NOTIC: Add rights to manage daemonsets

nebius · Dec 16, 2024 · 49f0d9a · 49f0d9a
1 parent dc1be9d
commit 49f0d9a
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 15 deletions.
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -39,6 +39,7 @@ rules:
 - apiGroups:
   - apps
   resources:
+  - daemonsets
   - deployments
   - statefulsets
   verbs:

diff --git a/helm/soperator/templates/manager-rbac.yaml b/helm/soperator/templates/manager-rbac.yaml
@@ -40,6 +40,7 @@ rules:
 - apiGroups:
   - apps
   resources:
+  - daemonsets
   - deployments
   - statefulsets
   verbs:

diff --git a/images/jail/scripts/createuser.sh b/images/jail/scripts/createuser.sh
@@ -3,8 +3,7 @@
 set -e
 
 if [[ $# -eq 0 ]] || [[ "$*" == *"-h"* ]] || [[ "$*" == *"--help"* ]]; then
-    echo "Usage: createuser <username> [--with-password] [--without-sudo] [--without-docker]"
-    echo "       [--without-ssh-key] [<args for adduser...>]"
+    echo "Usage: createuser <username> [--with-password] [--without-sudo] [--without-docker] [<args for adduser...>]"
     exit 0
 fi
 
@@ -46,18 +45,29 @@ if [[ "$*" != *"--without-docker"* ]]; then
     add_to_group docker
 fi
 
-if [ -n "$ssh_public_key" ]; then
-    home_dir=$(eval echo "~$username")
-    ssh_dir="$home_dir/.ssh"
-    if [ ! -d "$ssh_dir" ]; then
-        mkdir -p "$ssh_dir"
-        chown "$username:$username" "$ssh_dir"
-        chmod 700 "$ssh_dir"
-    fi
+home_dir=$(eval echo "~$username")
+ssh_dir="$home_dir/.ssh"
+authorized_keys="$ssh_dir/authorized_keys"
+internal_key="$ssh_dir/id_ecdsa"
 
-    authorized_keys="$ssh_dir/authorized_keys"
-    echo "Saving SSH key to '${authorized_keys}'"
-    echo "$ssh_public_key" >> "$authorized_keys"
+if [ ! -d "$ssh_dir" ]; then
+    mkdir -p "$ssh_dir"
+    chown "$username:$username" "$ssh_dir"
+    chmod 700 "$ssh_dir"
+fi
+
+if [ ! -f "$authorized_keys" ]; then
+    touch "$authorized_keys"
     chown "$username:$username" "$authorized_keys"
     chmod 600 "$authorized_keys"
 fi
+
+if [ -n "$ssh_public_key" ]; then
+    echo "Saving SSH key to '${authorized_keys}' ..."
+    echo "$ssh_public_key" >> "$authorized_keys"
+fi
+
+echo "Generating an internal SSH key pair ..."
+ssh-keygen -t ecdsa -f "$internal_key" -N ''
+chown "$username:$username" "$internal_key" "$internal_key.pub"
+cat "$internal_key.pub" >> "$authorized_keys"
diff --git a/images/worker/docker/daemon.json b/images/worker/docker/daemon.json
@@ -1,6 +1,6 @@
 {
   "hosts": [
-    "unix:///var/run/docker.sock",
+    "unix:///var/run/docker.sock"
   ],
   "runtimes": {
     "nvidia": {

diff --git a/internal/controller/clustercontroller/reconcile.go b/internal/controller/clustercontroller/reconcile.go
@@ -67,6 +67,7 @@ import (
 //+kubebuilder:rbac:groups=core,resources=serviceaccounts,verbs=get;list;watch;update;patch;delete;create
 //+kubebuilder:rbac:groups=k8s.mariadb.com,resources=mariadbs,verbs=get;list;watch;update;patch;delete;create
 //+kubebuilder:rbac:groups=k8s.mariadb.com,resources=grants,verbs=get;list;watch;update;patch;delete;create
+//+kubebuilder:rbac:groups=apps,resources=daemonsets,verbs=get;list;watch;update;patch;delete;create
 
 // SlurmClusterReconciler reconciles a SlurmCluster object
 type SlurmClusterReconciler struct {

diff --git a/internal/render/common/configmap.go b/internal/render/common/configmap.go
@@ -266,7 +266,6 @@ func RenderConfigMapSecurityLimits(componentType consts.ComponentType, cluster *
 
 func generateUnlimitedSecurityLimitsConfig() renderutils.ConfigFile {
 	res := &renderutils.MultilineStringConfig{}
-	res.AddLine("#Empty security limits file")
 	res.AddLine("# Set core file size to unlimited (-c)")
 	res.AddLine("*    soft    core        unlimited")
 	res.AddLine("*    hard    core        unlimited")