NO-JIRA: Stop exposing the entire host filesystem

assets/tuned/manifests/ds-tuned.yaml

@@ -71,8 +71,8 @@ spec:
           name: var-lib-kubelet
           mountPropagation: HostToContainer
           readOnly: true
-        - mountPath: /host
-          name: host
+        - mountPath: /host/var/lib
+          name: host-var-lib
           mountPropagation: HostToContainer
         env:
           - name: WATCH_NAMESPACE
@@ -132,10 +132,10 @@ spec:
           path: /var/lib/kubelet
           type: Directory
         name: var-lib-kubelet
-      - name: host
-        hostPath:
-          path: /
+      - hostPath:
+          path: /var/lib
           type: Directory
+        name: host-var-lib
       dnsPolicy: ClusterFirst
       nodeSelector:
         kubernetes.io/os: linux

test/e2e/basic/metrics_cert_rotation.go

@@ -59,9 +59,8 @@ var _ = ginkgo.Describe("[basic][metrics] Node Tuning Operator certificate rotat
 				secretCertContents := string(tlsSecret.Data["tls.crt"])
 
 				operatorPodIP := operatorPod.Status.PodIP
-				// We need chroot because host may be using system libraries incompatible with the container
-				// image system libraries.  Alternatively, use container-shipped openssl.
-				opensslCmd := "/usr/sbin/chroot /host /usr/bin/openssl s_client -connect " + operatorPodIP + ":60000 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'"
+				// Use container-shipped openssl.
+				opensslCmd := "/usr/bin/openssl s_client -connect " + operatorPodIP + ":60000 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'"
 
 				serverCertContents, err := util.ExecCmdInPod(tunedPod, "/bin/bash", "-c", opensslCmd)
 				gomega.Expect(err).NotTo(gomega.HaveOccurred())

test/e2e/basic/sysctl_d_override.go

@@ -21,15 +21,15 @@ var _ = ginkgo.Describe("[basic][sysctl_d_override] Node Tuning Operator /etc/sy
 	const (
 		sysctlVar               = "net.ipv4.neigh.default.gc_thresh1"
 		sysctlValSet            = "256"
-		sysctlFile              = "/host/etc/sysctl.d/zzz.conf"
+		sysctlFile              = "/rootfs/etc/sysctl.d/zzz.conf"
 		profileSysctlOverride   = "../testing_manifests/sysctl_override.yaml"
 		nodeLabelSysctlOverride = "tuned.openshift.io/sysctl-override"
 	)
 
 	ginkgo.Context("sysctl.d override", func() {
 		var (
-			node *coreapi.Node
-			pod  *coreapi.Pod
+			node        *coreapi.Node
+			pod, mcdPod *coreapi.Pod
 		)
 
 		// Cleanup code to roll back cluster changes done by this test even if it fails in the middle of ginkgo.It()
@@ -39,8 +39,8 @@ var _ = ginkgo.Describe("[basic][sysctl_d_override] Node Tuning Operator /etc/sy
 			if node != nil {
 				util.ExecAndLogCommand("oc", "label", "node", "--overwrite", node.Name, nodeLabelSysctlOverride+"-")
 			}
-			if pod != nil {
-				util.ExecAndLogCommand("oc", "exec", "-n", ntoconfig.WatchNamespace(), pod.Name, "--", "rm", sysctlFile)
+			if mcdPod != nil {
+				util.ExecAndLogCommand("oc", "exec", "-n", util.MCONamespace, mcdPod.Name, "--", "rm", sysctlFile)
 			}
 			util.ExecAndLogCommand("oc", "delete", "-n", ntoconfig.WatchNamespace(), "-f", profileSysctlOverride)
 		})
@@ -62,6 +62,9 @@ var _ = ginkgo.Describe("[basic][sysctl_d_override] Node Tuning Operator /etc/sy
 			pod, err = util.GetTunedForNode(cs, node)
 			gomega.Expect(err).NotTo(gomega.HaveOccurred())
 
+			mcdPod, err = util.GetMCDForNode(cs, node)
+			gomega.Expect(err).NotTo(gomega.HaveOccurred())
+
 			// Expect the default worker node profile applied prior to getting any current values.
 			ginkgo.By(fmt.Sprintf("waiting for TuneD profile %s on node %s", util.GetDefaultWorkerProfile(node), node.Name))
 			err = util.WaitForProfileConditionStatus(cs, pollInterval, waitDuration, node.Name, util.GetDefaultWorkerProfile(node), tunedv1.TunedProfileApplied, coreapi.ConditionTrue)
@@ -72,11 +75,11 @@ var _ = ginkgo.Describe("[basic][sysctl_d_override] Node Tuning Operator /etc/sy
 			gomega.Expect(err).NotTo(gomega.HaveOccurred())
 
 			ginkgo.By(fmt.Sprintf("writing %s override file on the host with %s=%s", sysctlFile, sysctlVar, sysctlValSet))
-			_, _, err = util.ExecAndLogCommand("oc", "exec", "-n", ntoconfig.WatchNamespace(), pod.Name, "--", "sh", "-c",
+			_, _, err = util.ExecAndLogCommand("oc", "exec", "-n", util.MCONamespace, mcdPod.Name, "--", "sh", "-c",
 				fmt.Sprintf("echo %s=%s > %s; sync %s", sysctlVar, sysctlValSet, sysctlFile, sysctlFile))
 			gomega.Expect(err).NotTo(gomega.HaveOccurred())
 
