remove capability SYS_MODULE (#4744)

Signed-off-by: zhangzujian <[email protected]>
kubeovn · Nov 25, 2024 · 95ceeff · 95ceeff
1 parent 35f181b
commit 95ceeff
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 32 deletions.
diff --git a/charts/kube-ovn/templates/ovncni-ds.yaml b/charts/kube-ovn/templates/ovncni-ds.yaml
@@ -35,11 +35,7 @@ spec:
         command:
           - sh
           - -xec
-          - {{ if not .Values.DISABLE_MODULES_MANAGEMENT -}}
-            iptables -V
-            {{- else -}}
-            echo "nothing to do"
-            {{- end }}
+          - iptables -V
         securityContext:
           allowPrivilegeEscalation: true
           capabilities:
@@ -128,9 +124,6 @@ spec:
               - NET_RAW
               - SYS_ADMIN
               - SYS_PTRACE
-              {{- if not .Values.DISABLE_MODULES_MANAGEMENT }}
-              - SYS_MODULE
-              {{- end }}
               - SYS_NICE
         env:
           - name: ENABLE_SSL

diff --git a/charts/kube-ovn/templates/ovsovn-ds.yaml b/charts/kube-ovn/templates/ovsovn-ds.yaml
@@ -49,8 +49,9 @@ spec:
             - -xec
             - |
               chown -R nobody: /var/run/ovn /var/log/ovn /etc/openvswitch /var/run/openvswitch /var/log/openvswitch
-              {{- if not .Values.DISABLE_MODULES_MANAGEMENT }}
               iptables -V
+              {{- if not .Values.DISABLE_MODULES_MANAGEMENT }}
+              /usr/share/openvswitch/scripts/ovs-ctl load-kmod
               {{- else }}
               ln -sf /bin/true /usr/local/sbin/modprobe
               ln -sf /bin/true /usr/local/sbin/modinfo
@@ -64,6 +65,9 @@ spec:
             privileged: true
             runAsUser: 0
           volumeMounts:
+            - mountPath: /lib/modules
+              name: host-modules
+              readOnly: true
             - mountPath: /usr/local/sbin
               name: usr-local-sbin
             - mountPath: /var/log/ovn
@@ -96,9 +100,7 @@ spec:
               add:
                 - NET_ADMIN
                 - NET_BIND_SERVICE
-                {{- if not .Values.DISABLE_MODULES_MANAGEMENT }}
-                - SYS_MODULE
-                {{- end }}
+                - NET_RAW
                 - SYS_NICE
                 - SYS_ADMIN
           env:

diff --git a/dist/images/Dockerfile.base b/dist/images/Dockerfile.base
@@ -137,18 +137,19 @@ RUN apt update && apt upgrade -y && apt install ca-certificates python3 hostname
         tcpdump ipvsadm ipset curl uuid-runtime openssl inetutils-ping arping ndisc6 conntrack traceroute iputils-tracepath \
         logrotate dnsutils net-tools strongswan strongswan-pki libcharon-extra-plugins libmnl0 \
         libcharon-extauth-plugins libstrongswan-extra-plugins libstrongswan-standard-plugins -y --no-install-recommends && \
-        setcap CAP_SYS_NICE+eip $(readlink -f $(which nice)) && \
+        setcap CAP_NET_ADMIN+eip $(readlink -f $(which conntrack)) && \
+        setcap CAP_NET_ADMIN+eip $(readlink -f $(which ethtool)) && \
+        setcap CAP_NET_ADMIN+eip $(readlink -f $(which ip)) && \
+        setcap CAP_NET_ADMIN+eip $(readlink -f $(which ipset)) && \
+        setcap CAP_NET_ADMIN,CAP_NET_RAW+eip $(readlink -f $(which xtables-legacy-multi)) && \
+        setcap CAP_NET_ADMIN,CAP_NET_RAW+eip $(readlink -f $(which xtables-nft-multi)) && \
         setcap CAP_NET_RAW+eip $(readlink -f $(which arping)) && \
         setcap CAP_NET_RAW+eip $(readlink -f $(which ndisc6)) && \
         setcap CAP_NET_RAW+eip $(readlink -f $(which tcpdump)) && \
-        setcap CAP_NET_ADMIN+eip $(readlink -f $(which ethtool)) && \
         setcap CAP_SYS_ADMIN+eip $(readlink -f $(which nsenter)) && \
+        setcap CAP_SYS_ADMIN+eip $(readlink -f $(which sysctl)) && \
         setcap CAP_SYS_MODULE+eip $(readlink -f $(which modprobe)) && \
-        setcap CAP_NET_ADMIN+eip $(readlink -f $(which conntrack)) && \
-        setcap CAP_NET_RAW,CAP_NET_ADMIN,CAP_SYS_MODULE+eip $(readlink -f $(which ipset)) && \
-        setcap CAP_NET_RAW,CAP_NET_ADMIN,CAP_SYS_MODULE+eip $(readlink -f $(which xtables-legacy-multi)) && \
-        setcap CAP_NET_RAW,CAP_NET_ADMIN,CAP_SYS_MODULE+eip $(readlink -f $(which xtables-nft-multi)) && \
-        setcap CAP_NET_RAW,CAP_NET_ADMIN,CAP_SYS_MODULE,CAP_SYS_ADMIN+eip $(readlink -f $(which ip)) && \
+        setcap CAP_SYS_NICE+eip $(readlink -f $(which nice)) && \
         rm -rf /var/lib/apt/lists/* && \
         rm -rf /etc/localtime && \
         rm -f /usr/bin/nc && \
@@ -182,7 +183,7 @@ RUN --mount=type=bind,target=/packages,from=ovs-builder,source=/packages  \
     setcap CAP_NET_ADMIN+eip $(readlink -f $(which ovs-dpctl)) && \
     if [ "${DEBUG}" != "true" ]; then \
         setcap CAP_NET_BIND_SERVICE+eip $(readlink -f $(which ovsdb-server)) && \
-        setcap CAP_NET_ADMIN,CAP_NET_BIND_SERVICE,CAP_SYS_MODULE,CAP_SYS_ADMIN+eip $(readlink -f $(which ovs-vswitchd)); \
+        setcap CAP_NET_ADMIN,CAP_NET_BIND_SERVICE,CAP_SYS_ADMIN+eip $(readlink -f $(which ovs-vswitchd)); \
     else \
         apt update && apt install -y --no-install-recommends gdb valgrind && \
         rm -rf /var/lib/apt/lists/* && \

