From b47819276b4bd6720aba494e61fe3d936228f662 Mon Sep 17 00:00:00 2001 From: Isteb4k Date: Fri, 13 Dec 2024 11:05:24 +0100 Subject: [PATCH] feat(cdi): remove init container with root privileges Signed-off-by: Isteb4k --- ...dd-format-conversion-for-pvc-cloning.patch | 93 ++++--------------- 1 file changed, 16 insertions(+), 77 deletions(-) diff --git a/images/cdi-artifact/patches/017-add-format-conversion-for-pvc-cloning.patch b/images/cdi-artifact/patches/017-add-format-conversion-for-pvc-cloning.patch index 7f7d65644..226e138b0 100644 --- a/images/cdi-artifact/patches/017-add-format-conversion-for-pvc-cloning.patch +++ b/images/cdi-artifact/patches/017-add-format-conversion-for-pvc-cloning.patch @@ -1,25 +1,8 @@ diff --git a/pkg/controller/upload-controller.go b/pkg/controller/upload-controller.go -index f251cae5d..99f5494dc 100644 +index f251cae5d..a925aa2c1 100644 --- a/pkg/controller/upload-controller.go +++ b/pkg/controller/upload-controller.go -@@ -45,6 +45,8 @@ import ( - "sigs.k8s.io/controller-runtime/pkg/source" - - cdiv1 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1" -+ sdkapi "kubevirt.io/controller-lifecycle-operator-sdk/api" -+ - "kubevirt.io/containerized-data-importer/pkg/common" - cc "kubevirt.io/containerized-data-importer/pkg/controller/common" - featuregates "kubevirt.io/containerized-data-importer/pkg/feature-gates" -@@ -54,7 +56,6 @@ import ( - "kubevirt.io/containerized-data-importer/pkg/util/cert/generator" - "kubevirt.io/containerized-data-importer/pkg/util/naming" - cryptowatch "kubevirt.io/containerized-data-importer/pkg/util/tls-crypto-watch" -- sdkapi "kubevirt.io/controller-lifecycle-operator-sdk/api" - ) - - const ( -@@ -430,7 +431,7 @@ func (r *UploadReconciler) createUploadPodForPvc(pvc *corev1.PersistentVolumeCla +@@ -430,7 +430,7 @@ func (r *UploadReconciler) createUploadPodForPvc(pvc *corev1.PersistentVolumeCla args := UploadPodArgs{ Name: podName, PVC: pvc, 
@@ -28,7 +11,7 @@ index f251cae5d..99f5494dc 100644 ClientName: clientName, FilesystemOverhead: string(fsOverhead), ServerCert: serverCert, -@@ -723,11 +724,7 @@ func addUploadControllerWatches(mgr manager.Manager, uploadController controller +@@ -723,11 +723,7 @@ func addUploadControllerWatches(mgr manager.Manager, uploadController controller return nil } @@ -41,51 +24,8 @@ index f251cae5d..99f5494dc 100644 return naming.GetResourceName(pvc.Name, common.ScratchNameSuffix) } -@@ -801,6 +798,8 @@ func (r *UploadReconciler) makeUploadPodSpec(args UploadPodArgs, resourceRequire - cc.SetNodeNameIfPopulator(args.PVC, &pod.Spec) - cc.SetRestrictedSecurityContext(&pod.Spec) - -+ pod.Spec.InitContainers = r.makeUploadPodInitContainers(args) -+ - return pod - } - -@@ -904,6 +903,33 @@ func (r *UploadReconciler) makeUploadPodContainers(args UploadPodArgs, resourceR - return containers - } - -+func (r *UploadReconciler) makeUploadPodInitContainers(args UploadPodArgs) []corev1.Container { -+ if args.PVC == nil || len(args.PVC.Spec.AccessModes) == 0 || args.PVC.Spec.AccessModes[0] != corev1.ReadWriteMany { -+ return nil -+ } -+ -+ if cc.GetVolumeMode(args.PVC) == corev1.PersistentVolumeBlock { -+ return nil -+ } -+ -+ containers := []corev1.Container{ -+ { -+ Name: "chmod-" + common.UploadServerPodname, -+ Image: r.image, -+ ImagePullPolicy: corev1.PullPolicy(r.pullPolicy), -+ Command: []string{"sh", "-c", "chmod 775 " + common.UploadServerDataDir}, -+ VolumeMounts: []corev1.VolumeMount{ -+ { -+ Name: cc.DataVolName, -+ MountPath: common.UploadServerDataDir, -+ }, -+ }, -+ }, -+ } -+ -+ return containers -+} -+ - func (r *UploadReconciler) makeUploadPodVolumes(args UploadPodArgs) []corev1.Volume { - volumes := []corev1.Volume{ - { diff --git a/pkg/uploadserver/uploadserver.go b/pkg/uploadserver/uploadserver.go -index aa9e5ab68..845981a1a 100644 +index aa9e5ab68..02c4cb467 100644 --- a/pkg/uploadserver/uploadserver.go +++ b/pkg/uploadserver/uploadserver.go 
@@ -29,6 +29,7 @@ import ( @@ -96,7 +36,7 @@ index aa9e5ab68..845981a1a 100644 "os" "strings" "sync" -@@ -36,11 +37,14 @@ import ( +@@ -36,11 +37,13 @@ import ( "github.com/golang/snappy" "github.com/pkg/errors" @@ -105,13 +45,12 @@ index aa9e5ab68..845981a1a 100644 "k8s.io/klog/v2" cdiv1 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1" -+ "kubevirt.io/containerized-data-importer/pkg/common" + "kubevirt.io/containerized-data-importer/pkg/image" "kubevirt.io/containerized-data-importer/pkg/importer" "kubevirt.io/containerized-data-importer/pkg/util" cryptowatch "kubevirt.io/containerized-data-importer/pkg/util/tls-crypto-watch" -@@ -491,7 +495,7 @@ func newAsyncUploadStreamProcessor(stream io.ReadCloser, dest, imageSize string, +@@ -491,7 +494,7 @@ func newAsyncUploadStreamProcessor(stream io.ReadCloser, dest, imageSize string, func newUploadStreamProcessor(stream io.ReadCloser, dest, imageSize string, filesystemOverhead float64, preallocation bool, sourceContentType string, dvContentType cdiv1.DataVolumeContentType) (bool, error) { stream = newContentReader(stream, sourceContentType) if isCloneTarget(sourceContentType) { @@ -120,7 +59,7 @@ index aa9e5ab68..845981a1a 100644 } // Clone block device to block device or file system -@@ -501,7 +505,7 @@ func newUploadStreamProcessor(stream io.ReadCloser, dest, imageSize string, file +@@ -501,7 +504,7 @@ func newUploadStreamProcessor(stream io.ReadCloser, dest, imageSize string, file return processor.PreallocationApplied(), err } @@ -129,7 +68,7 @@ index aa9e5ab68..845981a1a 100644 if contentType == common.FilesystemCloneContentType { if dest != common.WriteBlockPath { return fileToFileCloneProcessor(stream) -@@ -516,16 +520,79 @@ func cloneProcessor(stream io.ReadCloser, contentType, dest string, preallocate +@@ -516,16 +519,79 @@ func cloneProcessor(stream io.ReadCloser, contentType, dest string, preallocate } defer stream.Close() 
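Review bot: Dropping the `chmod 775 <UploadServerDataDir>` init container from the inner patch removes the only visible mechanism that made the data directory writable on ReadWriteMany filesystem PVCs, and nothing on the new side replaces it; the commit message states the motivation (no root init container) but not what now guarantees the restricted, non-root upload server can write there. Removing a root-privileged container is the right direction, so the ask is documentation plus a fail-fast: state in the commit description which control takes over (the `fsGroup` set by `cc.SetRestrictedSecurityContext`, visible as context just above the deleted call, is the likely candidate, but that is an inference from this hunk), and consider having the upload server probe the data dir once at startup so a read-only RWX mount surfaces as a clear error rather than a failed upload deep in `cloneProcessor`. A one-line comment at the former insertion point would also help the next maintainer, e.g. `// Data dir writability relies on the pod fsGroup from SetRestrictedSecurityContext; no root init container is used.` The enclosing `makeUploadPodSpec` starts and ends outside this hunk.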
@@ -153,22 +92,22 @@ index aa9e5ab68..845981a1a 100644 + } + + err = importer.CleanAll(dest) - if err != nil { -- return false, err ++ if err != nil { + return false, fmt.Errorf("failed to clean all: %w", err) - } - -- klog.Infof("Read %d bytes, wrote %d bytes to %s", bytesRead, bytesWrittenn, dest) ++ } ++ + format, err := util.GetFormat(dest) + if err != nil { + return false, fmt.Errorf("failed to get format: %w", err) + } + + err = image.NewQEMUOperations().ConvertToFormatStream(parsedScratchPath, format, dest, false) -+ if err != nil { + if err != nil { +- return false, err + return false, fmt.Errorf("failed to convert: %w", err) -+ } -+ + } + +- klog.Infof("Read %d bytes, wrote %d bytes to %s", bytesRead, bytesWrittenn, dest) + klog.Infof("Read %d bytes, wrote %d bytes to %s", bytesRead, bytesWritten, dest) return false, nil
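Review bot: The conversion call `image.NewQEMUOperations().ConvertToFormatStream(parsedScratchPath, format, dest, false)` feeds client-supplied scratch data to qemu-img without passing an explicit source format, and `ConvertToFormatStream` is defined outside this hunk, so I cannot see whether it lets qemu-img probe the input; if it does, an uploaded payload carrying a qcow2 header with a backing-file path can make qemu-img open arbitrary files readable by the upload server, the classic format-probing issue. Please confirm the helper pins the source format (`-f`) or validates the scratch image (backing file, virtual size) before converting, and add a comment at the call site stating that guarantee, e.g. `// parsedScratchPath holds untrusted upload data; ConvertToFormatStream must not auto-probe its format.` Two smaller points: `util.GetFormat(dest)` runs immediately after `importer.CleanAll(dest)`, so it is unclear what it inspects once the destination has been cleaned (a comment or a reorder would settle it), and the final `klog.Infof` reports `bytesWritten`, which was counted while writing the scratch file, not bytes written to `dest`. The enclosing `cloneProcessor` starts outside this hunk.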