Project: Cloud Infrastructure Security & Compliance
Issue: CMP-1097

FIO: Unnecessary re-inits and leftover daemonSets


Details

      Previously, while the operator was reconciling File Integrity CRDs, it would pause scanning until the reconciliation was done. This caused an overly aggressive re-initialization process on nodes not impacted by the reconciliation. It also resulted in unnecessary daemonsets for machine config pools that are unrelated to the file integrity being changed.

      FIO 1.3.0 gracefully handles these cases and only pauses AIDE scanning for nodes that are affected by file integrity changes.
    • Sprints: CMP Sprint 62, CMP Sprint 63, CMP Sprint 64

    Description

      During node reconciliation, the FileIntegrity is annotated to hold (a trigger that pauses the AIDE daemon's scan loop for the duration of the update) based on the update status of a single node.

      If a FileIntegrity instance covers multiple nodes in separate MCPs (i.e., a blank FileIntegrity.Spec.NodeSelector, which covers the master MCP and worker MCP) and a single MCP receives a MC update, then a node reconcile outside of the MCP will trigger a re-init for the node and remove the holdoff annotation for the FileIntegrity.

      That's an unintentional re-init with two extra side effects:

      • The holdoff annotation on the FileIntegrity is added and removed multiple times as other nodes update. This causes the daemons to hold and release even if they are not updating.
      • When only the master MCP is updated, a re-init daemonset created for a worker node has been seen to never be deleted, presumably lost during an operator reschedule.
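The scoping problem described above, as an added Go model (not the operator's own code): a simplified Node with a string rollout state, a FileIntegrity whose empty PoolSelector stands in for a blank Spec.NodeSelector, and two reconcile passes, one with a single FileIntegrity-wide holdoff and one decided per node. Names, types and the "idle"/"updating"/"updated" states are assumptions of this model.

```go
package main

import "fmt"

// Node: its MachineConfigPool and rollout state ("idle", "updating", "updated").
type Node struct{ Name, Pool, State string }

// FileIntegrity models the CR; an empty PoolSelector is a blank Spec.NodeSelector.
type FileIntegrity struct{ PoolSelector string }

func (fi FileIntegrity) covers(n Node) bool {
	return fi.PoolSelector == "" || fi.PoolSelector == n.Pool
}

type Outcome struct{ Held, ReInit map[string]bool } // held AIDE scans; re-init daemonsets

// reconcileSingleHold is the pre-1.3.0 behaviour: a single holdoff annotation,
// rewritten by the last covered node reconciled; every non-updating node is re-initialised.
func reconcileSingleHold(fi FileIntegrity, nodes []Node) Outcome {
	out, hold := Outcome{map[string]bool{}, map[string]bool{}}, false
	for _, n := range nodes {
		if fi.covers(n) {
			hold = n.State == "updating" // annotation follows the last node seen
			out.ReInit[n.Name] = !hold   // fires even for an idle worker
		}
	}
	for _, n := range nodes {
		if fi.covers(n) {
			out.Held[n.Name] = hold // the single annotation applies to every node
		}
	}
	return out
}

// reconcilePerNodeHold is the 1.3.0 behaviour: hold and re-init are decided per
// node, so a node whose pool is not rolling out a MachineConfig is left alone.
func reconcilePerNodeHold(fi FileIntegrity, nodes []Node) Outcome {
	out := Outcome{map[string]bool{}, map[string]bool{}}
	for _, n := range nodes {
		if fi.covers(n) {
			out.Held[n.Name] = n.State == "updating"
			out.ReInit[n.Name] = n.State == "updated"
		}
	}
	return out
}

func main() { // blank selector covers both pools; only the master pool is updating
	fmt.Printf("%+v\n", reconcileSingleHold(FileIntegrity{}, []Node{{"master-0", "master", "updating"}, {"worker-0", "worker", "idle"}}))
}
```

With the single annotation, reconciling the idle worker after the updating master clears the hold for both nodes and re-inits the worker; the per-node pass holds only master-0 and re-inits a node only once its own state reaches "updated".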

          People

            wenshen@redhat.com Vincent Shen
            rhn-support-mrogers Matt Rogers (Inactive)