Merge pull request #996 from ozhuraki/idxd-config-ro

idxd: Don't use root filesystem when working with templates
2025-06-03 03:59:37 +00:00 · 2022-05-05 12:24:04 +03:00 · 2022-05-05 12:24:04 +03:00 · f17f473f5e
commit f17f473f5e
parent 33ec3a6c71 54961c3d75
6 changed files with 44 additions and 9 deletions
--- a/build/docker/intel-idxd-config-initcontainer.Dockerfile
+++ b/build/docker/intel-idxd-config-initcontainer.Dockerfile
@ -1,4 +1,4 @@
-# Copyright 2021 Intel Corporation. All Rights Reserved.
+# Copyright 2021-2022 Intel Corporation. All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@ -57,8 +57,11 @@ RUN ldconfig && mkdir -p /licenses/accel-config
 COPY --from=builder /usr/bin/accel-config /usr/bin/
 COPY --from=builder /accel-config.tar.gz /licenses/accel-config/

-ADD demo/idxd-init.sh /idxd-init/
+ADD demo/idxd-init.sh /usr/local/bin/
 ADD demo/dsa.conf /idxd-init/
+ADD demo/iaa.conf /idxd-init/
+
+RUN mkdir /idxd-init/scratch

 WORKDIR /idxd-init
-ENTRYPOINT bash idxd-init.sh
+ENTRYPOINT bash /usr/local/bin/idxd-init.sh
--- a/demo/idxd-init.sh
+++ b/demo/idxd-init.sh
@ -28,8 +28,8 @@ for i in $(accel-config list --idle | jq '.[].dev' | sed -ne "s/\"$DEV\([0-9]\+\

    [ -f "conf/$DEV-$NODE_NAME.conf" ] && config="conf/$DEV-$NODE_NAME.conf"

-    sed "s/X/${i}/g" < "$config" > "$dev.conf"
+    sed "s/X/${i}/g" < "$config" > scratch/"$dev.conf"

-    cmd accel-config load-config -e -c "$dev.conf"
+    cmd accel-config load-config -e -c scratch/"$dev.conf"

 done
--- a/deployments/dsa_plugin/overlays/dsa_initcontainer/dsa_initcontainer.yaml
+++ b/deployments/dsa_plugin/overlays/dsa_initcontainer/dsa_initcontainer.yaml
@ -14,12 +14,15 @@ spec:
                fieldPath: spec.nodeName
        image: intel/intel-idxd-config-initcontainer:devel
        securityContext:
+          readOnlyRootFilesystem: true
          privileged: true
        volumeMounts:
        - mountPath: /sys/devices
          name: sys-devices
        - mountPath: /idxd-init/conf
          name: intel-dsa-config-volume
+        - mountPath: /idxd-init/scratch
+          name: scratch
      volumes:
      - name: sys-devices
        hostPath:
@ -27,3 +30,5 @@ spec:
      - name: intel-dsa-config-volume
        configMap:
          name: intel-dsa-config
+      - name: scratch
+        emptyDir: {}
--- a/deployments/iaa_plugin/overlays/iaa_initcontainer/iaa_initcontainer.yaml
+++ b/deployments/iaa_plugin/overlays/iaa_initcontainer/iaa_initcontainer.yaml
@ -16,12 +16,15 @@ spec:
            value: "iaa"
        image: intel/intel-idxd-config-initcontainer:devel
        securityContext:
+          readOnlyRootFilesystem: true
          privileged: true
        volumeMounts:
        - mountPath: /sys/devices
          name: sys-devices
        - mountPath: /idxd-init/conf
          name: intel-iaa-config-volume
+        - mountPath: /idxd-init/scratch
+          name: scratch
      volumes:
      - name: sys-devices
        hostPath:
@ -29,3 +32,5 @@ spec:
      - name: intel-iaa-config-volume
        configMap:
          name: intel-iaa-config
+      - name: scratch
+        emptyDir: {}
--- a/pkg/controllers/dsa/controller.go
+++ b/pkg/controllers/dsa/controller.go
@ -98,7 +98,7 @@ func removeInitContainer(ds *apps.DaemonSet, dp *devicepluginv1.DsaDevicePlugin)
 	newVolumes := []v1.Volume{}

 	for _, volume := range ds.Spec.Template.Spec.Volumes {
-		if volume.Name == "intel-dsa-config-volume" || volume.Name == "sys-devices" {
+		if volume.Name == "intel-dsa-config-volume" || volume.Name == "sys-devices" || volume.Name == "scratch" {
 			continue
 		}

