gibizer closed this 4 months ago
Currently we are using `RunAsUser: ptr.To(nova.NovaUserID)`, and the only file that we mount with root is ssl.conf, so maybe we can mount it with the apache user and we can close this.
It seems we did the majority of the work in https://github.com/openstack-k8s-operators/nova-operator/pull/598. #795 is nice to have. We can merge it if CI is green. I agree we can close this ticket. As a side note, we still cannot be fully rootless because kolla uses sudo.
https://github.com/openstack-k8s-operators/nova-operator/blob/6e5ff216df799f08faaa8d3c6696d571a7e2ae73/pkg/novaapi/dbsync.go#L53
we should not be running as root
https://sdk.operatorframework.io/docs/best-practices/best-practices/#summary-1
"Does not run as root"
we should be using the nova user here.
the nova user and group is 42436
https://github.com/openstack/kolla/blob/master/kolla/common/users.py#L148-L151
https://github.com/openstack/tripleo-common/blob/0a4ca78500a30e80a1746ac65188350d597a32bc/container-images/kolla/base/uid_gid_manage.sh#L62
_Originally posted by @SeanMooney in https://github.com/openstack-k8s-operators/nova-operator/pull/84#discussion_r987207939_
also in https://github.com/openstack-k8s-operators/nova-operator/blob/6e5ff216df799f08faaa8d3c6696d571a7e2ae73/templates/novaapi/config/nova-api-config.json#L25
_Originally posted by @SeanMooney in https://github.com/openstack-k8s-operators/nova-operator/pull/84#discussion_r987215882_
also in https://github.com/openstack-k8s-operators/nova-operator/blob/6e5ff216df799f08faaa8d3c6696d571a7e2ae73/pkg/novaapi/deployment.go#L37
_Originally posted by @SeanMooney in https://github.com/openstack-k8s-operators/nova-operator/pull/84#discussion_r987227736_