From 54961c3d757e7fc8ecddc45dda09a1f5b2828c1c Mon Sep 17 00:00:00 2001
From: Oleg Zhurakivskyy
Date: Thu, 5 May 2022 10:00:51 +0300
Subject: [PATCH] idxd: Make root filesystem read-only
Signed-off-by: Oleg Zhurakivskyy
---
 .../intel-idxd-config-initcontainer.Dockerfile | 9 ++++++---
 demo/idxd-init.sh | 4 ++--
 .../dsa_initcontainer/dsa_initcontainer.yaml | 5 +++++
 .../iaa_initcontainer/iaa_initcontainer.yaml | 5 +++++
 pkg/controllers/dsa/controller.go | 15 +++++++++++++--
 pkg/controllers/iaa/controller.go | 15 +++++++++++++--
 6 files changed, 44 insertions(+), 9 deletions(-)
diff --git a/build/docker/intel-idxd-config-initcontainer.Dockerfile b/build/docker/intel-idxd-config-initcontainer.Dockerfile
index 18d9898d..ff57f337 100644
--- a/build/docker/intel-idxd-config-initcontainer.Dockerfile
+++ b/build/docker/intel-idxd-config-initcontainer.Dockerfile
@@ -1,4 +1,4 @@
-# Copyright 2021 Intel Corporation. All Rights Reserved.
+# Copyright 2021-2022 Intel Corporation. All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -57,8 +57,11 @@ RUN ldconfig && mkdir -p /licenses/accel-config
 COPY --from=builder /usr/bin/accel-config /usr/bin/
 COPY --from=builder /accel-config.tar.gz /licenses/accel-config/
-ADD demo/idxd-init.sh /idxd-init/
+ADD demo/idxd-init.sh /usr/local/bin/
 ADD demo/dsa.conf /idxd-init/
+ADD demo/iaa.conf /idxd-init/
+
+RUN mkdir /idxd-init/scratch
 WORKDIR /idxd-init
-ENTRYPOINT bash idxd-init.sh
+ENTRYPOINT bash /usr/local/bin/idxd-init.sh
diff --git a/demo/idxd-init.sh b/demo/idxd-init.sh
index 1f5a29c6..1e981a02 100755
--- a/demo/idxd-init.sh
+++ b/demo/idxd-init.sh
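Review bot: The two new `ADD` lines, `ADD demo/idxd-init.sh /usr/local/bin/` and `ADD demo/iaa.conf /idxd-init/`, copy plain local files, for which `COPY` is the recommended instruction; `ADD` additionally auto-extracts local tar archives and fetches remote URLs, behaviour this build does not need and that hadolint flags as DL3020. Replace them with `COPY demo/idxd-init.sh /usr/local/bin/` and `COPY demo/iaa.conf /idxd-init/` (the pre-existing `ADD demo/dsa.conf` line could follow for consistency). Moving the script under /usr/local/bin fits the read-only root well: once `readOnlyRootFilesystem` is set by the deployments, the script and the bundled *.conf templates cannot be modified at runtime, while `RUN mkdir /idxd-init/scratch` only provides the mount point for the emptyDir the deployments add. The rewritten `ENTRYPOINT bash /usr/local/bin/idxd-init.sh` keeps the shell form, so the script runs under `/bin/sh -c` and does not receive container signals directly; the exec form `ENTRYPOINT ["bash", "/usr/local/bin/idxd-init.sh"]` avoids that.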
@@ -28,8 +28,8 @@ for i in $(accel-config list --idle | jq '.[].dev' | sed -ne "s/\"$DEV\([0-9]\+\
 [ -f "conf/$DEV-$NODE_NAME.conf" ] && config="conf/$DEV-$NODE_NAME.conf"
- sed "s/X/${i}/g" < "$config" > "$dev.conf"
+ sed "s/X/${i}/g" < "$config" > scratch/"$dev.conf"
- cmd accel-config load-config -e -c "$dev.conf"
+ cmd accel-config load-config -e -c scratch/"$dev.conf"
 done
diff --git a/deployments/dsa_plugin/overlays/dsa_initcontainer/dsa_initcontainer.yaml b/deployments/dsa_plugin/overlays/dsa_initcontainer/dsa_initcontainer.yaml
index 9f2880f4..c844ca08 100644
--- a/deployments/dsa_plugin/overlays/dsa_initcontainer/dsa_initcontainer.yaml
+++ b/deployments/dsa_plugin/overlays/dsa_initcontainer/dsa_initcontainer.yaml
@@ -14,12 +14,15 @@ spec:
 fieldPath: spec.nodeName
 image: intel/intel-idxd-config-initcontainer:devel
 securityContext:
+ readOnlyRootFilesystem: true
 privileged: true
 volumeMounts:
 - mountPath: /sys/devices
 name: sys-devices
 - mountPath: /idxd-init/conf
 name: intel-dsa-config-volume
+ - mountPath: /idxd-init/scratch
+ name: scratch
 volumes:
 - name: sys-devices
 hostPath:
@@ -27,3 +30,5 @@ spec:
 - name: intel-dsa-config-volume
 configMap:
 name: intel-dsa-config
+ - name: scratch
+ emptyDir: {}
diff --git a/deployments/iaa_plugin/overlays/iaa_initcontainer/iaa_initcontainer.yaml b/deployments/iaa_plugin/overlays/iaa_initcontainer/iaa_initcontainer.yaml
index 09559439..0d31bd0c 100644
--- a/deployments/iaa_plugin/overlays/iaa_initcontainer/iaa_initcontainer.yaml
+++ b/deployments/iaa_plugin/overlays/iaa_initcontainer/iaa_initcontainer.yaml
@@ -16,12 +16,15 @@ spec:
 value: "iaa"
 image: intel/intel-idxd-config-initcontainer:devel
 securityContext:
+ readOnlyRootFilesystem: true
 privileged: true
 volumeMounts:
 - mountPath: /sys/devices
 name: sys-devices
 - mountPath: /idxd-init/conf
 name: intel-iaa-config-volume
+ - mountPath: /idxd-init/scratch
+ name: scratch
 volumes:
 - name: sys-devices
 hostPath:
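Review bot: The rewritten `sed "s/X/${i}/g" < "$config" > scratch/"$dev.conf"` line still runs unchecked, and with the root filesystem now read-only a missing or unmounted `scratch/` emptyDir turns the redirect into a hard failure that leaves `scratch/$dev.conf` absent; unless `set -e` is in effect earlier in the script (outside the hunk), the loop then continues into `cmd accel-config load-config -e -c scratch/"$dev.conf"` with a missing or stale file. Make the failure explicit at the point it happens, for example `sed "s/X/${i}/g" < "$config" > scratch/"$dev.conf" || { echo "cannot write scratch/$dev.conf" >&2; exit 1; }`. The enclosing `for` loop and the `cmd` wrapper are defined outside the hunk, so whether `cmd` already aborts on error is inferred here, not visible.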
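Review bot: `readOnlyRootFilesystem: true` is added next to the existing `privileged: true`, and the overlay should record what the read-only root is meant to achieve: a privileged container keeps full capabilities and this one also has a `/sys/devices` hostPath mount, so the read-only root limits accidental writes by the init script and keeps the image's script and *.conf templates immutable, rather than acting as a containment boundary. A one-line comment above the new field would make that intent explicit, e.g. `# read-only root guards against stray writes; the only writable path is the scratch emptyDir`. The same applies to the `securityContext` hunk in iaa_initcontainer.yaml and to the `ReadOnlyRootFilesystem: &yes` hunks in pkg/controllers/dsa/controller.go and pkg/controllers/iaa/controller.go.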
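Review bot: The new `scratch` emptyDir (`- name: scratch` / `emptyDir: {}`) has no `sizeLimit`, so the volume can grow until the node's ephemeral-storage eviction threshold; the init script writes only one small rendered `$dev.conf` per device into it, so a tight bound such as `emptyDir: { sizeLimit: 1Mi }` (value illustrative) costs nothing and documents the expected footprint. If the rendered configs should not touch node disk at all, `medium: Memory` is also an option. The same applies to the `scratch` volume hunk in iaa_initcontainer.yaml and to the `EmptyDir: &v1.EmptyDirVolumeSource{}` hunks in both controllers, where `SizeLimit` would need a `resource.Quantity` from the apimachinery resource package.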
@@ -29,3 +32,5 @@ spec:
 - name: intel-iaa-config-volume
 configMap:
 name: intel-iaa-config
+ - name: scratch
+ emptyDir: {}
diff --git a/pkg/controllers/dsa/controller.go b/pkg/controllers/dsa/controller.go
index be9b3b75..71b32192 100644
--- a/pkg/controllers/dsa/controller.go
+++ b/pkg/controllers/dsa/controller.go
@@ -98,7 +98,7 @@ func removeInitContainer(ds *apps.DaemonSet, dp *devicepluginv1.DsaDevicePlugin)
 newVolumes := []v1.Volume{}
 for _, volume := range ds.Spec.Template.Spec.Volumes {
- if volume.Name == "intel-dsa-config-volume" || volume.Name == "sys-devices" {
+ if volume.Name == "intel-dsa-config-volume" || volume.Name == "sys-devices" || volume.Name == "scratch" {
 continue
 }
@@ -130,13 +130,18 @@ func addInitContainer(ds *apps.DaemonSet, dp *devicepluginv1.DsaDevicePlugin) {
 },
 },
 SecurityContext: &v1.SecurityContext{
- Privileged: &yes,
+ ReadOnlyRootFilesystem: &yes,
+ Privileged: &yes,
 },
 VolumeMounts: []v1.VolumeMount{
 {
 Name: "sys-devices",
 MountPath: "/sys/devices",
 },
+ {
+ Name: "scratch",
+ MountPath: "/idxd-init/scratch",
+ },
 },
 })
 ds.Spec.Template.Spec.Volumes = append(ds.Spec.Template.Spec.Volumes, v1.Volume{
@@ -147,6 +152,12 @@ func addInitContainer(ds *apps.DaemonSet, dp *devicepluginv1.DsaDevicePlugin) {
 },
 },
 })
+ ds.Spec.Template.Spec.Volumes = append(ds.Spec.Template.Spec.Volumes, v1.Volume{
+ Name: "scratch",
+ VolumeSource: v1.VolumeSource{
+ EmptyDir: &v1.EmptyDirVolumeSource{},
+ },
+ })
 if dp.Spec.ProvisioningConfig != "" {
 ds.Spec.Template.Spec.Volumes = append(ds.Spec.Template.Spec.Volumes, v1.Volume{
diff --git a/pkg/controllers/iaa/controller.go b/pkg/controllers/iaa/controller.go
index 7d7fb2b2..d1d58f9b 100644
--- a/pkg/controllers/iaa/controller.go
+++ b/pkg/controllers/iaa/controller.go
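Review bot: The added filter `volume.Name == "scratch"` in removeInitContainer matches on a very generic name, so a volume a user attached to the DaemonSet under the same name would be stripped together with the init container's, and addInitContainer in the same file creates the volume from the same bare literal, so the two can also drift apart. Give the volume a project-specific name and keep it in one constant used by both functions, e.g. `const scratchVolumeName = "intel-idxd-scratch"` (name illustrative, chosen to match the existing `intel-dsa-config-volume` style), then compare and construct with `scratchVolumeName`. The same literal is used the same way in the removeInitContainer hunk of pkg/controllers/iaa/controller.go. The enclosing `for` loop and removeInitContainer itself begin outside the hunk.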
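Review bot: The new mount `MountPath: "/idxd-init/scratch"` is coupled to two other places in this patch, the `RUN mkdir /idxd-init/scratch` in the initcontainer Dockerfile and the relative `scratch/"$dev.conf"` path the script resolves against `WORKDIR /idxd-init`, but nothing in the Go code records that dependency. A comment on the mount, `// Must match WORKDIR/scratch in the initcontainer image: idxd-init.sh renders its configs there.`, would stop a future rename from silently breaking the init step. The same applies to the matching VolumeMounts hunk in pkg/controllers/iaa/controller.go; addInitContainer begins outside the hunk.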
@@ -96,7 +96,7 @@ func removeInitContainer(ds *apps.DaemonSet, dp *devicepluginv1.IaaDevicePlugin)
 newVolumes := []v1.Volume{}
 for _, volume := range ds.Spec.Template.Spec.Volumes {
- if volume.Name == "intel-iaa-config-volume" || volume.Name == "sys-devices" {
+ if volume.Name == "intel-iaa-config-volume" || volume.Name == "sys-devices" || volume.Name == "scratch" {
 continue
 }
@@ -128,13 +128,18 @@ func addInitContainer(ds *apps.DaemonSet, dp *devicepluginv1.IaaDevicePlugin) {
 },
 },
 SecurityContext: &v1.SecurityContext{
- Privileged: &yes,
+ ReadOnlyRootFilesystem: &yes,
+ Privileged: &yes,
 },
 VolumeMounts: []v1.VolumeMount{
 {
 Name: "sys-devices",
 MountPath: "/sys/devices",
 },
+ {
+ Name: "scratch",
+ MountPath: "/idxd-init/scratch",
+ },
 },
 })
 ds.Spec.Template.Spec.Volumes = append(ds.Spec.Template.Spec.Volumes, v1.Volume{
@@ -145,6 +150,12 @@ func addInitContainer(ds *apps.DaemonSet, dp *devicepluginv1.IaaDevicePlugin) {
 },
 },
 })
+ ds.Spec.Template.Spec.Volumes = append(ds.Spec.Template.Spec.Volumes, v1.Volume{
+ Name: "scratch",
+ VolumeSource: v1.VolumeSource{
+ EmptyDir: &v1.EmptyDirVolumeSource{},
+ },
+ })
 if dp.Spec.ProvisioningConfig != "" {
 ds.Spec.Template.Spec.Volumes = append(ds.Spec.Template.Spec.Volumes, v1.Volume{
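Review bot: The three hunks in pkg/controllers/iaa/controller.go are, apart from the `intel-iaa-config-volume` literal, line-for-line copies of the ones in pkg/controllers/dsa/controller.go: the `volume.Name == "scratch"` filter, the `ReadOnlyRootFilesystem: &yes` and `scratch` mount additions, and the `EmptyDir` volume. The two controllers already mirror each other, and this change widens the surface that has to be kept in sync by hand; a small helper shared by both controllers that builds the scratch `v1.VolumeMount` and `v1.Volume` from one named constant would let the next change land in one place. The notes on the dsa hunks (generic volume name, missing `SizeLimit`, undocumented mount-path coupling) apply here unchanged; both removeInitContainer and addInitContainer begin outside their hunks.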