@ -130,13 +130,18 @@ func addInitContainer(ds *apps.DaemonSet, dp *devicepluginv1.DsaDevicePlugin) {
 			},
 		},
 		SecurityContext: &v1.SecurityContext{
-			Privileged: &yes,
+			ReadOnlyRootFilesystem: &yes,
+			Privileged:             &yes,
 		},
 		VolumeMounts: []v1.VolumeMount{
 			{
 				Name:      "sys-devices",
 				MountPath: "/sys/devices",
 			},
+			{
+				Name:      "scratch",
+				MountPath: "/idxd-init/scratch",
+			},
 		},
 	})
 	ds.Spec.Template.Spec.Volumes = append(ds.Spec.Template.Spec.Volumes, v1.Volume{
@ -147,6 +152,12 @@ func addInitContainer(ds *apps.DaemonSet, dp *devicepluginv1.DsaDevicePlugin) {
 			},
 		},
 	})
+	ds.Spec.Template.Spec.Volumes = append(ds.Spec.Template.Spec.Volumes, v1.Volume{
+		Name: "scratch",
+		VolumeSource: v1.VolumeSource{
+			EmptyDir: &v1.EmptyDirVolumeSource{},
+		},
+	})

 	if dp.Spec.ProvisioningConfig != "" {
 		ds.Spec.Template.Spec.Volumes = append(ds.Spec.Template.Spec.Volumes, v1.Volume{
--- a/pkg/controllers/iaa/controller.go
+++ b/pkg/controllers/iaa/controller.go
@ -96,7 +96,7 @@ func removeInitContainer(ds *apps.DaemonSet, dp *devicepluginv1.IaaDevicePlugin)
 	newVolumes := []v1.Volume{}

 	for _, volume := range ds.Spec.Template.Spec.Volumes {
-		if volume.Name == "intel-iaa-config-volume" || volume.Name == "sys-devices" {
+		if volume.Name == "intel-iaa-config-volume" || volume.Name == "sys-devices" || volume.Name == "scratch" {
 			continue
 		}

@ -128,13 +128,18 @@ func addInitContainer(ds *apps.DaemonSet, dp *devicepluginv1.IaaDevicePlugin) {
 			},
 		},
 		SecurityContext: &v1.SecurityContext{
-			Privileged: &yes,
+			ReadOnlyRootFilesystem: &yes,
+			Privileged:             &yes,
 		},
 		VolumeMounts: []v1.VolumeMount{
 			{
 				Name:      "sys-devices",
 				MountPath: "/sys/devices",
 			},
+			{
+				Name:      "scratch",
+				MountPath: "/idxd-init/scratch",
+			},
 		},
 	})
 	ds.Spec.Template.Spec.Volumes = append(ds.Spec.Template.Spec.Volumes, v1.Volume{
@ -145,6 +150,12 @@ func addInitContainer(ds *apps.DaemonSet, dp *devicepluginv1.IaaDevicePlugin) {
 			},
 		},
 	})
+	ds.Spec.Template.Spec.Volumes = append(ds.Spec.Template.Spec.Volumes, v1.Volume{
+		Name: "scratch",
+		VolumeSource: v1.VolumeSource{
+			EmptyDir: &v1.EmptyDirVolumeSource{},
+		},
+	})

 	if dp.Spec.ProvisioningConfig != "" {
 		ds.Spec.Template.Spec.Volumes = append(ds.Spec.Template.Spec.Volumes, v1.Volume{