Merge pull request #109 from rollandf/updates-26.1.x

rollandf · web-flow · commit 64f16c3cce4a · 2025-12-23T12:35:37.000+02:00
Cherry-pick downstream PRs into 26.1.x
diff --git a/bindata/manifests/daemon/daemonset.yaml b/bindata/manifests/daemon/daemonset.yaml
@@ -141,6 +141,8 @@ spec:
               mkdir -p /host/var/lib/sriov/
               cp /usr/bin/sriov-network-config-daemon /host/var/lib/sriov/sriov-network-config-daemon
               chcon -t bin_t /host/var/lib/sriov/sriov-network-config-daemon || true # Allow systemd to run the file, use pipe true to not failed if the system doesn't have selinux or apparmor enabled
+              cp /bindata/scripts/kargs.sh /host/var/lib/sriov/kargs.sh
+              chcon -t bin_t /host/var/lib/sriov/kargs.sh | true # Allow systemd to run the file, use pipe true to not failed if the system doesn't have selinux or apparmor enabled
           securityContext:
             privileged: true
           resources:
diff --git a/bindata/scripts/kargs.sh b/bindata/scripts/kargs.sh
@@ -21,14 +21,21 @@ command=$1
 shift
 declare -a kargs=( "$@" )
 ret=0
-args=$(chroot /host/ cat /proc/cmdline)
 
-IS_OS_UBUNTU=true; [[ "$(chroot /host/ grep -i ubuntu /etc/os-release -c)" == "0" ]] && IS_OS_UBUNTU=false
+if [[ -d "/bindata/scripts" ]];then
+    chroot_path="/host/"
+else
+    chroot_path="/"
+fi
+
+args=$(chroot "$chroot_path" cat /proc/cmdline)
+
+IS_OS_UBUNTU=true; [[ "$(chroot "$chroot_path" grep -i ubuntu /etc/os-release -c)" == "0" ]] && IS_OS_UBUNTU=false
 
 if ${IS_OS_UBUNTU} ; then
     grub_config="/etc/default/grub"
     # Operate on the copy of the file
-    cp /host/${grub_config} /tmp/grub
+    cp ${chroot_path}/${grub_config} /tmp/grub
 
     for t in "${kargs[@]}";do
         if [[ $command == "add" ]];then
@@ -51,8 +58,8 @@ if ${IS_OS_UBUNTU} ; then
 
             if [ $found == false ];then
                 # Append to the end of the line
-                t="${arr[@]} ${t}"
-                sed -i "s/\(^\s*GRUB_CMDLINE_LINUX_DEFAULT=\"\)\(.*\)\"/\1${t}\"/" /tmp/grub
+                new_param="${arr[@]} ${t}"
+                sed -i "s/\(^\s*$g\"\)\(.*\)\"/\1${new_param}\"/" /tmp/grub
                 let ret++
             fi
         fi
@@ -64,7 +71,6 @@ if ${IS_OS_UBUNTU} ; then
                 while read line;do
                     if [[ "$line" =~ GRUB_CMDLINE_LINUX ]];then
                         IFS='"' read g param q <<< "$line"
-
                         arr=($param)
                         new_param=""
 
@@ -82,52 +88,52 @@ if ${IS_OS_UBUNTU} ; then
 
     if [ $ret -ne 0 ];then
         # Update grub only if there were changes
-        cp /tmp/grub /host/${grub_config}
-        chroot "/host" update-grub
+        cp /tmp/grub ${chroot_path}/${grub_config}
+        chroot "$chroot_path" update-grub
     fi
 