-			util.ExecAndLogCommand("oc", "rsh", "-n", ntoconfig.WatchNamespace(), pod.Name, "cat", sysctlFile)
+			util.ExecAndLogCommand("oc", "rsh", "-n", util.MCONamespace, mcdPod.Name, "cat", sysctlFile)
 
 			ginkgo.By(fmt.Sprintf("deleting Pod %s", pod.Name))
 			_, _, err = util.ExecAndLogCommand("oc", "delete", "-n", ntoconfig.WatchNamespace(), "pod", pod.Name, "--wait")
@@ -118,7 +121,7 @@ var _ = ginkgo.Describe("[basic][sysctl_d_override] Node Tuning Operator /etc/sy
 			gomega.Expect(err).NotTo(gomega.HaveOccurred())
 
 			ginkgo.By(fmt.Sprintf("removing %s override file on the host", sysctlFile))
-			_, _, err = util.ExecAndLogCommand("oc", "exec", "-n", ntoconfig.WatchNamespace(), pod.Name, "--", "rm", sysctlFile)
+			_, _, err = util.ExecAndLogCommand("oc", "exec", "-n", util.MCONamespace, mcdPod.Name, "--", "rm", sysctlFile)
 			gomega.Expect(err).NotTo(gomega.HaveOccurred())
 
 			ginkgo.By(fmt.Sprintf("deleting Pod %s", pod.Name))

test/e2e/core/cluster_version.go

@@ -17,7 +17,7 @@ var _ = ginkgo.Describe("[core][cluster_version] Node Tuning Operator host, cont
 		node *coreapi.Node
 	)
 
-	ginkgo.It("host, container OS and cluster version retrievable", func() {
+	ginkgo.It("container OS and cluster version retrievable", func() {
 		ginkgo.By("getting a list of worker nodes")
 		nodes, err := util.GetNodesByRole(cs, "worker")
 		gomega.Expect(err).NotTo(gomega.HaveOccurred())
@@ -28,13 +28,8 @@ var _ = ginkgo.Describe("[core][cluster_version] Node Tuning Operator host, cont
 		pod, err := util.GetTunedForNode(cs, node)
 		gomega.Expect(err).NotTo(gomega.HaveOccurred())
 
-		ginkgo.By(fmt.Sprintf("getting the host OS version on node %s", node.Name))
-		out, err := util.ExecCmdInPod(pod, "cat", "/host/etc/os-release")
-		gomega.Expect(err).NotTo(gomega.HaveOccurred())
-		util.Logf("%s", out)
-
 		ginkgo.By("getting the TuneD container OS version")
-		out, err = util.ExecCmdInPod(pod, "cat", "/etc/os-release")
+		out, err := util.ExecCmdInPod(pod, "cat", "/etc/os-release")
 		gomega.Expect(err).NotTo(gomega.HaveOccurred())
 		util.Logf("%s", out)
 

test/e2e/util/util.go

@@ -29,6 +29,8 @@ const (
 	DefaultMasterProfile = "openshift-control-plane"
 	// The default worker profile.  See: assets/tuned/manifests/default-cr-tuned.yaml
 	DefaultWorkerProfile = "openshift-node"
+	// MCO namespace
+	MCONamespace = "openshift-machine-config-operator"
 )
 
 // Logf formats using the default formats for its operands and writes to
@@ -80,6 +82,26 @@ func GetTunedForNode(cs *framework.ClientSet, node *corev1.Node) (*corev1.Pod, e
 	return &podList.Items[0], nil
 }
 
+// GetMCDForNode returns a MCD Pod that runs on a given node.
+func GetMCDForNode(cs *framework.ClientSet, node *corev1.Node) (*corev1.Pod, error) {
+	listOptions := metav1.ListOptions{
+		FieldSelector: fields.SelectorFromSet(fields.Set{"spec.nodeName": node.Name}).String(),
+	}
+	listOptions.LabelSelector = labels.SelectorFromSet(labels.Set{"k8s-app": "machine-config-daemon"}).String()
+
+	podList, err := cs.Pods(MCONamespace).List(context.TODO(), listOptions)
+	if err != nil {
+		return nil, err
+	}
+	if len(podList.Items) != 1 {
+		if len(podList.Items) == 0 {
+			return nil, fmt.Errorf("failed to find MCD for node %s", node.Name)
+		}
+		return nil, fmt.Errorf("too many (%d) MCD Pods for node %s", len(podList.Items), node.Name)
+	}
+	return &podList.Items[0], nil
+}
+
 // GetNodeTuningOperator returns the node tuning operator Pod.
 // If more than one operator Pod is running will return the first Pod found.
 func GetNodeTuningOperatorPod(cs *framework.ClientSet) (*corev1.Pod, error) {