Skip to content

Add "NET_RAW" to ironic-endpoint-keepalived#782

Merged
metal3-io-bot merged 1 commit intometal3-io:masterfrom
Nordix:fix-add-cap-bote
Feb 1, 2021
Merged

Add "NET_RAW" to ironic-endpoint-keepalived#782
metal3-io-bot merged 1 commit intometal3-io:masterfrom
Nordix:fix-add-cap-bote

Conversation

@liu-bote
Copy link

@liu-bote liu-bote commented Jan 28, 2021
edited
Loading

The capability 'NET_RAW' is needed to open a raw socket in ironic-endpoint-keepalived otherwise the container will fail.

@metal3-io-bot
Copy link
Contributor

metal3-io-bot commented Jan 28, 2021

Hi @Insullone. Thanks for your PR.

I'm waiting for a metal3-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@metal3-io-bot metal3-io-bot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jan 28, 2021
@namnx228
Copy link
Member

namnx228 commented Jan 28, 2021

/test/integration
/test-centos-integration
/assign @maelk
/cc @kashifest @furkatgofurov7

@namnx228
Copy link
Member

namnx228 commented Jan 28, 2021

lgtm

@furkatgofurov7
Copy link
Member

furkatgofurov7 commented Jan 28, 2021

/test-integration

@Xenwar
Copy link
Member

Xenwar commented Jan 28, 2021

/lgtm

@metal3-io-bot
Copy link
Contributor

metal3-io-bot commented Jan 28, 2021

@Xenwar: adding LGTM is restricted to approvers and reviewers in OWNERS files.

Details

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@smoshiur1237
Copy link
Member

smoshiur1237 commented Jan 29, 2021

LGTM.

@fmuyassarov
Copy link
Member

fmuyassarov commented Jan 29, 2021

/ok-to-test

@metal3-io-bot metal3-io-bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jan 29, 2021
@kashifest
Copy link
Member

kashifest commented Jan 29, 2021

/lgtm

@metal3-io-bot metal3-io-bot added the lgtm Indicates that a PR is ready to be merged. label Jan 29, 2021
furkatgofurov7
furkatgofurov7 reviewed Jan 31, 2021
View reviewed changes
Copy link
Member

@furkatgofurov7 furkatgofurov7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not a blocker though, question inline:

ironic-deployment/keepalived/keepalived_patch.yaml
securityContext:
capabilities:
add: ["NET_ADMIN"]
add: ["NET_ADMIN", "NET_RAW"]
Copy link
Member

@furkatgofurov7 furkatgofurov7 Jan 31, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there any other alternative to avoid adding this capability in order to fix the issue with ironic-endpoint? The reason I was curious is mainly that this might be a security flaw.

Copy link
Member

@kashifest kashifest Feb 1, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@furkatgofurov7 I am having difficulty understanding how adding these two capabilities is a security flaw, Yes you should not add these capabilities to untrusted containers, but for your own trusted containers, if you dont add them and if your container needs them, it will simply not work.

Copy link
Member

@furkatgofurov7 furkatgofurov7 Feb 1, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay, I was not sure, if this is in the context of untrusted containers, my understanding was, it can be any container.

@metal3-io-bot
Copy link
Contributor

metal3-io-bot commented Feb 1, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Insullone, maelk

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@metal3-io-bot metal3-io-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 1, 2021
@metal3-io-bot metal3-io-bot merged commit aa9b416 into metal3-io:master Feb 1, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kashifest kashifest Awaiting requested review from kashifest

2 more reviewers

@furkatgofurov7 furkatgofurov7 furkatgofurov7 left review comments

@maelk maelk maelk approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@maelk maelk

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

9 participants

@liu-bote @metal3-io-bot @namnx228 @furkatgofurov7 @Xenwar @smoshiur1237 @fmuyassarov @kashifest @maelk