Stop running auxiliary containers with maximum priveleges

None of the Metal3 components actually require --privileged. Instead, disable the SELinux isolation to allow the containers to mount host directories. Also don't expose sushy-tools and vbmc to the host networking. For this all to work, stop using a pod for these containers. I'm not sure why we even do that in the first place.
openshift-metal3 · Nov 23, 2023 · 629c0af · 629c0af
1 parent e20da06
commit 629c0af
Showing 1 changed file with 11 additions and 17 deletions.
diff --git a/04_setup_ironic.sh b/04_setup_ironic.sh
@@ -171,14 +171,6 @@ for name in ironic ironic-api ironic-conductor ironic-inspector dnsmasq httpd-${
     sudo podman ps --all | grep -w " $name$" && sudo podman rm $name -f
 done
 
-# Remove existing pod
-if  sudo podman pod exists ironic-pod ; then
-    sudo podman pod rm ironic-pod -f
-fi
-
-# Create pod
-sudo podman pod create -n ironic-pod
-
 IRONIC_IMAGE=${IRONIC_LOCAL_IMAGE:-$IRONIC_IMAGE}
 
 for IMAGE in ${IRONIC_IMAGE} ${VBMC_IMAGE} ${SUSHY_TOOLS_IMAGE} ; do
@@ -205,7 +197,7 @@ fi
 
 # cached images to the bootstrap VM
 sudo -E podman pull --authfile "${PULL_SECRET_FILE}" "${IRONIC_IMAGE}" || echo "WARNING: Could not pull latest $IRONIC_IMAGE; will try to use cached images instead"
-sudo podman run -d --net host --privileged --name httpd-${PROVISIONING_NETWORK_NAME} --pod ironic-pod \
+sudo podman run -d --net host --name httpd-${PROVISIONING_NETWORK_NAME} \
      --env PROVISIONING_INTERFACE=${PROVISIONING_NETWORK_NAME} \
      -v $IRONIC_DATA_DIR:/shared --entrypoint /bin/runhttpd ${IRONIC_IMAGE}
 
@@ -214,8 +206,8 @@ if [ -n "${IRONIC_IPA_DOWNLOADER_LOCAL_IMAGE:-}" ];
 then
   sudo -E podman pull --authfile $PULL_SECRET_FILE $IRONIC_IPA_DOWNLOADER_LOCAL_IMAGE
 
-  sudo podman run -d --net host --privileged --name ipa-downloader --pod ironic-pod \
-     -v $IRONIC_DATA_DIR:/shared ${IRONIC_IPA_DOWNLOADER_LOCAL_IMAGE} /usr/local/bin/get-resource.sh
+  sudo podman run -d --name ipa-downloader -v $IRONIC_DATA_DIR:/shared \
+      ${IRONIC_IPA_DOWNLOADER_LOCAL_IMAGE} /usr/local/bin/get-resource.sh
 
   # Units have been introduced in 2.x
   if printf '2.0.0\n%s\n' "$PODMAN_VERSION" | sort -V -C; then
@@ -242,15 +234,17 @@ if [ "$NODES_PLATFORM" = "libvirt" ]; then
         # has told us the process isn't there but sometimes when it
         # dies it leaves the file.
         sudo rm -f $WORKING_DIR/virtualbmc/vbmc/master.pid
-        sudo podman run -d --net host --privileged --name vbmc --pod ironic-pod \
-             -v "$WORKING_DIR/virtualbmc/vbmc":/root/.vbmc -v "/root/.ssh":/root/ssh \
-             "${VBMC_IMAGE}"
+        IPMI_PORT_RANGE="$VBMC_BASE_PORT-$VBMC_MAX_PORT"
+        sudo podman run -d -p 623:623/udp -p $IPMI_PORT_RANGE:$IPMI_PORT_RANGE/udp  \
+            --security-opt label=disable --name vbmc \
+            -v "$WORKING_DIR/virtualbmc/vbmc":/root/.vbmc -v "/root/.ssh":/root/ssh \
+            -v /run/libvirt:/run/libvirt "${VBMC_IMAGE}"
     fi
 
     if ! is_running sushy-tools; then
-        sudo podman run -d --net host --privileged --name sushy-tools --pod ironic-pod \
-             -v "$WORKING_DIR/virtualbmc/sushy-tools":/root/sushy -v "/root/.ssh":/root/ssh \
-             "${SUSHY_TOOLS_IMAGE}"
+        sudo podman run -d -p 8000:8000 --security-opt label=disable --name sushy-tools \
+            -v "$WORKING_DIR/virtualbmc/sushy-tools":/root/sushy -v "/root/.ssh":/root/ssh \
+            -v /run/libvirt:/run/libvirt "${SUSHY_TOOLS_IMAGE}"
     fi
 fi