OpenShift Bugs / OCPBUGS-70163

CBO: remove the writable ironic-ca-cert mount

    • Metal Platform 281, Metal Platform 282, Metal Platform 283
    • Done
    • Bug Fix
      * Before this update, Ironic wrote to the read-only `/certs/ca/ironic` path when the `IRONIC_CACERT_FILE` path was not set. As a consequence, deployment failed. With this release, Ironic does not write to the read-only path, which improves system stability. (link:https://issues.redhat.com/browse/OCPBUGS-70163[OCPBUGS-70163])

      After enabling `readOnlyRootFilesystem` for the ironic containers, the cluster-baremetal-operator (CBO) had to add an extra writable `ironic-ca-cert` mount at `/certs/ca/ironic`, because with `IRONIC_CACERT_FILE` unset Ironic tried to write its CA certificate to the now read-only path `/certs/ca/ironic/tls.crt`. The ironic-image fix for the unset `IRONIC_CACERT_FILE` case (PR https://github.com/openshift/ironic-image/pull/753) writes to the already writable `/conf` directory instead, so the extra `ironic-ca-cert` mount is no longer needed. Removing it leaves one fewer writable path in containers whose root filesystem is otherwise read-only, which reduces their attack surface.

      This is a clone of issue OCPBUGS-67216. The following is the description of the original issue:

      Description of problem:

      
      Now that the ironic-image fix stops Ironic from writing to the read-only "/certs/ca/ironic" path when IRONIC_CACERT_FILE is not set, remove the writable ironic-ca-cert mount at the "/certs/ca/ironic" path from the ironic containers that CBO manages.
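      As an added illustration (not code from cluster-baremetal-operator or ironic-image), the following Python audit checks a pod spec for the property this change restores: every ironic container runs with readOnlyRootFilesystem and keeps no writable mount outside a small allow list. The two specs are constructed for the example. The ironic-ca-cert volume, the /certs/ca/ironic path and the writable /conf directory come from this issue; the container and volume names, the image tag, the read-only TLS mount at /certs/ironic and the other allowed paths (/shared, /tmp) are assumptions.

```python
# Added example, not code from cluster-baremetal-operator (CBO) or ironic-image.
# Audits a pod spec, given as a plain dict in the shape of `kubectl get pod -o json`
# under .spec, for the property this fix restores: ironic containers run with
# readOnlyRootFilesystem and keep no writable mount outside a small allow list.

# Writable paths the ironic containers are expected to keep. /conf comes from the
# issue; /shared and /tmp are placeholders assumed for this example.
ALLOWED_WRITABLE = {"/conf", "/shared", "/tmp"}


def writable_mounts(container):
    """Return the mountPaths of this container that are not mounted readOnly."""
    return sorted(
        m["mountPath"]
        for m in container.get("volumeMounts", [])
        if not m.get("readOnly", False)
    )


def audit_pod_spec(spec, name_prefix="ironic", allowed=ALLOWED_WRITABLE):
    """Return a list of findings for containers whose name starts with name_prefix.

    An empty list means the spec passes: every such container has
    readOnlyRootFilesystem set to true and writes only to allowed paths.
    """
    findings = []
    for c in spec.get("containers", []):
        if not c["name"].startswith(name_prefix):
            continue
        sc = c.get("securityContext") or {}
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{c['name']}: readOnlyRootFilesystem is not true")
        for path in writable_mounts(c):
            if path not in allowed:
                findings.append(f"{c['name']}: unexpected writable mount at {path}")
    return findings


def _ironic_container(extra_mounts):
    """Constructed ironic container; image tag and volume names are assumptions."""
    return {
        "name": "ironic",
        "image": "ironic-image:example",
        "securityContext": {"readOnlyRootFilesystem": True},
        "volumeMounts": [
            {"name": "ironic-conf", "mountPath": "/conf"},
            {"name": "ironic-tls", "mountPath": "/certs/ironic", "readOnly": True},
        ] + extra_mounts,
    }


# Before the fix: the workaround, an extra writable emptyDir at /certs/ca/ironic.
SPEC_BEFORE = {
    "containers": [_ironic_container([
        {"name": "ironic-ca-cert", "mountPath": "/certs/ca/ironic"},
    ])],
    "volumes": [
        {"name": "ironic-conf", "emptyDir": {}},
        {"name": "ironic-tls", "secret": {"secretName": "ironic-tls"}},
        {"name": "ironic-ca-cert", "emptyDir": {}},
    ],
}

# After the fix: the mount is gone; the CA file lives under the writable /conf.
SPEC_AFTER = {
    "containers": [_ironic_container([])],
    "volumes": [
        {"name": "ironic-conf", "emptyDir": {}},
        {"name": "ironic-tls", "secret": {"secretName": "ironic-tls"}},
    ],
}


if __name__ == "__main__":
    for label, spec in (("before", SPEC_BEFORE), ("after", SPEC_AFTER)):
        print(f"{label}: {audit_pod_spec(spec) or 'ok'}")
```

      Against a live cluster, the same function can be run on the dict obtained by json-loading the output of `oc get pod -n <namespace> <metal3-pod> -o json` and taking its `spec` key; a non-empty result after this change would indicate the workaround mount has come back, or that a container lost its read-only root filesystem.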
          

              Himanshu Roy (hroy@redhat.com)
              Jad Haj Yahya