     echo $ret
     exit 0
 fi
 
-if chroot /host/ test -f /run/ostree-booted ; then
+if chroot "$chroot_path" test -f /run/ostree-booted ; then
     for t in "${kargs[@]}";do
         if [[ $command == "add" ]];then
           if [[ $args != *${t}* ]];then
-              if chroot /host/ rpm-ostree kargs | grep -vq ${t}; then
-                  chroot /host/ rpm-ostree kargs --append ${t} > /dev/null 2>&1
+              if chroot "$chroot_path" rpm-ostree kargs | grep -vq ${t}; then
+                  chroot "$chroot_path" rpm-ostree kargs --append ${t} > /dev/null 2>&1
               fi
               let ret++
           fi
         fi
         if [[ $command == "remove" ]];then
           if [[ $args == *${t}* ]];then
-                if chroot /host/ rpm-ostree kargs | grep -q ${t}; then
-                    chroot /host/ rpm-ostree kargs --delete ${t} > /dev/null 2>&1
+                if chroot "$chroot_path" rpm-ostree kargs | grep -q ${t}; then
+                    chroot "$chroot_path" rpm-ostree kargs --delete ${t} > /dev/null 2>&1
                 fi
                 let ret++
             fi
         fi
     done
 else
-    chroot /host/ which grubby > /dev/null 2>&1
+    chroot "$chroot_path" which grubby > /dev/null 2>&1
     # if grubby is not there, let's tell it
     if [ $? -ne 0 ]; then
         exit 127
     fi
     for t in "${kargs[@]}";do
       if [[ $command == "add" ]];then
         if [[ $args != *${t}* ]];then
-            if chroot /host/ grubby --info=DEFAULT | grep args | grep -vq ${t}; then
-                chroot /host/ grubby --update-kernel=DEFAULT --args=${t} > /dev/null 2>&1
+            if chroot "$chroot_path" grubby --info=DEFAULT | grep args | grep -vq ${t}; then
+                chroot "$chroot_path" grubby --update-kernel=DEFAULT --args=${t} > /dev/null 2>&1
             fi
             let ret++
         fi
       fi
       if [[ $command == "remove" ]];then
           if [[ $args == *${t}* ]];then
-            if chroot /host/ grubby --info=DEFAULT | grep args | grep -q ${t}; then
-                chroot /host/ grubby --update-kernel=DEFAULT --remove-args=${t} > /dev/null 2>&1
+            if chroot "$chroot_path" grubby --info=DEFAULT | grep args | grep -q ${t}; then
+                chroot "$chroot_path" grubby --update-kernel=DEFAULT --remove-args=${t} > /dev/null 2>&1
             fi
             let ret++
           fi
diff --git a/deployment/sriov-network-operator-chart/templates/operator.yaml b/deployment/sriov-network-operator-chart/templates/operator.yaml
@@ -50,6 +50,14 @@ spec:
             requests:
               cpu: 100m
               memory: 100Mi
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: WATCH_NAMESPACE
               valueFrom:
diff --git a/deployment/sriov-network-operator-chart/templates/pre-delete-webooks.yaml b/deployment/sriov-network-operator-chart/templates/pre-delete-webooks.yaml
@@ -23,6 +23,14 @@ spec:
       containers:
         - name: cleanup
           image: {{ .Values.images.operator }}
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            seccompProfile:
+              type: RuntimeDefault
           command:
             - sriov-network-operator-config-cleanup
           args:
diff --git a/pkg/daemon/daemon.go b/pkg/daemon/daemon.go
@@ -341,12 +341,12 @@ func (dn *NodeReconciler) checkSystemdStatus() (*hosttypes.SriovResult, bool, er
 
 	// check if the service exist
 	if serviceEnabled && postNetworkServiceEnabled {
-		exist = true
 		sriovResult, err = dn.hostHelpers.ReadSriovResult()
 		if err != nil {
 			funcLog.Error(err, "failed to load sriov result file from host")
 			return nil, false, err
 		}
+		exist = sriovResult != nil
 	}
 	return sriovResult, exist, nil
 }
diff --git a/pkg/daemon/daemon_test.go b/pkg/daemon/daemon_test.go
@@ -68,7 +68,7 @@ var (
 )
 
 const (
-	waitTime  = 30 * time.Minute
+	waitTime  = 2 * time.Minute
 	retryTime = 5 * time.Second
 	nodeName  = "node1"
 )
@@ -137,6 +137,7 @@ var _ = Describe("Daemon Controller", Ordered, func() {
 		// general
 		hostHelper.EXPECT().Chroot(gomock.Any()).Return(func() error { return nil }, nil).AnyTimes()
 		hostHelper.EXPECT().RunCommand("/bin/sh", gomock.Any(), gomock.Any(), gomock.Any()).Return("", "", nil).AnyTimes()
+		hostHelper.EXPECT().RunCommand("/bin/bash", gomock.Any(), gomock.Any(), gomock.Any()).Return("", "", nil).AnyTimes()
 
 		discoverSriovReturn.Store(&[]sriovnetworkv1.InterfaceExt{})
 
diff --git a/pkg/daemon/plugin_test.go b/pkg/daemon/plugin_test.go
diff --git a/pkg/host/internal/network/network.go b/pkg/host/internal/network/network.go
@@ -458,6 +458,9 @@ func (n *network) DiscoverRDMASubsystem() (string, error) {
 func (n *network) SetRDMASubsystem(mode string) error {
 	log.Log.Info("SetRDMASubsystem(): Updating RDMA subsystem mode", "mode", mode)
 	path := filepath.Join(vars.FilesystemRoot, consts.Host, "etc", "modprobe.d", "sriov_network_operator_modules_config.conf")
+	if _, err := os.Stat(filepath.Join(vars.FilesystemRoot, consts.Host)); errors.Is(err, os.ErrNotExist) {
+		path = filepath.Join(vars.FilesystemRoot, "/etc", "modprobe.d", "sriov_network_operator_modules_config.conf")
+	}
 
 	if mode == "" {
 		err := os.Remove(path)
diff --git a/pkg/platforms/openshift/openshift_test.go b/pkg/platforms/openshift/openshift_test.go
diff --git a/pkg/platforms/platforms.go b/pkg/platforms/platforms.go
diff --git a/pkg/plugins/generic/generic_plugin.go b/pkg/plugins/generic/generic_plugin.go
@@ -19,6 +19,7 @@ package generic
 import (
 	"errors"
 	"fmt"
+	"os"
 	"syscall"
 
