author | Rodolfo Alonso Hernandez <rodolfo.alonso.hernandez@intel.com> | 2018-05-04 08:44:56 +0100 |
---|---|---|
committer | Rodolfo Alonso Hernandez <rodolfo.alonso.hernandez@intel.com> | 2018-05-09 17:47:18 +0100 |
commit | 88ae51b812da8547a6be0a67b31f72c230f5b9fe (patch) | |
tree | d83fe7486f63bcd1da481c092070e303ad50475c | |
parent | 6458b5ec9ea5bdac5b60f2edde8decefae16422f (diff) |
Avoid "volumeMounts" with "configMap" fixed permissions
To access the container without using a password, the jumphost
RSA public key is copied to each container, using "volumeMounts"
defined as "configMap", to /root/.ssh/authorized_keys.
To work properly, the following permissions must be set:
- /root/.ssh: 700
- /root/.ssh/authorized_keys: 600
Because of [1][2], the mounted folders have fixed permissions and
cannot be modified.
[1]https://groups.google.com/forum/#!topic/kubernetes-dev/eTnfMJSqmaM
[2]https://github.com/kubernetes/kubernetes/issues/28317
JIRA: YARDSTICK-1149
Change-Id: I821064da56699c5b4f509d233c33e55af119fd56
Signed-off-by: Rodolfo Alonso Hernandez <rodolfo.alonso.hernandez@intel.com>
-rw-r--r-- | tests/opnfv/test_cases/opnfv_yardstick_tc080.yaml | 8 | ||||
-rw-r--r-- | tests/opnfv/test_cases/opnfv_yardstick_tc081.yaml | 4 | ||||
-rw-r--r-- | yardstick/orchestrator/kubernetes.py | 2 | ||||
-rw-r--r-- | yardstick/tests/unit/orchestrator/test_kubernetes.py | 2 |
4 files changed, 11 insertions, 5 deletions
diff --git a/tests/opnfv/test_cases/opnfv_yardstick_tc080.yaml b/tests/opnfv/test_cases/opnfv_yardstick_tc080.yaml
index 0da296297..5fe902419 100644
--- a/tests/opnfv/test_cases/opnfv_yardstick_tc080.yaml
+++ b/tests/opnfv/test_cases/opnfv_yardstick_tc080.yaml
@@ -40,8 +40,12 @@ context: host: image: openretriever/yardstick command: /bin/bash
- args: ['-c', 'chmod 700 ~/.ssh; chmod 600 ~/.ssh/*; service ssh restart;while true ; do sleep 10000; done']
+ args: ['-c', 'mkdir /root/.ssh; cp /tmp/.ssh/authorized_keys ~/.ssh/.;
+ chmod 700 ~/.ssh; chmod 600 ~/.ssh/*; service ssh restart;
+ while true ; do sleep 10000; done']
 target: image: openretriever/yardstick command: /bin/bash
- args: ['-c', 'chmod 700 ~/.ssh; chmod 600 ~/.ssh/*; service ssh restart;while true ; do sleep 10000; done']
+ args: ['-c', 'mkdir /root/.ssh; cp /tmp/.ssh/authorized_keys ~/.ssh/.;
+ chmod 700 ~/.ssh; chmod 600 ~/.ssh/*; service ssh restart;
+ while true ; do sleep 10000; done']
diff --git a/tests/opnfv/test_cases/opnfv_yardstick_tc081.yaml b/tests/opnfv/test_cases/opnfv_yardstick_tc081.yaml
index fc7eb006c..fc6496bad 100644
--- a/tests/opnfv/test_cases/opnfv_yardstick_tc081.yaml
+++ b/tests/opnfv/test_cases/opnfv_yardstick_tc081.yaml
@@ -42,7 +42,9 @@ contexts: host: image: openretriever/yardstick command: /bin/bash
- args: ['-c', 'chmod 700 ~/.ssh; chmod 600 ~/.ssh/*; service ssh restart;while true ; do sleep 10000; done']
+ args: ['-c', 'mkdir /root/.ssh; cp /tmp/.ssh/authorized_keys ~/.ssh/.;
+ chmod 700 ~/.ssh; chmod 600 ~/.ssh/*; service ssh restart;
+ while true ; do sleep 10000; done']
 - type: Heat name: openstack
diff --git a/yardstick/orchestrator/kubernetes.py b/yardstick/orchestrator/kubernetes.py
index 198eeac6d..ac3a09ed1 100644
--- a/yardstick/orchestrator/kubernetes.py
+++ b/yardstick/orchestrator/kubernetes.py
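Review bot: In the new `args` for `host` and `target` in opnfv_yardstick_tc080.yaml (and the same `host` args in the opnfv_yardstick_tc081.yaml hunk), every step is chained with `;`, so a failed `mkdir` or `cp` still falls through to `service ssh restart` and the container comes up without the jumphost key installed. `mkdir /root/.ssh` also reports an error when the image already ships that directory, and the command mixes `/root/.ssh` with `~/.ssh` for the same path. I would write the setup as `mkdir -p /root/.ssh && cp /tmp/.ssh/authorized_keys /root/.ssh/ && chmod 700 /root/.ssh && chmod 600 /root/.ssh/authorized_keys && service ssh restart; while true ; do sleep 10000; done`, which also replaces the `chmod 600 ~/.ssh/*` glob with the one file that is meant to be there.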
@@ -74,7 +74,7 @@ class KubernetesObject(object): def _add_container(self): container_name = '{}-container'.format(self.name)
- ssh_key_mount_path = "/root/.ssh/"
+ ssh_key_mount_path = '/tmp/.ssh/'
 container = { "args": self.args,
diff --git a/yardstick/tests/unit/orchestrator/test_kubernetes.py b/yardstick/tests/unit/orchestrator/test_kubernetes.py
index f2bc5b0f4..58971f515 100644
--- a/yardstick/tests/unit/orchestrator/test_kubernetes.py
+++ b/yardstick/tests/unit/orchestrator/test_kubernetes.py
@@ -47,7 +47,7 @@ service ssh restart;while true ; do sleep 10000; done" "name": "host-k8s-86096c30-container", "volumeMounts": [ {
- "mountPath": "/root/.ssh/",
+ "mountPath": "/tmp/.ssh/",
 "name": "k8s-86096c30-key" } ] |
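Review bot: `ssh_key_mount_path = '/tmp/.ssh/'` in `_add_container` (yardstick/orchestrator/kubernetes.py) now depends on each container's `args` copying `authorized_keys` from this path into `/root/.ssh`, and nothing next to the assignment records that contract. The test cases touched in this commit do the copy, but a Kubernetes context whose `args` were not updated would presumably start sshd with no authorized key, and key-based login from the jumphost would fail without an obvious cause. I would add a comment above the assignment such as `# configMap mounts have fixed permissions, so the key is staged here; container args must copy it to /root/.ssh and chmod it (YARDSTICK-1149)`. The body of `_add_container` continues past the end of the hunk.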