WIP try to move our pods to nonroot-v2 profile #605

Closed
wants to merge 1 commit into from

Conversation

@gibizer gibizer commented Nov 24, 2023

  • Kolla needs sudo, sudo needs uid 0.
  • Manually mapping uid 0 via annotation does not seem to work.


openshift-ci bot commented Nov 24, 2023

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all


openshift-ci bot commented Nov 24, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gibizer

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

gibizer commented Nov 24, 2023

❯ oc describe pod nova-cell0-conductor-db-sync-npb8w
Name:             nova-cell0-conductor-db-sync-npb8w
Namespace:        openstack
Priority:         0
Service Account:  nova-nova
Node:             crc-n5gv4-master-0/192.168.126.11
Start Time:       Fri, 24 Nov 2023 10:47:48 +0100
Labels:           batch.kubernetes.io/controller-uid=7e8fac6d-e538-432e-ba31-0ff48ff25cf7
                  batch.kubernetes.io/job-name=nova-cell0-conductor-db-sync
                  controller-uid=7e8fac6d-e538-432e-ba31-0ff48ff25cf7
                  job-name=nova-cell0-conductor-db-sync
Annotations:      io.kubernetes.cri-o.userns-mode: private:uidmapping=0:100000:90000;gidmapping=0:100000:90000
                  k8s.v1.cni.cncf.io/network-status:
                    [{
                        "name": "openshift-sdn",
                        "interface": "eth0",
                        "ips": [
                            "10.217.1.181"
                        ],
                        "default": true,
                        "dns": {}
                    }]
                  openshift.io/scc: nonroot-v2
                  seccomp.security.alpha.kubernetes.io/pod: runtime/default
Status:           Running
SeccompProfile:   RuntimeDefault
IP:               10.217.1.181
IPs:
  IP:           10.217.1.181
Controlled By:  Job/nova-cell0-conductor-db-sync
Containers:
  nova-cell0-conductor-db-sync:
    Container ID:    cri-o://406514684f3ceae4c8c44c618a979edafb5fb7070a9b8a20516ec60571b1944b
    Image:           quay.io/podified-antelope-centos9/openstack-nova-conductor@sha256:76ec7708c803cce5b1c6041bdb56edf7d083141fb587277576ea4885cd2d4894
    Image ID:        quay.io/podified-antelope-centos9/openstack-nova-conductor@sha256:76ec7708c803cce5b1c6041bdb56edf7d083141fb587277576ea4885cd2d4894
    Port:            <none>
    Host Port:       <none>
    SeccompProfile:  RuntimeDefault
    Command:
      /bin/bash
    Args:
      -c
      /usr/local/bin/kolla_start
    State:          Waiting
      Reason:       CrashLoopBackOff
    Last State:     Terminated
      Reason:       Error
      Exit Code:    1
      Started:      Fri, 24 Nov 2023 10:47:49 +0100
      Finished:     Fri, 24 Nov 2023 10:47:49 +0100
    Ready:          False
    Restart Count:  1
    Environment:
      CELL_NAME:              cell0
      KOLLA_BOOTSTRAP:        true
      KOLLA_CONFIG_STRATEGY:  COPY_ALWAYS
    Mounts:
      /var/lib/kolla/config_files/config.json from config-data (rw,path="nova-conductor-dbsync-config.json")
      /var/lib/openstack/bin from scripts (rw)
      /var/lib/openstack/config from config-data (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-8p49x (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             False 
  ContainersReady   False 
  PodScheduled      True 
Volumes:
  config-data:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  nova-cell0-conductor-config-data
    Optional:    false
  scripts:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  nova-cell0-conductor-scripts
    Optional:    false
  kube-api-access-8p49x:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
    ConfigMapName:           openshift-service-ca.crt
    ConfigMapOptional:       <nil>
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason          Age              From               Message
  ----     ------          ----             ----               -------
  Normal   Scheduled       9s               default-scheduler  Successfully assigned openstack/nova-cell0-conductor-db-sync-npb8w to crc-n5gv4-master-0
  Normal   AddedInterface  8s               multus             Add eth0 [10.217.1.181/23] from openshift-sdn
  Normal   Pulled          8s (x2 over 8s)  kubelet            Container image "quay.io/podified-antelope-centos9/openstack-nova-conductor@sha256:76ec7708c803cce5b1c6041bdb56edf7d083141fb587277576ea4885cd2d4894" already present on machine
  Normal   Created         8s (x2 over 8s)  kubelet            Created container nova-cell0-conductor-db-sync
  Normal   Started         7s (x2 over 8s)  kubelet            Started container nova-cell0-conductor-db-sync
  Warning  BackOff         6s (x2 over 7s)  kubelet            Back-off restarting failed container nova-cell0-conductor-db-sync in pod nova-cell0-conductor-db-sync-npb8w_openstack(f681fbd2-71b7-47b9-869a-2b2e307dfacc)
❯ oc logs nova-cell0-conductor-db-sync-npb8w
+ sudo -E kolla_set_configs
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?


Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/e2de8f29f7514ef386f8c4be35d31b62

✔️ nova-operator-content-provider SUCCESS in 1h 35m 38s
nova-operator-kuttl FAILURE in 47m 19s
nova-operator-tempest-multinode FAILURE in 1h 12m 30s

@@ -59,6 +59,11 @@ func CellDBSyncJob(
},
Spec: batchv1.JobSpec{
Template: corev1.PodTemplateSpec{
ObjectMeta: metav1.ObjectMeta{
Annotations: map[string]string{
"io.kubernetes.cri-o.userns-mode": "private:uidmapping=0:100000:90000;gidmapping=0:100000:90000",
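Review bot: the `io.kubernetes.cri-o.userns-mode` annotation added here is gated by CRI-O's workload configuration, and the crio.conf.d excerpt quoted below only lists it under `allowed_annotations` for the `openshift-builder` workload, whose `activation_annotation` is `io.openshift.builder`; without that activation annotation on the pod the mapping is not applied, which is consistent with the pod still failing at `sudo -E kolla_set_configs` with "effective uid is not 0". Note also that `private:uidmapping=0:100000:90000` pins every pod carrying this annotation to the same host uid range, so such pods are not isolated from one another; the `auto:size=...` mode used later in the thread gives each pod its own range.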
looking into rhcos crc host's /etc/crio/crio.conf.d/00-default, there is:

[crio.runtime.workloads.openshift-builder]
activation_annotation = "io.openshift.builder"
allowed_annotations = [
  "io.kubernetes.cri-o.userns-mode",
  "io.kubernetes.cri-o.Devices"
]

which looks a bit different to https://github.com/cri-o/cri-o/blob/main/tutorials/userns.md#cri-o-configuration

we need to reach out to OCP folks to clarify the support status of this

My naive guess: we also need the activation annotation specified so that the allowed annotations become treated as needed

@bogdando bogdando Nov 24, 2023

to summarize:

  • we might need /etc/subuid and /etc/subgid tweaks like that blog post provides.
# on my crc host:
[core@crc-lz7xw-master-0 ~]$ cat /etc/subgid
core:100000:65536
containers:200000:16000000
[core@crc-lz7xw-master-0 ~]$ cat /etc/subuid
core:100000:65536
containers:200000:16000000
# proposed to patch for MCO in the blogpost:
[core@crc-lz7xw-master-0 ~]$  echo Y29yZToxMDAwMDA6NjU1MzYKY29udGFpbmVyczoyMDAwMDA6MjY4NDM1NDU2Cg== | base64 -d
core:100000:65536
containers:200000:268435456

The doc talks about changing a conf file /etc/crio/crio.conf.d/01-userns-workload.conf so that is out of scope of our possibilities.

this is not needed, see the summarized steps

we can't modify any config on the CRC host.
we cannot require any host config bar the default provided by openshift.

so unless the /etc/subuid and /etc/subgid are purely in the container we cannot make those changes

@SeanMooney SeanMooney Nov 27, 2023

I have not fully read the blog you linked https://frasertweedale.github.io/blog-redhat/posts/2022-02-02-openshift-user-ns-without-anyuid.html#solution

but yes we might be able to use some of those steps

so I take it your suggestion is just to add

Annotations: map[string]string{
   "io.openshift.userns": "true",
   "io.kubernetes.cri-o.userns-mode": "auto:size=65536;map-to-root=true",
}

or perhaps

Annotations: map[string]string{
   "io.openshift.userns": "true",
   "io.kubernetes.cri-o.userns-mode": "private:uidmapping=0:100000:90000;gidmapping=0:100000:90000;map-to-root=true",
}

we can't modify any config on the CRC host. we cannot require any host config bar the default provided by openshift.

so unless the /etc/subuid and /etc/subgid are purely in the container we cannot make those changes

I think we can omit those MCO tunings, it should just work (see the diff I provided, it looks not so much important)

@bogdando

FYI use kubectl patch job nova-cell0-conductor-db-sync -p '{"spec":{"suspend":true}}' and kubectl patch job nova-cell0-conductor-db-sync -p '{"spec":{"suspend":false}}' to freeze/unfreeze the pod crashloop, when testing this (or crc eats all free space on the disk very fast)

@bogdando

This test job has worked for me

apiVersion: batch/v1
kind: Job
metadata:
  annotations:
  labels:
    service: nova-conductor
  name: nova-cell0-conductor-db-sync
  namespace: openstack
spec:
  backoffLimit: 1
  completionMode: NonIndexed
  completions: 1
  parallelism: 1
  suspend: true
  template:
    metadata:
      annotations:
        io.kubernetes.cri-o.userns-mode: auto:size=65536;map-to-root=false
        io.openshift.builder: "true"
      labels:
        job-name: nova-cell0-conductor-db-sync
    spec:
      containers:
      - args:
        - -c
        - "cat /proc/self/uid_map && cat /proc/self/gid_map; sleep infinity"
        command:
        - bin/bash
        env:
        - name: CELL_NAME
          value: cell0
        - name: KOLLA_BOOTSTRAP
          value: "true"
        - name: KOLLA_CONFIG_STRATEGY
          value: COPY_ALWAYS
        image: quay.io/centos/centos:stream9
        imagePullPolicy: IfNotPresent
        name: nova-cell0-conductor-db-sync
        resources: {}
        securityContext:
          runAsGroup: 42436
          runAsNonRoot: true
          runAsUser: 42436
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /var/lib/openstack/config
          name: config-data
        - mountPath: /var/lib/openstack/bin
          name: scripts
        - mountPath: /var/lib/kolla/config_files/config.json
          name: config-data
          subPath: nova-conductor-dbsync-config.json
      dnsPolicy: ClusterFirst
      restartPolicy: OnFailure
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: nova-nova
      serviceAccountName: nova-nova
      terminationGracePeriodSeconds: 30
      volumes:
      - name: config-data
        secret:
          defaultMode: 416
          secretName: nova-cell0-conductor-config-data
      - name: scripts
        secret:
          defaultMode: 480
          secretName: nova-cell0-conductor-scripts
  ttlSecondsAfterFinished: 6000

it logs

         0     265536      65536
         0     265536      65536

ObjectMeta: metav1.ObjectMeta{
Annotations: map[string]string{
"io.openshift.builder": "true",
"io.kubernetes.cri-o.userns-mode": "auto:size=65536;map-to-root=false",
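Review bot: `auto:size=65536;map-to-root=false` together with the `io.openshift.builder` activation does get the namespace created (the test job's uid_map reads `0 265536 65536`), but it does not fix the reported failure: sudo checks the effective uid inside the namespace, and under nonroot-v2 the container still runs as the non-root uid set by `runAsUser` (42436 in the test job), so `sudo -E kolla_set_configs` keeps failing with "effective uid is not 0", as the follow-up logs show. Either the entrypoint has to run as in-namespace uid 0, which `runAsNonRoot: true` rejects, or kolla's sudo call has to go; also, borrowing the builder workload's activation annotation for a non-build pod needs the OCP support confirmation requested above before it is relied on.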
In my local tests this still results in:

❯ oc logs nova-cell0-conductor-db-sync-wf8md --follow
+ sudo -E kolla_set_configs
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

yes, I can confirm that:

[nova@nova-cell0-conductor-db-sync-djkdt /]$ sudo whoami
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

so this PoC needs more work then...

@bogdando bogdando Nov 28, 2023

btw, the sudo-less way to test this also works with map-to-root=true


Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/83a1e22d24eb41d490e77ce6eb9289fa

✔️ nova-operator-content-provider SUCCESS in 1h 23m 26s
nova-operator-kuttl FAILURE in 39m 13s
nova-operator-tempest-multinode FAILURE in 1h 05m 12s

gibizer commented Nov 28, 2023

In CI I see a possibly different error.
Both jobs fail with:

2023-11-27T18:50:47.729Z	INFO	controllers.Nova	ServiceAccount nova-nova-kuttl - created
2023-11-27T18:50:47.824Z	ERROR	Reconciler error	{"controller": "nova", "controllerGroup": "nova.openstack.org", "controllerKind": "Nova", "Nova": {"name":"nova-kuttl","namespace":"nova-kuttl-default"}, "namespace": "nova-kuttl-default", "name": "nova-kuttl", "reconcileID": "7e2d36eb-5c37-46c2-b675-b5f73b658992", "error": "Error creating role nova-nova-kuttl-role *v1.Role nova-kuttl-default/nova-nova-kuttl-role: roles.rbac.authorization.k8s.io \"nova-nova-kuttl-role\" is forbidden: user \"system:serviceaccount:openstack-operators:nova-operator-controller-manager\" (groups=[\"system:serviceaccounts\" \"system:serviceaccounts:openstack-operators\" \"system:authenticated\"]) is attempting to grant RBAC permissions not currently held:\n{APIGroups:[\"security.openshift.io\"], Resources:[\"securitycontextconstraints\"], ResourceNames:[\"nonroot-v2\"], Verbs:[\"use\"]}"}
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:329
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:274
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:235

Error creating role nova-nova-kuttl-role *v1.Role nova-kuttl-default/nova-nova-kuttl-role: roles.rbac.authorization.k8s.io "nova-nova-kuttl-role" is forbidden: user "system:serviceaccount:openstack-operators:nova-operator-controller-manager" (groups=["system:serviceaccounts" "system:serviceaccounts:openstack-operators" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:\n{APIGroups:["security.openshift.io"], Resources:["securitycontextconstraints"], ResourceNames:["nonroot-v2"], Verbs:["use"]}

* Kolla needs sudo, sudo needs uid 0.
* Manually mapping uid 0 via annotation does not seem to work.
@gibizer

gibizer commented Nov 28, 2023

This was a missing / unaligned RBAC annotation for nonroot-v2, fixed now.


Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/6346d0c06b2d4385b63ce70425efa144

✔️ nova-operator-content-provider SUCCESS in 59m 02s
nova-operator-kuttl FAILURE in 39m 17s
nova-operator-tempest-multinode RETRY_LIMIT in 7s

@bogdando

If the use of sudo by kolla blocks this, I'd say let's no longer use kolla and sudo


booxter commented Nov 28, 2023

From what I see, using kolla implies that

  1. allowPrivilegeEscalation cannot be false (for sudo);
  2. dropCapabilities cannot be ALL (I get sudo: unable to change to root gid: Operation not permitted on sudo -E kolla_set_configs).

What's the goal of having kolla at all? Config file management seems to be as easy with or without it (arguably simpler without?) What else? (Config file management becomes a moot point for services like OVN that don't even have config files / INI files through oslo.config). Anyone have an idea behind kolla beyond historical reasons?
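A preflight check that encodes what this thread established, added here as an example (it is not nova-operator code): it parses the uid_map output from bogdando's test job above, translates the in-namespace uid to the host uid it lands on, and flags the pod-template settings that stop a sudo-based kolla entrypoint from working under nonroot-v2 (userns-mode annotation without the io.openshift.builder activation, non-zero runAsUser, allowPrivilegeEscalation=false, capabilities drop ALL). The helper names and the sample inputs are constructed for this example.

```python
"""Preflight for the userns + nonroot-v2 experiment discussed in this PR (added example)."""
from typing import Dict, List, Optional, Tuple

USERNS_MODE = "io.kubernetes.cri-o.userns-mode"
# activation_annotation of the CRI-O workload that allows USERNS_MODE in the
# CRC host's /etc/crio/crio.conf.d/00-default quoted earlier in the thread
ACTIVATION = "io.openshift.builder"

# Constructed: uid_map line printed with auto:size=65536;map-to-root=false
AUTO_UID_MAP = "         0     265536      65536\n"


def parse_id_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse /proc/<pid>/uid_map or gid_map into (ns_start, host_start, length)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id_map line: {line!r}")
        ns_start, host_start, length = (int(f) for f in fields)
        if length <= 0:
            raise ValueError(f"bad range length in {line!r}")
        entries.append((ns_start, host_start, length))
    return entries


def ns_to_host(id_map: List[Tuple[int, int, int]], ns_id: int) -> Optional[int]:
    """Host id that an in-namespace id maps to, or None when it is unmapped."""
    for ns_start, host_start, length in id_map:
        if ns_start <= ns_id < ns_start + length:
            return host_start + (ns_id - ns_start)
    return None


def preflight(annotations: Dict[str, str], sc: Dict, uses_sudo: bool) -> List[str]:
    """Reasons a pod template will not behave as intended under nonroot-v2.

    annotations: pod template annotations; sc: container securityContext;
    uses_sudo: whether the entrypoint calls sudo (kolla_start does).
    """
    findings = []
    if USERNS_MODE in annotations and annotations.get(ACTIVATION) != "true":
        findings.append(f"{USERNS_MODE} is set without {ACTIVATION}=true, so the "
                        "CRI-O workload config will not apply the mapping")
    if not uses_sudo:
        return findings
    uid = sc.get("runAsUser")
    if uid not in (None, 0):
        findings.append(f"sudo needs effective uid 0 but the container runs as uid "
                        f"{uid}; a userns mapping does not change that")
    if sc.get("allowPrivilegeEscalation") is False:
        findings.append("allowPrivilegeEscalation=false: setuid sudo cannot gain root")
    if "ALL" in sc.get("capabilities", {}).get("drop", []):
        findings.append("capabilities drop ALL: sudo cannot change to root gid")
    return findings


if __name__ == "__main__":
    # runAsUser 42436 inside the namespace lands on host uid 307972, still not root
    print("host uid of 42436:", ns_to_host(parse_id_map(AUTO_UID_MAP), 42436))
    for f in preflight({USERNS_MODE: "auto:size=65536;map-to-root=false",
                        ACTIVATION: "true"},
                       {"runAsUser": 42436, "runAsNonRoot": True}, uses_sudo=True):
        print("-", f)
```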


bogdando commented Nov 29, 2023

Anyone have an idea behind kolla beyond historical reasons?

Note that we don't use upstream Kolla, but its forked version as of tripleo.
That means we can change that "kolla" for our needs, like removing the need for sudo completely


SeanMooney commented Nov 29, 2023

we provide the kolla image ABI to our partners to integrate against
with the defined entry point and config management that implies
if we remove it then any partner that used it will need to reintegrate and adapt.

we can define our own but we need to do so carefully if we do
we also need the config management and start process to work the same for both
container running on edpm host and openshift so we cannot rely on something that
only works on openshift or podman
it must support both to be a replacement for the kolla image API
https://docs.openstack.org/kolla/latest/admin/kolla_api.html

@booxter we also tried to document this in https://github.com/openstack-k8s-operators/docs/blob/main/service_config.md
when we had this conversation 6 months ago and tried to agree on a design to be implemented by all services in next gen.

@bogdando

it must support both to be a replacement for the kolla image API
https://docs.openstack.org/kolla/latest/admin/kolla_api.html

As I noted earlier, formally we do not follow it as of 2020

@SeanMooney

it must support both to be a replacement for the kolla image API
https://docs.openstack.org/kolla/latest/admin/kolla_api.html

As I noted earlier, formally we do not follow it as of 2020

we follow the API; we forked the implementation. There is a difference

@bogdando

it must support both to be a replacement for the kolla image API
https://docs.openstack.org/kolla/latest/admin/kolla_api.html

As I noted earlier, formally we do not follow it as of 2020

we follow the API; we forked the implementation. There is a difference

We do not track Kolla API changes to reflect them into the fork. My point is that we could change the sudo requirements in the forked implementation w/o breaking the APIs

@gibizer gibizer closed this Dec 13, 2023