
diff --git a/pkg/daemon/ceph/agent/flexvolume/manager/ceph/manager_test.go b/pkg/daemon/ceph/agent/flexvolume/manager/ceph/manager_test.go
index 34f297c8f7701..4f0727cf61232 100644
--- a/pkg/daemon/ceph/agent/flexvolume/manager/ceph/manager_test.go
+++ b/pkg/daemon/ceph/agent/flexvolume/manager/ceph/manager_test.go
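Review bot: The toolbox now runs as UID 2016, but `/usr/local/bin/toolbox.sh` (named on the `args:` line above and not part of this diff) is the script that prepares the Ceph client configuration for the container, and the Dockerfile hunk in this commit only chowns `/var/lib/rook` and `/etc/webhook`. If the script writes under `/etc/ceph` (which stays root-owned in the image), the toolbox will fail at startup once it is no longer root; verify where the script writes and either chown that path in the Dockerfile or point the script at a directory owned by UID 2016. A one-line comment above `securityContext:` such as `# toolbox.sh must only write to paths owned by UID 2016 (see images/ceph/Dockerfile)` would make the dependency explicit.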
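Review bot: The sudoers drop-in written by `sudo tee /etc/sudoers.d/rook` is left with the build's default umask and is never validated; sudo expects drop-ins to be root-owned, not group- or world-writable, and conventionally mode 0440, so follow it with `RUN chmod 0440 /etc/sudoers.d/rook && visudo -cf /etc/sudoers.d/rook` so a malformed or mis-permissioned file fails the build instead of failing at runtime. The rule also grants `rook` unrestricted arguments to `modprobe`, which is close to the root privilege the commit is removing; sudoers supports argument matching, so consider restricting the entry to the module names the operator actually loads, in addition to the existing `# TODO` to drop it when flex goes away. The rule pins `/usr/sbin/modinfo` and `/usr/sbin/modprobe` while kmod.go invokes them by bare name, so if the base image resolves `modprobe` to `/sbin/modprobe` (no merged /usr) the entry will not match and every module load fails — pin absolute paths on the Go side or confirm the base image's layout. `sudo tee` is redundant here because the RUN step is still executed as root at that point.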
@@ -53,15 +53,16 @@ func TestInitLoadRBDModSingleMajor(t *testing.T) {
 
 executor := &exectest.MockExecutor{
 MockExecuteCommandWithOutput: func(command string, args ...string) (string, error) {
- assert.Equal(t, "modinfo", command)
- assert.Equal(t, "rbd", args[2])
+ assert.Equal(t, "sudo", command)
+ assert.Equal(t, "rbd", args[3])
 modInfoCalled = true
 return "single_major:Use a single major number for all rbd devices (default: false) (bool)", nil
 },
 MockExecuteCommand: func(command string, args ...string) error {
- assert.Equal(t, "modprobe", command)
- assert.Equal(t, "rbd", args[0])
- assert.Equal(t, "single_major=Y", args[1])
+ assert.Equal(t, "sudo", command)
+ assert.Equal(t, "modprobe", args[0])
+ assert.Equal(t, "rbd", args[1])
+ assert.Equal(t, "single_major=Y", args[2])
 modprobeCalled = true
 return nil
 },
@@ -82,15 +83,17 @@ func TestInitLoadRBDModNoSingleMajor(t *testing.T) {
 
 executor := &exectest.MockExecutor{
 MockExecuteCommandWithOutput: func(command string, args ...string) (string, error) {
- assert.Equal(t, "modinfo", command)
- assert.Equal(t, "rbd", args[2])
+ assert.Equal(t, "sudo", command)
+ assert.Equal(t, "modinfo", args[0])
+ assert.Equal(t, "rbd", args[3])
 modInfoCalled = true
 return "", nil
 },
 MockExecuteCommand: func(command string, args ...string) error {
- assert.Equal(t, "modprobe", command)
- assert.Equal(t, 1, len(args))
- assert.Equal(t, "rbd", args[0])
+ assert.Equal(t, "sudo", command)
+ assert.Equal(t, 2, len(args))
+ assert.Equal(t, "modprobe", args[0])
+ assert.Equal(t, "rbd", args[1])
 modprobeCalled = true
 return nil
 },
diff --git a/pkg/util/sys/kmod.go b/pkg/util/sys/kmod.go
index 7acd72b1a6d7b..06e540895e84c 100644
--- a/pkg/util/sys/kmod.go
+++ b/pkg/util/sys/kmod.go
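Review bot: In TestInitLoadRBDModSingleMajor the MockExecuteCommandWithOutput mock now checks only `command == "sudo"` and `args[3] == "rbd"`, so it no longer pins which program sudo wraps, whereas the second hunk (TestInitLoadRBDModNoSingleMajor) adds `assert.Equal(t, "modinfo", args[0])`; add the same line to the first test so a regression that wraps a different program is caught. Indexing `args[3]` directly panics rather than failing the test if fewer arguments arrive; an `assert.Len(t, args, 4)` before it, mirroring the `len(args)` check already done in the modprobe mock, keeps the failure readable. Both test functions begin before their hunks.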
@@ -56,9 +56,9 @@ func LoadKernelModule(name string, options []string, executor pkgexec.Executor)
 options = []string{}
 }
 
- args := append([]string{name}, options...)
+ args := append([]string{"modprobe", name}, options...)
 
- if err := executor.ExecuteCommand("modprobe", args[:]...); err != nil {
+ if err := executor.ExecuteCommand("sudo", args[:]...); err != nil {
 return fmt.Errorf("failed to load kernel module %s: %+v", name, err)
 }
 
@@ -66,7 +66,7 @@ func LoadKernelModule(name string, options []string, executor pkgexec.Executor)
 }
 
 func CheckKernelModuleParam(name, param string, executor pkgexec.Executor) (bool, error) {
- out, err := executor.ExecuteCommandWithOutput("modinfo", "-F", "parm", name)
+ out, err := executor.ExecuteCommandWithOutput("sudo", "modinfo", "-F", "parm", name)
 if err != nil {
 return false, fmt.Errorf("failed to check for %s module %s param: %+v", name, param, err)
 }
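Review bot: `modinfo -F parm` only reads module metadata under the kernel's module directory and on a typical system needs no privilege, so the second hunk (CheckKernelModuleParam) can keep calling `modinfo` directly instead of `sudo modinfo`, which in turn lets the sudoers entry in the Dockerfile drop `modinfo` and shrink the root-reachable surface. In LoadKernelModule, `args[:]...` is simply `args...`, and since the caller-supplied `options` are now forwarded to a root-level `modprobe`, a comment at the `ExecuteCommand("sudo", ...)` call such as `// the image runs as UID 2016; modprobe is allowed through /etc/sudoers.d/rook (see images/ceph/Dockerfile)` would record why sudo is hard-coded and where the grant lives. If this helper is also expected to run outside the image (the flex agent, presumably), that should be stated in the function doc, because the bare `sudo` now fails wherever sudo is absent or not configured. LoadKernelModule starts before the first hunk and CheckKernelModuleParam continues past the second.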