Last active
May 10, 2024 00:30
-
-
Save JohnStrunk/72953876611edea05be7fd302ea6e8ea to your computer and use it in GitHub Desktop.
Block access to privileged container
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| # PVC for a block device we want to access | |
| kind: PersistentVolumeClaim | |
| apiVersion: v1 | |
| metadata: | |
| name: block-pvc | |
| spec: | |
| storageClassName: local-block | |
| accessModes: | |
| - ReadWriteOnce | |
| volumeMode: Block | |
| resources: | |
| requests: | |
| storage: 10Gi | |
| --- | |
| kind: Pod | |
| apiVersion: v1 | |
| metadata: | |
| name: centos | |
| spec: | |
| initContainers: | |
| # This init container just makes a copy of the block device file into the | |
| # shared volume so that the privileged container can pick it up. | |
| - name: blkdevmapper | |
| image: centos:7 | |
| command: ["/bin/bash", "-c"] | |
| args: ["cp -a /blkdev /mnt/blkdev"] | |
| volumeDevices: | |
| - name: block | |
| devicePath: "/blkdev" | |
| volumeMounts: | |
| - mountPath: "/mnt" | |
| name: blkdevbridge | |
| containers: | |
| - name: centos | |
| image: centos:7 | |
| command: ["/bin/bash", "-c"] | |
| args: ["yum install -y lvm2 && sleep infinity"] | |
| args: | |
| # From existing gluster containers: | |
| # - Disable udev | |
| # - Disable lvmetad | |
| # Additional stuff: | |
| # - Change lv scanning to also look in /mnt (where we put the PV block device) | |
| # - Change device filter rules to only see devices in /mnt | |
| # The crazy sed line for filter is so that it only replaces the 1st occurrence | |
| - >- | |
| yum install -y lvm2 && | |
| sed -i -e "s#udev_sync = 1#udev_sync = 0#" /etc/lvm/lvm.conf && | |
| sed -i -e "s#udev_rules = 1#udev_rules = 0#" /etc/lvm/lvm.conf && | |
| sed -i -e "s#use_lvmetad = 1#use_lvmetad = 0#" /etc/lvm/lvm.conf && | |
| sed -i -e 's#scan = \[ "/dev" \]#scan = [ "/dev", "/mnt" ]#' | |
| /etc/lvm/lvm.conf && | |
| sed -i -e '0,/# filter =.*/{s%# filter =.*% | |
| filter = [ "a|^/mnt/.*|", "r|.*/|" ]%}' | |
| /etc/lvm/lvm.conf && | |
| sleep infinity | |
| securityContext: | |
| privileged: true | |
| # We would like this container to act as though the following were | |
| # possible: | |
| # volumeDevices: | |
| # - name: block | |
| # devicePath: "/mnt/blkdev" | |
| volumeMounts: | |
| - mountPath: "/mnt" | |
| name: blkdevbridge | |
| volumes: | |
| - name: block | |
| persistentVolumeClaim: | |
| claimName: block-pvc | |
| # This is a volume shared between the unprivileged init container and the | |
| # privileged main container so that we can get the block volume in. | |
| - name: blkdevbridge | |
| emptyDir: | |
| medium: Memory |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Came across this and did some googling to figure out how the sed command works
'0,/# filter =.*/{s%# filter =.*% filter = [ "a|^/mnt/.*|", "r|.*/|" ]%}'0,/# filter =.*/{SED_COMMAND}# filter =.*/{s%# filter =.*% filter = [ "a|^/mnt/.*|", "r|.*/|" ]%}# filter =.*withfilter = [ "a|^/mnt/.*|", "r|.*/|" ]%