security: Run the crash collector as ceph user

[travisn]

Description of your changes:
The crash collector does not have the command line arguments to run as ceph user id 167, so we set the security context to run as the ceph user in the main crash collector container.

Checklist:

• Commit Message Formatting: Commit titles and messages follow guidelines in the developer guide).
• Skip Tests for Docs: If this is only a documentation change, add the label skip-ci on the PR.
• Reviewed the developer guide on Submitting a Pull Request
• Pending release notes updated with breaking and/or notable changes for the next minor release.
• Documentation has been updated, if necessary.
• Unit tests have been added, if necessary.
• Integration tests have been added, if necessary.

[leseb]

Ideally, this is something the Ceph image would fix as well in its DockerFile, but that approach LGTM. Also, all the container specs could potentially use this as a default and we could stop using "run-as" flags altogether. Something to keep in mind for a future refactor maybe.
Last question, is this fixing a bug, or is it "just" to run non-root? Final point, I think the log rotate sidecar as the same problem.

[leseb]

nit: IIRC there is a constant somewhere like CephUserID.

[travisn]

After a quick search I didn't find one, but I'll look again, thanks

[travisn]

Couldn't find it, so defined one

[lerminou]

Ideally, this is something the Ceph image would fix as well in its DockerFile,

Yes there is a security issue in their backlog for this, I sent an email yesterday to Travis to mitigate the CVE directly in Rook
I don't know if there is some logic in Ceph behind this, it seems "they suffers some delays in handling the issue"

Last question, is this fixing a bug, or is it "just" to run non-root?

yes a CVE was discovered recently in Ceph, I don't know if I can link it here ?

[travisn]

Ideally, this is something the Ceph image would fix as well in its DockerFile, but that approach LGTM. Also, all the container specs could potentially use this as a default and we could stop using "run-as" flags altogether. Something to keep in mind for a future refactor maybe.

I was thinking about removing the run-as flags and using the security context like this in a separate PR. It does seem like a better approach if we can just use the K8s context and no need for the ceph flags.

Last question, is this fixing a bug, or is it "just" to run non-root? Final point, I think the log rotate sidecar as the same problem.

Thanks, I'll look at the log rotate sidecar too.

[travisn]

After a quick search I didn't find one, but I'll look again, thanks

[leseb]

Ideally, this is something the Ceph image would fix as well in its DockerFile, but that approach LGTM. Also, all the container specs could potentially use this as a default and we could stop using "run-as" flags altogether. Something to keep in mind for a future refactor maybe.

I was thinking about removing the run-as flags and using the security context like this in a separate PR. It does seem like a better approach if we can just use the K8s context and no need for the ceph flags.

After thoughts, this won't be super trivial though, I had an attempt here #9175 but never had time to finish it.
I had most of working IIRC, but it's tricky so be careful :).

Last question, is this fixing a bug, or is it "just" to run non-root? Final point, I think the log rotate sidecar as the same problem.

Thanks, I'll look at the log rotate sidecar too.

[travisn]

Thanks, I'll look at the log rotate sidecar too.

The log rotate sidecar will take a bit more investigation, will work on it in a follow-up issue with #11235.

[leseb]

Thanks, I'll look at the log rotate sidecar too.

The log rotate sidecar will take a bit more investigation, will work on it in a follow-up issue with #11235.

Yes, I think my old PR should have what's necessary to fix it, feel free to ping me when you tackle it.

[leseb]

One last thing, did you verify that the crash files can be uploaded by the ceph-crash script when they appear? Normally the crash logs should be owned by ceph so this should not be a problem. Better safe than sorry though.

[travisn]

One last thing, did you verify that the crash files can be uploaded by the ceph-crash script when they appear? Normally the crash logs should be owned by ceph so this should not be a problem. Better safe than sorry though.

Verified both in minikube and openshift. If I look at the crash directory, the crash moved into the posted subdir, and the toolbox shows the crash was reported:

sh-4.4$ ceph crash ls
ID                                                                ENTITY  NEW  
2022-10-28T17:31:32.037827Z_c5308e72-cdee-4c4d-8158-e24476180554  mon.a    *   

However, the logging in the crash collector pod makes it look like the operator failed. But I see this same log whether the crash collector is running as ceph or root (the same behavior before or after this fix). @leseb Have you seen this before?

INFO:ceph-crash:monitoring path /var/lib/ceph/crash, delay 600s
WARNING:ceph-crash:post /var/lib/ceph/crash/2022-10-28T17:31:32.037827Z_c5308e72-cdee-4c4d-8158-e24476180554 as client.crash.rook-ceph-crashcollector-7949e6200e610c9b3d040f70a100f3f4-cq5rx failed: (None, b'2022-10-28T17:36:22.538+0000 7f14db7fe700 -1 monclient(hunting): handle_auth_bad_method server allowed_methods [2] but i only support [2,1]\n2022-10-28T17:36:22.540+0000 7f14e0edb700 -1 monclient(hunting): handle_auth_bad_method server allowed_methods [2] but i only support [2,1]\n2022-10-28T17:36:22.543+0000 7f14dbfff700 -1 monclient(hunting): handle_auth_bad_method server allowed_methods [2] but i only support [2,1]\n[errno 13] RADOS permission denied (error connecting to the cluster)\n')
WARNING:ceph-crash:post /var/lib/ceph/crash/2022-10-28T17:31:32.037827Z_c5308e72-cdee-4c4d-8158-e24476180554 as client.crash failed: (None, b

[leseb]

One last thing, did you verify that the crash files can be uploaded by the ceph-crash script when they appear? Normally the crash logs should be owned by ceph so this should not be a problem. Better safe than sorry though.

Verified both in minikube and openshift. If I look at the crash directory, the crash moved into the posted subdir, and the toolbox shows the crash was reported:

sh-4.4$ ceph crash ls
ID                                                                ENTITY  NEW  
2022-10-28T17:31:32.037827Z_c5308e72-cdee-4c4d-8158-e24476180554  mon.a    *   

However, the logging in the crash collector pod makes it look like the operator failed. But I see this same log whether the crash collector is running as ceph or root (the same behavior before or after this fix). @leseb Have you seen this before?

INFO:ceph-crash:monitoring path /var/lib/ceph/crash, delay 600s
WARNING:ceph-crash:post /var/lib/ceph/crash/2022-10-28T17:31:32.037827Z_c5308e72-cdee-4c4d-8158-e24476180554 as client.crash.rook-ceph-crashcollector-7949e6200e610c9b3d040f70a100f3f4-cq5rx failed: (None, b'2022-10-28T17:36:22.538+0000 7f14db7fe700 -1 monclient(hunting): handle_auth_bad_method server allowed_methods [2] but i only support [2,1]\n2022-10-28T17:36:22.540+0000 7f14e0edb700 -1 monclient(hunting): handle_auth_bad_method server allowed_methods [2] but i only support [2,1]\n2022-10-28T17:36:22.543+0000 7f14dbfff700 -1 monclient(hunting): handle_auth_bad_method server allowed_methods [2] but i only support [2,1]\n[errno 13] RADOS permission denied (error connecting to the cluster)\n')
WARNING:ceph-crash:post /var/lib/ceph/crash/2022-10-28T17:31:32.037827Z_c5308e72-cdee-4c4d-8158-e24476180554 as client.crash failed: (None, b

Yes, this is very confusing but harmless. Essentially, the ceph-crash tries a bunch of users, and some fail but eventually one succeeds. That's why you see the crash being present in Ceph.

[BlaineEXE]

👏 👏 👏 👏 👏 👏 👏 👏 👏 👏