diff --git a/dist/images/install.sh b/dist/images/install.sh
@@ -3936,6 +3936,7 @@ spec:
             - |
               chown -R nobody: /var/run/ovn /var/log/ovn /etc/openvswitch /var/run/openvswitch /var/log/openvswitch
               iptables -V
+              /usr/share/openvswitch/scripts/ovs-ctl load-kmod
           securityContext:
             allowPrivilegeEscalation: true
             capabilities:
@@ -3944,6 +3945,9 @@ spec:
             privileged: true
             runAsUser: 0
           volumeMounts:
+            - mountPath: /lib/modules
+              name: host-modules
+              readOnly: true
             - mountPath: /usr/local/sbin
               name: usr-local-sbin
             - mountPath: /var/log/ovn
@@ -3969,7 +3973,7 @@ spec:
               add:
                 - NET_ADMIN
                 - NET_BIND_SERVICE
-                - SYS_MODULE
+                - NET_RAW
                 - SYS_NICE
                 - SYS_ADMIN
           env:
@@ -4585,7 +4589,6 @@ spec:
               - NET_BIND_SERVICE
               - NET_RAW
               - SYS_ADMIN
-              - SYS_MODULE
               - SYS_NICE
               - SYS_PTRACE
         env:

diff --git a/dist/images/start-ovs.sh b/dist/images/start-ovs.sh
@@ -15,15 +15,6 @@ OVN_REMOTE_OPENFLOW_INTERVAL=${OVN_REMOTE_OPENFLOW_INTERVAL:-180}
 echo "OVN_REMOTE_PROBE_INTERVAL is set to $OVN_REMOTE_PROBE_INTERVAL"
 echo "OVN_REMOTE_OPENFLOW_INTERVAL is set to $OVN_REMOTE_OPENFLOW_INTERVAL"
 
-# Check required kernel module
-modinfo -m openvswitch
-modinfo -m geneve
-
-# CentOS 8 might not load iptables module by default, which will hurt nat function
-if modinfo -m ip_tables; then
-  modprobe ip_tables
-fi
-
 # https://bugs.launchpad.net/neutron/+bug/1776778
 if grep -q "3.10.0-862" /proc/version
 then

diff --git a/test/e2e/framework/iptables/iptables.go b/test/e2e/framework/iptables/iptables.go
@@ -24,7 +24,7 @@ func CheckIptablesRulesOnNode(f *framework.Framework, node, table, chain, protoc
 		iptBin = "ip6tables"
 	}
 
-	cmd := fmt.Sprintf(`%s -t %s -S `, iptBin, table)
+	cmd := fmt.Sprintf(`%s -t %s -S`, iptBin, table)
 	if chain != "" {
 		cmd += chain
 	}