Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

STOR-2126: Enable readOnlyFileSystem #229

Merged
merged 1 commit into from
Apr 8, 2025
Merged

STOR-2126: Enable readOnlyFileSystem #229

merged 1 commit into from
Apr 8, 2025
+27 −2

Conversation

dfajmon
Copy link
Contributor

@dfajmon dfajmon commented Feb 17, 2025
edited
Loading

Enable readOnlyFileSystem in the operator for security concerns.
Recommended for all containers running in kubernetes.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Feb 17, 2025
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Feb 17, 2025
edited by openshift-ci bot
Loading

@dfajmon: This pull request references STOR-2126 which is a valid jira issue.

In response to this:

/hold

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 17, 2025
@openshift-ci openshift-ci bot requested review from gnufied and jsafrane February 17, 2025 15:31
@dfajmon dfajmon force-pushed the readOnlyFileSystem branch 4 times, most recently from 86a2d6d to 2d16c80 Compare March 3, 2025 15:08
@dfajmon
Copy link
Contributor Author

dfajmon commented Mar 3, 2025

/retest

1 similar comment
@dfajmon
Copy link
Contributor Author

dfajmon commented Mar 3, 2025

/retest

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Mar 5, 2025
edited by openshift-ci bot
Loading

@dfajmon: This pull request references STOR-2126 which is a valid jira issue.

In response to this:

Enable readOnlyFileSystem in the operator for security concerns.
Recommended for all containers running in kubernetes.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@jsafrane
Copy link
Contributor

jsafrane commented Mar 7, 2025

/lgtm
/approve

@dfajmon
Copy link
Contributor Author

dfajmon commented Mar 7, 2025

/unhold

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 7, 2025
@openshift-ci openshift-ci bot added lgtm Indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Mar 7, 2025
@dfajmon dfajmon force-pushed the readOnlyFileSystem branch from 2d16c80 to e815eb1 Compare March 20, 2025 09:23
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Mar 20, 2025
@ropatil010
Copy link

/retest-required

@ropatil010
Copy link

Payload: 4.19.0-0.test-2025-03-25-131548-ci-ln-35vzyxt-latest
clusterbot: build 4.19,#229

// OCP-80702 [CSI-Driver-Operator] Check the deployments have parameter readOnlyRootFilesystem set to true and are up and running.
oc get deployment -n openshift-cluster-storage-operator
NAME READY UP-TO-DATE AVAILABLE AGE
cluster-storage-operator 1/1 1 1 7h6m
csi-snapshot-controller 2/2 2 2 7h3m
csi-snapshot-controller-operator 1/1 1 1 7h6m

oc get deployment/csi-snapshot-controller-operator -n openshift-cluster-storage-operator -o yaml
It has parameter readOnlyRootFilesystem: true

// OCP-80704 [CSI-Driver-Operator] Check the mount permissions should be set to "ro"
oc exec -it deployment/csi-snapshot-controller-operator -n openshift-cluster-storage-operator -- sh
sh-5.1$ mount | grep "on /" OR mount | grep "overlay"
overlay on / type overlay (ro,relatime,context="system_u:object_r:container_file_t:s0:c9,c12",lowerdir=/var/lib/containers/storage/overlay/l/QBRN47B5FD6CRJQMP2EKKY3JOQ:/var/lib/containers/storage/overlay/l/3JSVLRKVCFCN6PWMX74DDIO7YR:/var/lib/containers/storage/overlay/l/5A6CQRFXHWROGWUNA7ZGTQOSIN:/var/lib/containers/storage/overlay/l/WUPLY4XVHNYRYO2JF3ZHTRWEYW:/var/lib/containers/storage/overlay/l/CRPZJG6ADDQV7245Q3EE3RKNOK,upperdir=/var/lib/containers/storage/overlay/bd7e833ee454db5dd0bbc7c573cef5f113641c4b2832e7e33ea681b32c482837/diff,workdir=/var/lib/containers/storage/overlay/bd7e833ee454db5dd0bbc7c573cef5f113641c4b2832e7e33ea681b32c482837/work,volatile)

// OCP-80705 [CSI-Driver-Operator] Write data inside root volume should fail as Read-only file system.
sh-5.1$ touch /testfile.txt
touch: cannot touch '/testfile.txt': Read-only file system

// Regression Run
https://jenkins-csb-openshift-qe-mastern.dno.corp.redhat.com/job/ocp-common/job/ginkgo-test/290859/console
03-26 00:39:30.019 error: 1 fail, 116 pass, 169 skip (3h53m18s)
03-26 00:39:30.019 [sig-storage] STORAGE NonHyperShiftHOST-ROSA-OSD_CCS-Longduration-NonPreRelease-ARO-Author:jiasun-High-37783-[storage] Metric should report storage volume numbers per storage plugins and volume mode [Serial]
known issue: https://issues.redhat.com/browse/OCPBUGS-44815

@dfajmon dfajmon force-pushed the readOnlyFileSystem branch from e815eb1 to 9055a17 Compare April 3, 2025 07:54
@dfajmon
Copy link
Contributor Author

dfajmon commented Apr 3, 2025

/retest-required

@dfajmon dfajmon force-pushed the readOnlyFileSystem branch from 9055a17 to 62d484a Compare April 7, 2025 21:18
@dobsonj
Copy link
Member

dobsonj commented Apr 7, 2025

/lgtm
/approve

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Apr 7, 2025
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Apr 7, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dfajmon, dobsonj, jsafrane

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@dfajmon
Copy link
Contributor Author

dfajmon commented Apr 8, 2025

/retest

2 similar comments
@dfajmon
Copy link
Contributor Author

dfajmon commented Apr 8, 2025

/retest

@dfajmon
Copy link
Contributor Author

dfajmon commented Apr 8, 2025

/retest

@ropatil010
Copy link

Adding label based on execution result with latest commit: https://issues.redhat.com/browse/STOR-2289?focusedId=26947909&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-26947909
/label qe-approved

@openshift-ci openshift-ci bot added the qe-approved Signifies that QE has signed off on this PR label Apr 8, 2025
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Apr 8, 2025
edited by openshift-ci bot
Loading

@dfajmon: This pull request references STOR-2126 which is a valid jira issue.

In response to this:

Enable readOnlyFileSystem in the operator for security concerns.
Recommended for all containers running in kubernetes.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Apr 8, 2025

@dfajmon: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot bot merged commit cf99de9 into openshift:main Apr 8, 2025
14 checks passed
@openshift-bot
Copy link
Contributor

[ART PR BUILD NOTIFIER]

Distgit: ose-cluster-csi-snapshot-controller-operator
This PR has been included in build ose-cluster-csi-snapshot-controller-operator-container-v4.19.0-202504090015.p0.gcf99de9.assembly.stream.el9.
All builds following this will include this PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gnufied gnufied gnufied left review comments

@dobsonj dobsonj dobsonj left review comments

@jsafrane jsafrane Awaiting requested review from jsafrane

Assignees

@jsafrane jsafrane

@dobsonj dobsonj

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. qe-approved Signifies that QE has signed off on this PR
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@dfajmon @openshift-ci-robot @jsafrane @ropatil010 @dobsonj @openshift-bot @gnufied