From 108f566eb9e0afe107a2463cdd42dd09b26f1a23 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Han?=
Date: Mon, 13 Dec 2021 14:02:33 +0100
Subject: [PATCH 1/2] mgr: run active-watch as root and privileged
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
For now, we must run the container with UID 0 and privileged for multiple reasons:
* the rook binary writes ceph config to /var/lib/rook which is owned by root
* it's difficult to use /etc/ceph since it will conflict with the rook-ceph-override configmap AND is also owned by root since it's a mounted configmap.
* using /etc/ceph might be possible but has other issues with rook's exec package since the ceph config is built from /var/lib/rook
Closes: https://github.com/rook/rook/issues/9385
Signed-off-by: Sébastien Han
(cherry picked from commit 5c1e459a6a266f0660f05a0f2f2d5e6d8ac2ebc2)
---
 pkg/operator/ceph/cluster/cleanup.go | 4 +---
 pkg/operator/ceph/cluster/mgr/spec.go | 11 ++++++-----
 pkg/operator/ceph/cluster/osd/config.go | 10 ----------
 pkg/operator/ceph/cluster/osd/spec.go | 12 ++++++------
 pkg/operator/ceph/controller/spec.go | 16 ++++++++++++++++
 5 files changed, 29 insertions(+), 24 deletions(-)
diff --git a/pkg/operator/ceph/cluster/cleanup.go b/pkg/operator/ceph/cluster/cleanup.go
index bcf48adbf70f..dc5df20dd746 100644
--- a/pkg/operator/ceph/cluster/cleanup.go
+++ b/pkg/operator/ceph/cluster/cleanup.go
@@ -127,9 +127,7 @@ func (c *ClusterController) cleanUpJobContainer(cluster *cephv1.CephCluster, mon
 // See https://tracker.ceph.com/issues/53511
 // Also, it's hard to catch the ceph version since the cluster is being deleted so not
 // implementing a version check and simply always run this as root
- rootUserID := int64(0)
- securityContext := osd.PrivilegedContext()
- securityContext.RunAsUser = &rootUserID
+ securityContext := controller.PrivilegedContext(true)
 return v1.Container{
 Name: "host-cleanup",
diff --git a/pkg/operator/ceph/cluster/mgr/spec.go b/pkg/operator/ceph/cluster/mgr/spec.go
index 9896d25b5239..b062a5186a5b 100644
--- a/pkg/operator/ceph/cluster/mgr/spec.go
+++ b/pkg/operator/ceph/cluster/mgr/spec.go
@@ -228,11 +228,12 @@ func (c *Cluster) makeMgrSidecarContainer(mgrConfig *mgrConfig) v1.Container {
 }
 return v1.Container{
- Args: []string{"ceph", "mgr", "watch-active"},
- Name: "watch-active",
- Image: c.rookVersion,
- Env: envVars,
- Resources: cephv1.GetMgrSidecarResources(c.spec.Resources),
+ Args: []string{"ceph", "mgr", "watch-active"},
+ Name: "watch-active",
+ Image: c.rookVersion,
+ Env: envVars,
+ Resources: cephv1.GetMgrSidecarResources(c.spec.Resources),
+ SecurityContext: controller.PrivilegedContext(true),
 }
 }
diff --git a/pkg/operator/ceph/cluster/osd/config.go b/pkg/operator/ceph/cluster/osd/config.go
index 5c0f4c4aaa52..55ac64b9c082 100644
--- a/pkg/operator/ceph/cluster/osd/config.go
+++ b/pkg/operator/ceph/cluster/osd/config.go
@@ -25,22 +25,12 @@ import (
 cephv1 "github.com/rook/rook/pkg/apis/ceph.rook.io/v1"
 "github.com/rook/rook/pkg/operator/ceph/cluster/mgr"
 opconfig "github.com/rook/rook/pkg/operator/ceph/config"
- v1 "k8s.io/api/core/v1"
 )
 const (
 dmCryptKeySize = 128
 )
-// PrivilegedContext returns a privileged Pod security context
-func PrivilegedContext() *v1.SecurityContext {
- privileged := true
- return &v1.SecurityContext{
- Privileged: &privileged,
- }
-}
-
 func osdOnSDNFlag(network cephv1.NetworkSpec) []string {
 var args []string
 // OSD fails to find the right IP to bind to when running on SDN
diff --git a/pkg/operator/ceph/cluster/osd/spec.go b/pkg/operator/ceph/cluster/osd/spec.go
index e979aeae70c9..0e6f14e3328d 100644
--- a/pkg/operator/ceph/cluster/osd/spec.go
+++ b/pkg/operator/ceph/cluster/osd/spec.go
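Review bot: The rationale in the commit message (root-owned /var/lib/rook and the mounted config map) justifies RunAsUser 0 for the watch-active sidecar, but the added `SecurityContext: controller.PrivilegedContext(true),` also sets Privileged: true, and neither the hunk nor the message says why a sidecar that only runs `ceph mgr watch-active` needs every capability and host-device access. A root-only context would cover the stated problem: `rootUser := int64(0)` and `SecurityContext: &v1.SecurityContext{RunAsUser: &rootUser},`. If privileged really is required, a comment on the `SecurityContext` line naming the operation that needs it would keep a later hardening pass from dropping it by mistake. makeMgrSidecarContainer starts outside the hunk.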
@@ -765,7 +765,7 @@ func (c *Cluster) getActivateOSDInitContainer(configDir, namespace, osdID string
 Name: "activate",
 Image: c.spec.CephVersion.Image,
 VolumeMounts: volMounts,
- SecurityContext: PrivilegedContext(),
+ SecurityContext: controller.PrivilegedContext(true),
 Env: envVars,
 Resources: osdProps.resources,
 }
@@ -857,7 +857,7 @@ func (c *Cluster) generateEncryptionOpenBlockContainer(resources v1.ResourceRequ
 fmt.Sprintf(openEncryptedBlock, c.clusterInfo.FSID, pvcName, encryptionKeyPath(), encryptionBlockDestinationCopy(mountPath, blockType), encryptionDMName(pvcName, cryptBlockType), encryptionDMPath(pvcName, cryptBlockType)),
 },
 VolumeMounts: []v1.VolumeMount{getPvcOSDBridgeMountActivate(mountPath, volumeMountPVCName), getDeviceMapperMount()},
- SecurityContext: PrivilegedContext(),
+ SecurityContext: controller.PrivilegedContext(true),
 Resources: resources,
 }
 }
@@ -1111,7 +1111,7 @@ func (c *Cluster) getActivatePVCInitContainer(osdProps osdProperties, osdID stri
 },
 },
 VolumeMounts: []v1.VolumeMount{getPvcOSDBridgeMountActivate(osdDataPath, osdProps.pvc.ClaimName)},
- SecurityContext: PrivilegedContext(),
+ SecurityContext: controller.PrivilegedContext(true),
 Resources: osdProps.resources,
 }
@@ -1139,7 +1139,7 @@ func (c *Cluster) getExpandPVCInitContainer(osdProps osdProperties, osdID string
 },
 Args: []string{"bluefs-bdev-expand", "--path", osdDataPath},
 VolumeMounts: []v1.VolumeMount{getPvcOSDBridgeMountActivate(osdDataPath, osdProps.pvc.ClaimName)},
- SecurityContext: PrivilegedContext(),
+ SecurityContext: controller.PrivilegedContext(true),
 Resources: osdProps.resources,
 }
 }
@@ -1166,7 +1166,7 @@ func (c *Cluster) getExpandEncryptedPVCInitContainer(mountPath string, osdProps
 },
 Args: []string{"--verbose", "resize", encryptionDMName(osdProps.pvc.ClaimName, DmcryptBlockType)},
 VolumeMounts: volMount,
- SecurityContext: PrivilegedContext(),
+ SecurityContext: controller.PrivilegedContext(true),
 Resources: osdProps.resources,
 }
 }
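Review bot: Every osd/spec.go call site in these hunks (getActivateOSDInitContainer, generateEncryptionOpenBlockContainer, getActivatePVCInitContainer, getExpandPVCInitContainer, getExpandEncryptedPVCInitContainer, and getEncryptedStatusPVCInitContainer in the next hunk) passes `true`, so these init containers now get RunAsUser 0 on top of Privileged, whereas the removed osd.PrivilegedContext() set only Privileged. That is a behaviour change the commit message, which talks about the mgr sidecar, does not mention; if the intent was a pure move of the helper, the call should be `SecurityContext: controller.PrivilegedContext(false),` at each of these sites, and if root is wanted here too the message should say so. Whether it changes anything at runtime depends on the image's default user, which is not visible from the hunk.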
@@ -1196,7 +1196,7 @@ func (c *Cluster) getEncryptedStatusPVCInitContainer(mountPath string, osdProps
 },
 Args: []string{"--verbose", "status", encryptionDMName(osdProps.pvc.ClaimName, DmcryptBlockType)},
 VolumeMounts: []v1.VolumeMount{getPvcOSDBridgeMountActivate(mountPath, osdProps.pvc.ClaimName)},
- SecurityContext: PrivilegedContext(),
+ SecurityContext: controller.PrivilegedContext(true),
 Resources: osdProps.resources,
 }
 }
diff --git a/pkg/operator/ceph/controller/spec.go b/pkg/operator/ceph/controller/spec.go
index 183a6a424ea4..aab9710cd300 100644
--- a/pkg/operator/ceph/controller/spec.go
+++ b/pkg/operator/ceph/controller/spec.go
@@ -620,6 +620,22 @@ func PodSecurityContext() *v1.SecurityContext {
 }
 }
+// PrivilegedContext returns a privileged Pod security context
+func PrivilegedContext(runAsRoot bool) *v1.SecurityContext {
+ privileged := true
+ rootUser := int64(0)
+
+ sec := &v1.SecurityContext{
+ Privileged: &privileged,
+ }
+
+ if runAsRoot {
+ sec.RunAsUser = &rootUser
+ }
+
+ return sec
+}
+
 // LogCollectorContainer runs a cron job to rotate logs
 func LogCollectorContainer(daemonID, ns string, c cephv1.ClusterSpec) *v1.Container {
 return &v1.Container{
From 7b88115d97a5bbaaeb0095013afbb8247f0d5ace Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Han?=
Date: Mon, 13 Dec 2021 14:08:57 +0100
Subject: [PATCH 2/2] mgr: add missing context to the active-watch sidecar
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The context was not initialized and thus the configmap fetch will fail with a nil pointer.
Signed-off-by: Sébastien Han
(cherry picked from commit 892c9a211c79400bb3df3d91759d340c25d69c97)
---
 cmd/rook/ceph/mgr.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/cmd/rook/ceph/mgr.go b/cmd/rook/ceph/mgr.go
index 9ab42fed6cad..9c0ec816d919 100644
--- a/cmd/rook/ceph/mgr.go
+++ b/cmd/rook/ceph/mgr.go
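Review bot: The doc comment on the new PrivilegedContext in controller/spec.go still says it returns a "Pod security context", but the function returns a container-level *v1.SecurityContext and now takes a runAsRoot parameter it does not document. Suggest `// PrivilegedContext returns a container SecurityContext with Privileged set; when runAsRoot is true it also pins RunAsUser to 0.` Since this helper is now the single place privileged contexts are built, a sentence there reminding callers that Privileged grants all capabilities and host-device access, and should be reserved for containers that need it, would help keep its use narrow.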
@@ -66,6 +66,7 @@ func init() {
 // Start the mgr daemon sidecar
 func runMgrSidecar(cmd *cobra.Command, args []string) error {
 rook.SetLogLevel()
+ clusterInfo.Context = cmd.Context()
 context := createContext()
 clusterInfo.Monitors = mon.ParseMonEndpoints(cfg.monEndpoints)
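Review bot: The added line stores `cmd.Context()` without a nil check; cobra initialises the command context on its Execute path, so this is presumably fine, but the fix replaces one uninitialised field with a value whose non-nilness is not checked here. Note that the very next line, `context := createContext()`, shadows the `context` package inside runMgrSidecar, so a `context.Background()` fallback would have to be placed before it or the local renamed. runMgrSidecar's body continues outside the hunk.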