Run GlanceAPI with GlanceUID user #610
Conversation
fmount
changed the title
|
/test glance-operator-build-deploy-kuttl |
pkg/glanceapi/statefulset.go
Outdated
|
|
||
| userID := glance.GlanceUID | ||
| if privileged { | ||
| userID = int64(0) |
There was a problem hiding this comment.
This is actually used when Cinder is the backend, and the concern is mostly related to the os-brick locks here. I'm wondering if we can still run it as glance user, and let the kolla group access the os-brick locks shared by glance and cinder (/cc @eharney )
fmount
force-pushed
the
sec_context
branch
2 times, most recently
from
e6a2ea4 to
c0674fb
Compare
fmount
force-pushed
the
sec_context
branch
2 times, most recently
from
3c4ebc1 to
a6b45e2
Compare
fmount
changed the title
fmount
force-pushed
the
sec_context
branch
2 times, most recently
from
10a8187 to
a5ab01f
Compare
When the backend is not Cinder (Cinder still has to be fully tested), GlanceAPI can reduce the permissions required for glance-api container, and run as GlanceUID/GlanceGID. This patch introduces scc for both glanceAPI and Httpd. Signed-off-by: Francesco Pantano <[email protected]>
ImageCache currently uses two different cronJobs associated to each glance-api instance (-cleaner and -pruner cronJobs). They mount /var/lib/glance/image-cache, a RWO Pvc, and execute a glance utility on the filestem owned by glance kolla user/group. Without glance-api being privileged, after the cronJob execution the Glance Pod is not able to access the image-cache path anymore, resulting in a Permission denied error. This patch defines a FSGroup that should be set at Pod level to make sure we always have the right privileges on the container fs, and, in addition, it runs glance-api as a privileged container when Cache is enabled. Jira: https://issues.redhat.com/browse/OSPRH-9842 Signed-off-by: Francesco Pantano <[email protected]>
|
/test glance-operator-build-deploy-kuttl |
1 similar comment
|
/test glance-operator-build-deploy-kuttl |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: abays, fmount, konan-abhi The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Tested with uni*eta to make sure Glance + Cinder is not a problem. I think we can merge this patch, and follow up in case of unexpected issues. |
|
Thank you @abays for the review. |
openshift-merge-bot
bot
merged commit 94bf45f
into
openstack-k8s-operators:main
When the backend is not
Cinder(Cinder still has to be fully tested),GlanceAPIcan reduce the permissions required forglance-apicontainer, and run asGlanceUID/GlanceGID. This patch introducessccfor bothglanceAPIandhttpd.Jira: https://issues.redhat.com/browse/OSPRH-9842
Jira: https://issues.redhat.com/browse/OSPRH-10149