
Drop privileged from manila-share StatefulSet#597

Open
fmount wants to merge 2 commits into openstack-k8s-operators:main from fmount:priv

Conversation

@fmount fmount commented Jul 2, 2026

Collaborator

Unlike some valid use cases for glance and cinder, we never require a privileged Pod for manila-share.
It can always be run using the Manila user and kolla group, which is sufficient to distribute config files and start the service.

Jira: OSPRH-32347

Unlike some valid use cases for glance and cinder, we never require a
privileged Pod for manila-share. It can be run (even kolla) using Manila
user and kolla group, which is sufficient to distribute config files and
start the service.

Signed-off-by: Francesco Pantano <fpantano@redhat.com>
@openshift-ci openshift-ci Bot requested review from abays and dprince July 2, 2026 17:37
@openshift-ci openshift-ci Bot added the approved label Jul 2, 2026
@fmount fmount requested a review from gouthampacha July 2, 2026 17:37
@centosinfra-prod-github-app


Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/zuul/t/rdoproject.org/buildset/f35d6916dea543b2963883f183ed9cc5

❌ openstack-k8s-operators-content-provider FAILURE in 5m 37s
⚠️ manila-operator-kuttl SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ manila-operator-tempest SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider

@gouthampacha

Contributor

recheck

@gouthampacha gouthampacha commented Jul 2, 2026

Contributor

/lgtm

thank you @fmount! Agree. Beyond the init actions, the operational parts of the share manager service (reading/writing files) don't need to be privileged on the host because the users have access. We might need to run privileged if we ever introduce a driver that needs to operate on a filesystem/device on the host (this could include dbus, for instance). Currently, we don't support such drivers with this operator. If/when we do, we can make this conditional on the fact that someone is deploying with such a storage backend driver.
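The two settings this thread is about (a `privileged` container and a `hostPath` volume on the manila-share pod template) are easy to regress later. The following is an added example, not code from manila-operator: a small Go audit that parses a rendered StatefulSet manifest and reports privileged containers, containers running as uid 0, and hostPath volumes. It uses only the standard library; the struct types are a constructed subset of the Kubernetes apps/v1 and core/v1 schema (field names match the real API, so a manifest produced by `kubectl get sts -o json` parses unchanged), the two manifests are constructed, and the uid/gid values in the "after" manifest are placeholders rather than the image's real manila/kolla ids.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed subset of the Kubernetes API types (not k8s.io/api). Only the
// fields the audit inspects are declared; unknown JSON fields are ignored.
type securityContext struct {
	Privileged *bool  `json:"privileged,omitempty"`
	RunAsUser  *int64 `json:"runAsUser,omitempty"`
}

type container struct {
	Name            string           `json:"name"`
	SecurityContext *securityContext `json:"securityContext,omitempty"`
}

type volume struct {
	Name     string `json:"name"`
	HostPath *struct {
		Path string `json:"path"`
		Type string `json:"type,omitempty"`
	} `json:"hostPath,omitempty"`
}

type statefulSet struct {
	Spec struct {
		Template struct {
			Spec struct {
				Containers []container `json:"containers"`
				Volumes    []volume    `json:"volumes"`
			} `json:"spec"`
		} `json:"template"`
	} `json:"spec"`
}

// AuditStatefulSet returns one finding per privileged container, per
// container pinned to uid 0, and per hostPath volume in the pod template.
// An empty slice means the workload needs neither host privileges nor host paths.
func AuditStatefulSet(manifest []byte) ([]string, error) {
	var sts statefulSet
	if err := json.Unmarshal(manifest, &sts); err != nil {
		return nil, fmt.Errorf("parse manifest: %w", err)
	}
	pod := sts.Spec.Template.Spec
	findings := []string{}
	for _, c := range pod.Containers {
		sc := c.SecurityContext
		if sc != nil && sc.Privileged != nil && *sc.Privileged {
			findings = append(findings, fmt.Sprintf("container %q runs privileged", c.Name))
		}
		if sc != nil && sc.RunAsUser != nil && *sc.RunAsUser == 0 {
			findings = append(findings, fmt.Sprintf("container %q runs as uid 0", c.Name))
		}
	}
	for _, v := range pod.Volumes {
		if v.HostPath != nil {
			findings = append(findings, fmt.Sprintf("volume %q mounts host path %s", v.Name, v.HostPath.Path))
		}
	}
	return findings, nil
}

// Constructed "before" manifest: the pattern this PR removes (privileged
// container running as root, plus a hostPath volume for /var/lib/manila).
const BeforeManifest = `{
  "apiVersion": "apps/v1", "kind": "StatefulSet",
  "spec": {"template": {"spec": {
    "containers": [{"name": "manila-share",
      "securityContext": {"privileged": true, "runAsUser": 0}}],
    "volumes": [{"name": "var-lib-manila",
      "hostPath": {"path": "/var/lib/manila", "type": "DirectoryOrCreate"}}]
  }}}
}`

// Constructed "after" manifest: unprivileged, running as the service user with
// the kolla group as fsGroup, and pod-local storage instead of a hostPath.
// 42429/42400 are placeholders; take the real uid/gid from the image.
const AfterManifest = `{
  "apiVersion": "apps/v1", "kind": "StatefulSet",
  "spec": {"template": {"spec": {
    "securityContext": {"fsGroup": 42400},
    "containers": [{"name": "manila-share",
      "securityContext": {"privileged": false, "runAsUser": 42429, "allowPrivilegeEscalation": false}}],
    "volumes": [{"name": "var-lib-manila", "emptyDir": {}}]
  }}}
}`

func main() {
	for _, name := range []string{"before", "after"} {
		m := map[string]string{"before": BeforeManifest, "after": AfterManifest}[name]
		findings, err := AuditStatefulSet([]byte(m))
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%s: %d finding(s)\n  %s\n", name, len(findings), strings.Join(findings, "\n  "))
	}
}
```

Run it against the rendered manifest of a deployed cluster to confirm the operator output matches the intent of this PR; the same check fits naturally in a kuttl assert step or a CI job, where a non-empty finding list fails the run.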

@openshift-ci openshift-ci Bot commented Jul 2, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fmount, gouthampacha

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [fmount,gouthampacha]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@centosinfra-prod-github-app


Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/zuul/t/rdoproject.org/buildset/feb30f4b26dc4c8098399c99fe1b18aa

✔️ openstack-k8s-operators-content-provider SUCCESS in 2h 05m 22s
❌ manila-operator-kuttl FAILURE in 53m 05s
❌ manila-operator-tempest FAILURE in 1h 45m 19s

@fmount fmount commented Jul 2, 2026

Collaborator Author

Build failed (check pipeline). Post recheck (without leading slash) to rerun all jobs. Make sure the failure cause has been resolved before you rerun jobs.

https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/zuul/t/rdoproject.org/buildset/feb30f4b26dc4c8098399c99fe1b18aa

✔️ openstack-k8s-operators-content-provider SUCCESS in 2h 05m 22s
❌ manila-operator-kuttl FAILURE in 53m 05s
❌ manila-operator-tempest FAILURE in 1h 45m 19s

@gouthampacha Not sure why this worked for me in unidelta but not in crc. I guess I have to redeploy it manually and check what's going on, because I do not see logs here. Holding the patch until I reproduce and figure out the reason for the failure.

This patch removes the var-lib-manila hostPath mount from manila-share.
This is not required, especially from the host where the pod is
scheduled.

Signed-off-by: Francesco Pantano <fpantano@redhat.com>
@openshift-ci openshift-ci Bot removed the lgtm label Jul 2, 2026
@openshift-ci openshift-ci Bot commented Jul 2, 2026

Contributor

New changes are detected. LGTM label has been removed.

SubPath: "my.cnf",
ReadOnly: true,
},
/*{
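Review bot: the `/*{` that follows the `my.cnf` mount opens a block comment around a further volume mount entry; if this is the leftover referred to in the thread, deleting the commented-out entry outright rather than keeping it fenced in `/* ... */` keeps the mount list readable and avoids a stale mount being uncommented back in later.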

Collaborator Author


this was a leftover

var dirOrCreate = corev1.HostPathDirectoryOrCreate

shareVolumes := []corev1.Volume{
{
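Review bot: `dirOrCreate` (set to `corev1.HostPathDirectoryOrCreate`) only has a purpose while a hostPath volume remains in `shareVolumes`; with the var-lib-manila hostPath dropped in the second commit, a function-local `var dirOrCreate` that is no longer referenced is rejected by the Go compiler as declared and not used, so the declaration should go together with the volume. It is also worth confirming that no remaining volumeMount still references the mount name the hostPath served, since a mount with no matching volume makes the pod spec invalid.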

Collaborator Author


@gouthampacha quickly checking on this, and it looks like we do not require /var/lib/manila to be on the host. We might have different requirements for lvm in the future, but for now removing this hostPath should allow us to not require a privileged container.

Tests on unidelta look ok, but let's see the CI in action.

Collaborator Author


tests look good, removing the dnm label!


2 participants