How to enable NET_ADMIN permission to a pod with custom scc?

  1. Create custom scc: 
    $ oc whoami
system:admin
$ oc create -f scc.yaml

    This is the yaml file to create new scc:

    $ cat scc.yaml 
kind: SecurityContextConstraints
apiVersion: v1
metadata:
  name: my-scc
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities:
  - NET_ADMIN
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
fsGroup:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
users:
  - system:admin
  2. Create a serviceaccount in target namespace: 
    $ oc whoami
meiyan
$ oc new-project meiyan-scc-pod
$ oc create sa meiyansvcacct
  3. Bind the sa meiyansvcacct to custom scc: 
    $ oc whoami
system:admin
$ oc adm policy add-scc-to-user my-scc -z meiyansvcacct
  4. Modify priority of scc my-scc: 
    $ oc patch scc my-scc -p '{"priority":1}' --type merge
securitycontextconstraints.security.openshift.io/my-scc patched
  5. Create Pod in namespace: ``` apiVersion: v1 kind: Pod metadata: name: simple-pod spec: containers:
    • command:
    • /bin/sh
    • -c
    • | sleep infinity image: registry.access.redhat.com/rhel7/rhel-tools:latest imagePullPolicy: Always name: simple-deployment resources: {} securityContext: {} serviceAccount: meiyansvcacct ```
  6. Confirm the new pod is using custom scc: 
    $ oc get pod -o 'custom-columns=NAME:metadata.name,APPLIED SCC:metadata.annotations.openshift\.io/scc'
NAME         APPLIED SCC
simple-pod   my-scc
  7. WIP
Read More

How to enable NET_ADMIN permission to a deployment?

  1. Create a custom scc my-scc: 
    $ cat scc.yaml 
kind: SecurityContextConstraints
apiVersion: v1
metadata:
  name: my-scc
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities:
  - NET_ADMIN
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
fsGroup:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
users:
  - system:admin
  2. Create a new service account mysvcacct: 
    $ oc create sa mysvcacct -n $NAMESPACE
  3. Add SCC my-scc to SA mysvcacct: 
    $ oc adm policy add-scc-to-user my-scc -z mysvcacct
  4. Create a deployment with serviceAccountName and securityContext: ``` $ cat simple-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: labels: app: simple-deployment app.kubernetes.io/component: simple-deployment app.kubernetes.io/instance: simple-deployment app.kubernetes.io/part-of: simple-deployment app.openshift.io/runtime: redhat name: simple-deployment spec: replicas: 1 selector: matchLabels: app: simple-deployment type: Recreate template: metadata: labels: app: simple-deployment deploymentconfig: simple-deployment spec: serviceAccountName: mysvcacct containers:
    • image: registry.access.redhat.com/rhel7/rhel-tools:latest imagePullPolicy: Always name: simple-deployment command:
      • /bin/sh
      • -c
      • | sleep infinity resources: {} securityContext: capabilities: add:
        • NET_ADMIN ```
  5. Comfirm scc my-scc is used by the pod: 
    $ oc -n ${NAMESPACE} get pod -o 'custom-columns=NAME:metadata.name,APPLIED SCC:metadata.annotations.openshift\.io/scc'
NAME                                 APPLIED SCC
simple-deployment-5c675b55b6-6cr5t   my-scc
  6. Confirm ip route can be edited inside of the pod: 
    $ oc rsh simple-deployment-5c675b55b6-6cr5t
sh-4.2# ip r
default via 10.128.2.1 dev eth0 
10.128.0.0/14 dev eth0 
10.128.2.0/23 dev eth0 proto kernel scope link src 10.128.3.158 
172.30.0.0/16 via 10.128.2.1 dev eth0 
224.0.0.0/4 dev eth0 
sh-4.2# ip r del 224.0.0.0/4 dev eth0 
sh-4.2# ip r add 224.0.0.0/4 dev eth0 
sh-4.2#
Read More

How to update configurations for existing overcloud with director operator?

  1. Create new file workaround.yaml to pass new passwords: 
    [root@dell-r640-009 deploy]# tree
.
|-- tripleo_deploy_tarball
|   |-- net-config-two-nic-vlan-computedpdk-qe.yaml
|   |-- net-config-two-nic-vlan-computedpdksriov-qe.yaml
|   |-- net-config-two-nic-vlan-computehci_leaf1.yaml
|   |-- net-config-two-nic-vlan-computehci_leaf2.yaml
|   |-- net-config-two-nic-vlan-computehci.yaml
|   |-- net-config-two-nic-vlan-compute_leaf1.yaml
|   |-- net-config-two-nic-vlan-compute_leaf2.yaml
|   |-- net-config-two-nic-vlan-computesriov-qe.yaml
|   |-- net-config-two-nic-vlan-compute.yaml
|   `-- roles_data.yaml
`-- tripleo_heat_envs
 |-- cloud-names.yaml
 |-- containers-prepare-parameter.yaml
 |-- debug.yaml
 |-- network-common.yaml
 |-- network-environment.yaml
 |-- register-nic-templates.yaml
 |-- selinux.yaml
 |-- storage-backend.yaml
 |-- tls-certs.yaml
 |-- tls.yaml
 |-- updates.yaml
 `-- workarounds.yaml <-------------------------------
2 directories, 22 files
Read More

Installing packages with yum failed with error "unable to get local issuer certificate"

When installing packages or performing yum repolist:

# vi /var/log/dnf.log
2023-06-14T21:47:23-0400 DEBUG error: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://www.example.com/content/dist/layered/rhel8/x86_64/ansible/2.9/os/repodata/repomd.xml [SSL certificate problem: unable to get local issuer certificate] (https://www.example.com/content/dist/layered/rhel8/x86_64/ansible/2.9/os/repodata/repomd.xml).
2023-06-14T21:47:23-0400 WARNING Errors during downloading metadata for repository 'rhosp-ansible-2.9':
  - Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://www.example.com/content/dist/layered/rhel8/x86_64/ansible/2.9/os/repodata/repomd.xml [SSL certificate problem: unable to get local issuer certificate]
Read More

PTP troubleshooting on openshift

Check NIC driver & firmware version

Login to openshift nodes with ptp pod running on: ``` sh-4.4# ethtool -i ens1f0 driver: ice version: 1.11.16 <——- driver version firmware-version: 4.20 0x8001778b 1.3346.0 <——— firmware version expansion-rom-version: bus-info: 0000:10:00.0 supports-statistics: yes supports-test: yes supports-eeprom-access: yes supports-register-dump: yes supports-priv-flags: yes

Read More