Stop setting FSGroup

FSGroup recursively chowns/chgrps each volume and setgids the dirs. This can interfere with permissions on the openstackclient, which needs to resemble a traditional undercloud host as closely as possible. SSH in particular has strict rule for the ownership and mode of it's files, but there could be other pemissions issues too. Note FSGroup has no effect on NFS, which we happen to be using in CI, but will affect local volumes, RBD etc... which provide formatted block devices. Avoid this completely by removing FSGroup and explicitly setting all ownership/modes in the init container. Jira: OSP-27993 Resolves: rhbz#2236085
openshift-cherrypick-robot · Sep 8, 2023 · 759bc58 · 759bc58
1 parent 02d1a84
commit 759bc58
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 16 deletions.
diff --git a/controllers/openstackclient_controller.go b/controllers/openstackclient_controller.go
@@ -556,7 +556,6 @@ func (r *OpenStackClientReconciler) podCreateOrUpdate(
 
 		pod.Spec.SecurityContext.RunAsUser = &runAsUser
 		pod.Spec.SecurityContext.RunAsGroup = &runAsGroup
-		pod.Spec.SecurityContext.FSGroup = &runAsGroup
 		pod.Spec.ServiceAccountName = openstackclient.ServiceAccount
 		pod.Spec.TerminationGracePeriodSeconds = &terminationGracePeriodSeconds
 		pod.Spec.Volumes = common.MergeVolumes(pod.Spec.Volumes, volumes)

diff --git a/pkg/openstackconfiggenerator/job.go b/pkg/openstackconfiggenerator/job.go
@@ -58,7 +58,6 @@ func ConfigJob(cr *ospdirectorv1beta1.OpenStackConfigGenerator, configHash strin
 		SecurityContext: &corev1.PodSecurityContext{
 			RunAsUser:  &runAsUser,
 			RunAsGroup: &runAsGroup,
-			FSGroup:    &runAsGroup,
 		},
 		TerminationGracePeriodSeconds: &terminationGracePeriodSeconds,
 		Volumes:                       volumes,

diff --git a/pkg/openstackdeploy/job.go b/pkg/openstackdeploy/job.go
@@ -61,7 +61,6 @@ func DeployJob(
 		SecurityContext: &corev1.PodSecurityContext{
 			RunAsUser:  &runAsUser,
 			RunAsGroup: &runAsGroup,
-			FSGroup:    &runAsGroup,
 		},
 		TerminationGracePeriodSeconds: &terminationGracePeriodSeconds,
 		Containers: []corev1.Container{

diff --git a/templates/openstackclient/bin/init.sh b/templates/openstackclient/bin/init.sh
@@ -15,15 +15,21 @@
 # under the License.
 set -ex
 
+umask 0022
+CHOWN_UID=$(id -u)
+CHOWN_GID=$(id -g)
+
+sudo chown $CHOWN_UID:$CHOWN_GID /home/cloud-admin
+sudo chmod 00755 /home/cloud-admin
+
+sudo cp -a /etc/hostname /mnt/etc/hostname
 if [ -v FQDN ]; then
-  echo "$FQDN" > /mnt/etc/hostname
-else
-  cp /etc/hostname /mnt/etc/hostname
+  sudo tee /mnt/etc/hostname >/dev/null <<<"$FQDN"
 fi
 
 # if the pvc is an empty volume, copy the existing hosts file to it
 if [ ! -f /mnt/etc/hosts ]; then
-  cp /etc/hosts /mnt/etc/
+  sudo cp -a /etc/hosts /mnt/etc/
 fi
 
 mkdir -p /home/cloud-admin/tripleo-deploy/validations
@@ -38,9 +44,9 @@ if [ -d /mnt/ssh-config ]; then
 
   # add cloud-admin ssh keys to /home/cloud-admin/.ssh in openstackclient
   mkdir -p /home/cloud-admin/.ssh
-  cp /mnt/ssh-config/* /home/cloud-admin/.ssh/
-  chmod 600 /home/cloud-admin/.ssh/id_rsa
-  sudo chown -R cloud-admin: /home/cloud-admin/.ssh
+  sudo cp /mnt/ssh-config/* /home/cloud-admin/.ssh/
+  sudo chmod 600 /home/cloud-admin/.ssh/id_rsa
+  sudo chown -R $CHOWN_UID:$CHOWN_GID /home/cloud-admin/.ssh
 fi
 
 if [ -d /mnt/ca-certs ]; then
@@ -61,11 +67,15 @@ if [ "$IPA_SERVER" != "" ]; then
     SHORT_HOSTNAME=$(hostname -s)
     LONG_HOSTNAME=$(hostname -f)
     if [ "$LONG_HOSTNAME" != "$FQDN" ]; then
-      sed -i -e "s/^\([0-9.]\+\)\s\+\(.*\)${SHORT_HOSTNAME}\$/\1\t\2${FQDN} ${SHORT_HOSTNAME}/" /mnt/etc/hosts
+      sudo sed -i -e "s/^\([0-9.]\+\)\s\+\(.*\)${SHORT_HOSTNAME}\$/\1\t\2${FQDN} ${SHORT_HOSTNAME}/" /mnt/etc/hosts
       sudo bash -c "cat /mnt/etc/hosts > /etc/hosts"
     fi
 
-    cat <<EOF > /home/cloud-admin/openstackclient_ipa_install.yaml
+    sudo truncate -s 0 /run/openstackclient_ipa_install.yaml
+    sudo chmod 600 /run/openstackclient_ipa_install.yaml
+    sudo chown $CHOWN_UID:$CHOWN_GID /run/openstackclient_ipa_install.yaml
+
+    cat <<EOF >> /run/openstackclient_ipa_install.yaml
 {{`---
 - hosts: localhost
   become: true
@@ -97,7 +107,7 @@ if [ "$IPA_SERVER" != "" ]; then
         name: tripleo_ipa_setup
 EOF`}}
 
-    ansible-playbook -e ipa_server_user=${IPA_SERVER_USER} -e ipa_realm=${IPA_REALM} -e ipa_server_hostname=${IPA_SERVER} -e ipa_domain=${IPA_DOMAIN} /home/cloud-admin/openstackclient_ipa_install.yaml
+    ansible-playbook -e ipa_server_user=${IPA_SERVER_USER} -e ipa_realm=${IPA_REALM} -e ipa_server_hostname=${IPA_SERVER} -e ipa_domain=${IPA_DOMAIN} /run/openstackclient_ipa_install.yaml
   fi
 
   # Fetch the latest IPA CA cert

diff --git a/templates/openstackconfiggenerator/bin/create-playbooks.sh b/templates/openstackconfiggenerator/bin/create-playbooks.sh
@@ -1,11 +1,15 @@
 #!/bin/bash
 set -eux
 
+umask 0022
+CHOWN_UID=$(id -u)
+CHOWN_GID=$(id -g)
+
 # add cloud-admin ssh keys to $HOME/.ssh
 mkdir -p $HOME/.ssh
-cp /mnt/ssh-config/* $HOME/.ssh/
-chmod 600 $HOME/.ssh/git_id_rsa
-chown -R cloud-admin: $HOME/.ssh
+sudo cp /mnt/ssh-config/* $HOME/.ssh/
+sudo chmod 600 $HOME/.ssh/git_id_rsa
+sudo chown -R $CHOWN_UID:$CHOWN_GID $HOME/.ssh
 
 export GIT_SSH_COMMAND="ssh -i $HOME/.ssh/git_id_rsa -o StrictHostKeyChecking=no"