NO-JIRA: Stop exposing the entire host filesystem #1085
Conversation
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jmencak The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
test/e2e/basic/sysctl_d_override.go
Outdated
| } | ||
| if pod != nil { | ||
| util.ExecAndLogCommand("oc", "exec", "-n", ntoconfig.WatchNamespace(), pod.Name, "--", "rm", sysctlFile) | ||
| util.ExecAndLogCommand("oc", "debug", fmt.Sprintf("no/%s", node.Name), "--", "rm", sysctlFile) |
There was a problem hiding this comment.
here and following: could you please elaborate why oc debug exposes less than oc exec? It seems equivalente (or perhaps worse) than what we have currently
There was a problem hiding this comment.
Thank you for looking! True, however, this is code in e2e tests. The main idea is not to expose the entire /host in Tuned pods. Happy to share internal links to customer questions why we are exposing the entire /host over Slack if you're interested.
Hmm, looks like we might not be able to use Also, |
Hi Jiri, Thank you for prompting me, We use openshift-node-tuning-operator namespace instead of ci-xxx ns when execute debug command. you can try this |
Aah, good point, thank you. NM, I've just switched to using MCO/MCD. I don't have a problem with either approach though. The ping was meant as a heads up so that I don't break any QE's tests that might use |
jmencak
changed the title
openshift-ci-robot
added
the
jira/valid-reference
|
@jmencak: This pull request explicitly references no jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@jmencak I think you should be more explicit in the cover message and in the commit about the internal changes to test infrastructure. Apart from that it looks good to me. |
With the principle of least privilege in mind, stop exposing the
entirety of the host filesystem. Previously, we were mounting
the entire host filesystem to "/host". With this change, only
the necessary host directories for using TuneD are mounted and
a host's /var/lib directory for the operand's persistent
/var/lib/ocp-tuned directory.
Other changes
* For e2e tests, use MCD to write to host's /etc/sysctl.d/ since
we are no longer exposing the entire host filesystem for the NTO
operand.
jmencak
force-pushed
the
4.17-tuned-no-host
branch
from
18ad80f to
6a1398f
Compare
openshift-ci
bot
added
the
do-not-merge/hold
|
@jmencak are these kind of tests running on hypershift as well? |
Thank you for looking. No, I'm not aware of any lanes running these tests on HyperShift hosted clusters. In any case, this would not work prior this PR anyway. The "reboots" e2e tests rely on MCO. |
|
/retest |
|
@jmencak: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale |
openshift-ci
bot
added
the
lifecycle/stale
|
Stale issues rot after 30d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle rotten |
openshift-ci
bot
added
lifecycle/rotten
openshift-merge-robot
added
the
needs-rebase
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/remove-lifecycle rotten |
openshift-ci
bot
removed
the
lifecycle/rotten
With the principle of least privilege in mind, stop exposing the
entirety of the host filesystem. Previously, we were mounting
the entire host filesystem to "/host". With this change, only
the necessary host directories for using TuneD are mounted and
a host's /var/lib directory for the operand's persistent
/var/lib/ocp-tuned directory.
Other changes
we are no longer exposing the entire host filesystem for the NTO
operand.