Open raballew opened 2 years ago
I can not find the proper Dockerfile in the repository but the fix seems to be setting a bunch of permissions right:
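```dockerfile
FROM docker.io/ixiacom/ixia-c-controller:0.0.1-3423
# Hand the tree to the root group (GID 0) and copy the owner's permission bits to the group
RUN chgrp -R 0 /home/keysight/ && \
    chmod -R g=u /home/keysight/
# Copy the owner's permission bits to the group on /etc/passwd
RUN chmod g=u /etc/passwd
```
or
```dockerfile
FROM docker.io/ixiacom/ixia-c-gnmi-server:1.9.5
# Hand the tree to the root group (GID 0) and copy the owner's permission bits to the group
RUN chgrp -R 0 /home/keysight/ && \
    chmod -R g=u /home/keysight/
# Copy the owner's permission bits to the group on /etc/passwd
RUN chmod g=u /etc/passwd
```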
Those required permission changes are in our internal components and not part of this public repo. The issue has been raised with relevant teams and we expect this to get resolved by next week. I will update once new builds are available.
Both containers `ixia-c` and `gnmi` of the otg-controller pod fail to start due to permission denied errors when trying to run the operator on OpenShift. This is most likely due to the usage of arbitrary UIDs as part of the OpenShift multi-layer security strategy as described here. To support using this operator on OpenShift the files access should be readable and writable by GID=0 (a container is always member of the root group). Thus commands invoked by the Entrypoint will be executed with an unprivileged UID and GID=0 pair. That means it is an unprivileged user executing the commands, and the UID that will be used during execution is not known in advance. From the technical design perspective, that means directories and files that may be written to by processes in the container should be owned by the root group and be read/writable by GID=0. Files to be executed should also have group execute permissions.
If you could point me in the right direction, I could contribute the required changes myself.
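An added example, not part of the original issue or the project's code: a Python check that walks a directory tree and reports entries that would still fail under an arbitrary UID with GID 0, meaning entries not group-owned by the expected GID or whose group bits differ from the owner's (the state `chgrp -R 0` and `chmod -R g=u` produce). The function names and the sample tree are assumptions constructed for illustration; the demo uses the temporary directory's own GID as a stand-in for 0 so it runs without root.

```python
import os
import stat
import tempfile


def group_matches_user(mode):
    """True when the group rwx bits equal the owner rwx bits (the result of chmod g=u)."""
    return (mode >> 6) & 0o7 == (mode >> 3) & 0o7


def audit_tree(root, gid=0):
    """Return sorted (path, reason) pairs for entries a process in group `gid`
    could not use the way the owner can."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink permissions are not what the kernel checks
            if st.st_gid != gid:
                findings.append((path, "group is %d, expected %d" % (st.st_gid, gid)))
            elif not group_matches_user(st.st_mode):
                findings.append(
                    (path, "mode %o: group bits differ from owner bits" % stat.S_IMODE(st.st_mode))
                )
    return sorted(findings)


def demo():
    """Constructed sample tree: one file already g=u, one left at 0640."""
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o770)
        for name, mode in (("config.yaml", 0o660), ("state.db", 0o640)):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        gid = os.stat(root).st_gid  # stand-in for GID 0 when not running as root
        return [os.path.basename(p) for p, _ in audit_tree(root, gid)]


if __name__ == "__main__":
    print(demo())
```

Inside an image build or a running container, `audit_tree("/home/keysight")` with the default `gid=0` lists what still needs the permission changes.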