Added security context and changed init container logic for onos

[breathbath]

…rds atomix

[Andrea-Campanella]

@pierventre @charlesmcchan @kuujo @hwchiu can you please take a look at this one too ?

[Andrea-Campanella]

again might be worth run-in with these two disabled by default @kuujo thoughts ?

[breathbath]

no because default should be a secure setup and if a user wants to make it insecure he should do it explicitly otherwise we provide a non-secure definition by default

[hwchiu]

Do we have any user with UID 1000 and group with GID 2000 in all images?

[breathbath]

I think this will be enforced by k8s

[charlesmcchan]

Everything else LGTM. We should test this in TOST/SEBA.

[charlesmcchan]

It is not very clear what this user and group are. May be better to use name or add a comment.

[breathbath]

no, k8s security context identifies a root user as a user having non-numbers in the id, so even admin or some123 will be considered to be root so we have to use numeric ids

[hwchiu]

I ran your changed in my environment but the ONOS container failed to start up.

╰─$ kc get pods
kNAME                         READY   STATUS    RESTARTS   AGE
debug-pod-5b5c57fccd-9ztxv   1/1     Running   0          6d3h
github-221-atomix-0          1/1     Running   0          49s
github-221-atomix-1          1/1     Running   0          49s
github-221-atomix-2          1/1     Running   0          49s
github-221-onos-classic-0    0/1     Error     2          49s
github-221-onos-classic-1    0/1     Error     2          49s
github-221-onos-classic-2    0/1     Error     2          49s
╰─$ kc logs -f github-221-onos-classic-0
./bin/onos-service: line 26: cd: /root/onos: Permission denied

It looks like some files are root accessed only and are installed during the docker build time ?
cc @Andrea-Campanella @charlesmcchan

[Andrea-Campanella]

I ran your changed in my environment but the ONOS container failed to start up.

╰─$ kc get pods
kNAME                         READY   STATUS    RESTARTS   AGE
debug-pod-5b5c57fccd-9ztxv   1/1     Running   0          6d3h
github-221-atomix-0          1/1     Running   0          49s
github-221-atomix-1          1/1     Running   0          49s
github-221-atomix-2          1/1     Running   0          49s
github-221-onos-classic-0    0/1     Error     2          49s
github-221-onos-classic-1    0/1     Error     2          49s
github-221-onos-classic-2    0/1     Error     2          49s
╰─$ kc logs -f github-221-onos-classic-0
./bin/onos-service: line 26: cd: /root/onos: Permission denied

It looks like some files are root accessed only and are installed during the docker build time ?
cc @Andrea-Campanella @charlesmcchan

it's missing the changes required in the ONOS docker file @breathbath is upstreaming those (pending ONOS gerrit issues here in Europe)

[Andrea-Campanella]

I ran your changed in my environment but the ONOS container failed to start up.

╰─$ kc get pods
kNAME                         READY   STATUS    RESTARTS   AGE
debug-pod-5b5c57fccd-9ztxv   1/1     Running   0          6d3h
github-221-atomix-0          1/1     Running   0          49s
github-221-atomix-1          1/1     Running   0          49s
github-221-atomix-2          1/1     Running   0          49s
github-221-onos-classic-0    0/1     Error     2          49s
github-221-onos-classic-1    0/1     Error     2          49s
github-221-onos-classic-2    0/1     Error     2          49s
╰─$ kc logs -f github-221-onos-classic-0
./bin/onos-service: line 26: cd: /root/onos: Permission denied

It looks like some files are root accessed only and are installed during the docker build time ?
cc @Andrea-Campanella @charlesmcchan

it's missing the changes required in the ONOS docker file @breathbath is upstreaming those (pending ONOS gerrit issues here in Europe)

@hwchiu can you try building ONOS with https://gerrit.onosproject.org/c/onos/+/24146 and then using this chart ?

[charlesmcchan]

Be careful. Our released docker images were not built with this new Dockerfile.
This helm chart change still will not work with our released docker images.

[breathbath]

Be careful. Our released docker images were not built with this new Dockerfile.
This helm chart change still will not work with our released docker images.

That's why the helm charts should reference hardcoded references to released docker images otherwise you cannot guarantee compatibility in future incompatible changes as well. Obviously you cannot prevent the incompatible changes to appear.

[charlesmcchan]

Be careful. Our released docker images were not built with this new Dockerfile.
This helm chart change still will not work with our released docker images.

That's why the helm charts should reference hardcoded references to released docker images otherwise you cannot guarantee compatibility in future incompatible changes as well. Obviously you cannot prevent the incompatible changes to appear.

Yes. I was just saying that we need to release a new ONOS and TOST image based on the new Dockerfile, and update the default image version in the helm chart accordingly before we can merge this.

[hwchiu]

I ran your changed in my environment but the ONOS container failed to start up.

╰─$ kc get pods
kNAME                         READY   STATUS    RESTARTS   AGE
debug-pod-5b5c57fccd-9ztxv   1/1     Running   0          6d3h
github-221-atomix-0          1/1     Running   0          49s
github-221-atomix-1          1/1     Running   0          49s
github-221-atomix-2          1/1     Running   0          49s
github-221-onos-classic-0    0/1     Error     2          49s
github-221-onos-classic-1    0/1     Error     2          49s
github-221-onos-classic-2    0/1     Error     2          49s
╰─$ kc logs -f github-221-onos-classic-0
./bin/onos-service: line 26: cd: /root/onos: Permission denied

It looks like some files are root accessed only and are installed during the docker build time ?
cc @Andrea-Campanella @charlesmcchan

it's missing the changes required in the ONOS docker file @breathbath is upstreaming those (pending ONOS gerrit issues here in Europe)

@hwchiu can you try building ONOS with https://gerrit.onosproject.org/c/onos/+/24146 and then using this chart ?

ok, I will test it in the next two days.

[hwchiu]

@breathbath @Andrea-Campanella
I tried the Gerrit patch you pointed out but get the following error.

touch: cannot touch '/src/onos/apps/org.onosproject.openflow-base/active': Permission denied

Update:
I fixed the issue by changing the owner after copying files.
Kubernetes pods are running but the readiness probe still fail.

Readiness probe failed: sh: 1: /root/onos/bin/check-onos-status: Permission denied

It looks like we need to fix location of all mounted files.

[breathbath]

hey @hwchiu thanks for testing. I've made some changes to the dockerfile, can we verify the setup with the latest changes?
https://gerrit.onosproject.org/c/onos/+/24146/6/Dockerfile?

[hwchiu]

hey @hwchiu thanks for testing. I've made some changes to the dockerfile, can we verify the setup with the latest changes?
https://gerrit.onosproject.org/c/onos/+/24146/6/Dockerfile?

I tried but had the different issue. see my post above.
Readiness probe failed: sh: 1: /root/onos/bin/check-onos-status: Permission denied

These files are mounted to the container in the run time, if we aren't the root, we should not mount files into /root directory.

[hwchiu]

@breathbath
Since you changed the WORKDIR from the root/onos to src/onos in this patch https://gerrit.onosproject.org/c/onos/+/24146/6/Dockerfile, please help to mount point in the k8s yaml so that all required files are mounted into the correct location src/onos.

[onf-bot]

Can one of the admins verify this patch?