Drop privileged from manila-share StatefulSet #597
Conversation
Unlike some valid use cases for glance and cinder, we never require a privileged Pod for manila-share. It can be run (even kolla) using the Manila user and kolla group, which is sufficient to distribute config files and start the service. Signed-off-by: Francesco Pantano <fpantano@redhat.com>
Build failed (check pipeline). Post ❌ openstack-k8s-operators-content-provider FAILURE in 5m 37s
recheck
/lgtm thank you @fmount! Agree. Beyond the init actions, the operational parts of the share manager service (reading/writing files) don't need to be privileged on the host because the users have access. We might need to run privileged if we ever introduce a driver that needs to operate on a filesystem/device on the host (this could include dbus, for instance). Currently, we don't support such drivers with this operator. If/when we do, we can make this conditional on the fact that someone is deploying with such a storage backend driver.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: fmount, gouthampacha. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Details: Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Build failed (check pipeline). Post ✔️ openstack-k8s-operators-content-provider SUCCESS in 2h 05m 22s
@gouthampacha Not sure why this worked for me in unidelta but not in crc. I guess I have to redeploy it manually and check what's going on because I do not see logs here. Holding the patch until I reproduce and figure out the reason for the failure.
This patch removes the var-lib-manila hostPath mount from manila-share. This is not required, especially from the host where the pod is scheduled. Signed-off-by: Francesco Pantano <fpantano@redhat.com>
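An added check, not code from the manila-operator, that flags the two things these two commits remove from the manila-share pod template (a privileged container and a hostPath mount of /var/lib/manila) before a manifest reaches a cluster. It models only the manifest fields it needs; the sample manifests and the uid/gid values in them are constructed, not taken from the operator.

```go
package main

import "encoding/json"

// Only the manifest fields this check needs are modelled; the rest is ignored.
type (
	container struct {
		Name            string                                          `json:"name"`
		SecurityContext *struct{ Privileged *bool `json:"privileged"` } `json:"securityContext"`
	}
	volume struct {
		Name     string                              `json:"name"`
		HostPath *struct{ Path string `json:"path"` } `json:"hostPath"`
	}
	podSpec struct {
		InitContainers []container `json:"initContainers"`
		Containers     []container `json:"containers"`
		Volumes        []volume    `json:"volumes"`
	}
	statefulSet struct {
		Spec struct {
			Template struct{ Spec podSpec `json:"spec"` } `json:"template"`
		} `json:"spec"`
	}
)
// AuditStatefulSet returns one finding per privileged container (init or regular) and per hostPath volume in the pod template; an empty result is the state this PR aims for.
func AuditStatefulSet(manifest []byte) ([]string, error) {
	var ss statefulSet
	if err := json.Unmarshal(manifest, &ss); err != nil {
		return nil, err
	}
	pod := ss.Spec.Template.Spec
	var findings []string
	for _, c := range append(pod.InitContainers, pod.Containers...) {
		if sc := c.SecurityContext; sc != nil && sc.Privileged != nil && *sc.Privileged {
			findings = append(findings, "container "+c.Name+" is privileged")
		}
	}
	for _, v := range pod.Volumes {
		if v.HostPath != nil {
			findings = append(findings, "volume "+v.Name+" mounts hostPath "+v.HostPath.Path)
		}
	}
	return findings, nil
}
// Constructed samples (not the operator's real manifests): the shape this PR removes (privileged + /var/lib/manila hostPath) and the shape it leaves (unprivileged, constructed uid/gid, emptyDir).
var BeforeManifest = []byte(`{"spec":{"template":{"spec":{"containers":[{"name":"manila-share","securityContext":{"privileged":true}}],
 "volumes":[{"name":"var-lib-manila","hostPath":{"path":"/var/lib/manila","type":"DirectoryOrCreate"}}]}}}}`)
var AfterManifest = []byte(`{"spec":{"template":{"spec":{"containers":[{"name":"manila-share","securityContext":{"privileged":false,"runAsUser":42429,"runAsGroup":42400}}],
 "volumes":[{"name":"var-lib-manila","emptyDir":{}}]}}}}`)
```

The same function can be run over the rendered StatefulSet of any operator-managed service, since it reads only the generic pod template fields.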
New changes are detected. LGTM label has been removed. |
| SubPath: "my.cnf", | ||
| ReadOnly: true, | ||
| }, | ||
| /*{ |
| var dirOrCreate = corev1.HostPathDirectoryOrCreate | ||
|
|
||
| shareVolumes := []corev1.Volume{ | ||
| { |
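Review bot: the hostPath volume block appears to be commented out with `/*{` rather than deleted; remove it outright so the old `var-lib-manila` definition does not linger in the source, and drop `var dirOrCreate = corev1.HostPathDirectoryOrCreate` together with it, since Go rejects a local variable that is no longer referenced once its only use sits inside the comment.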
@gouthampacha quickly checking on this, it looks like we do not require /var/lib/manila to be in the host. We might have different requirements for lvm in the future, but for now removing this hostPath should allow us to not require a privileged container.
Tests on unidelta look ok, but let's see the CI in action.
tests look good, removing the dnm label!
Unlike some valid use cases for glance and cinder, we never require a privileged Pod for manila-share. It can be always run using the Manila user and kolla group, which is sufficient to distribute config files and start the service.
Jira: OSPRH-32347