 	"sigs.k8s.io/controller-runtime/pkg/log"
@@ -96,7 +97,8 @@ type genericPluginOptions struct {
 	skipBridgeConfiguration bool
 }
 
-const scriptsPath = "bindata/scripts/kargs.sh"
+const daemonScriptsPath = "/bindata/scripts/kargs.sh"
+const systemdScriptsPath = "/var/lib/sriov/kargs.sh"
 
 // Initialize our plugin and set up initial values
 func NewGenericPlugin(helpers helper.HostHelpersInterface, options ...Option) (plugin.VendorPlugin, error) {
@@ -285,7 +287,11 @@ func needDriverCheckVdpaType(state *sriovnetworkv1.SriovNetworkNodeState, driver
 // editKernelArg Tries to add the kernel args via ostree or grubby.
 func editKernelArg(helper helper.HostHelpersInterface, mode, karg string) error {
 	log.Log.Info("generic plugin editKernelArg()", "mode", mode, "karg", karg)
-	_, _, err := helper.RunCommand("/bin/sh", scriptsPath, mode, karg)
+	script := daemonScriptsPath
+	if _, err := os.Stat(consts.Host); errors.Is(err, os.ErrNotExist) {
+		script = systemdScriptsPath
+	}
+	_, _, err := helper.RunCommand("/bin/bash", script, mode, karg)
 	if err != nil {
 		// if grubby is not there log and assume kernel args are set correctly.
 		if utils.IsCommandNotFound(err) {
diff --git a/pkg/render/render.go b/pkg/render/render.go
@@ -79,7 +79,7 @@ func RenderDir(manifestDir string, d *RenderData) ([]*unstructured.Unstructured,
 			return nil
 		}
 
-		objs, err := RenderTemplate(path, d)
+		objs, err := RenderFileTemplate(path, d)
 		if err != nil {
 			return err
 		}
@@ -92,10 +92,14 @@ func RenderDir(manifestDir string, d *RenderData) ([]*unstructured.Unstructured,
 	return out, nil
 }
 
-// RenderTemplate reads, renders, and attempts to parse a yaml or
+func RenderTemplate(template string, d *RenderData) (*bytes.Buffer, error) {
+	return renderTemplate(template, d)
+}
+
+// RenderFileTemplate reads, renders, and attempts to parse a yaml or
 // json file representing one or more k8s api objects
-func RenderTemplate(path string, d *RenderData) ([]*unstructured.Unstructured, error) {
-	rendered, err := renderTemplate(path, d)
+func RenderFileTemplate(path string, d *RenderData) ([]*unstructured.Unstructured, error) {
+	rendered, err := renderFileTemplate(path, d)
 	if err != nil {
 		return nil, err
 	}
@@ -127,8 +131,8 @@ func RenderTemplate(path string, d *RenderData) ([]*unstructured.Unstructured, e
 	return out, nil
 }
 
-func renderTemplate(path string, d *RenderData) (*bytes.Buffer, error) {
-	tmpl := template.New(path).Option("missingkey=error")
+func renderTemplate(rawTemplate string, d *RenderData) (*bytes.Buffer, error) {
+	tmpl := template.New("template").Option("missingkey=error")
 	if d.Funcs != nil {
 		tmpl.Funcs(d.Funcs)
 	}
@@ -137,23 +141,27 @@ func renderTemplate(path string, d *RenderData) (*bytes.Buffer, error) {
 	tmpl.Funcs(template.FuncMap{"getOr": getOr, "isSet": isSet})
 	tmpl.Funcs(sprig.TxtFuncMap())
 
-	source, err := os.ReadFile(path)
-	if err != nil {
-		return nil, errors.Wrapf(err, "failed to read manifest %s", path)
-	}
-
-	if _, err := tmpl.Parse(string(source)); err != nil {
-		return nil, errors.Wrapf(err, "failed to parse manifest %s as template", path)
+	if _, err := tmpl.Parse(rawTemplate); err != nil {
+		return nil, errors.Wrapf(err, "failed to parse manifest %s as template", rawTemplate)
 	}
 
 	rendered := bytes.Buffer{}
 	if err := tmpl.Execute(&rendered, d.Data); err != nil {
-		return nil, errors.Wrapf(err, "failed to render manifest %s", path)
+		return nil, errors.Wrapf(err, "failed to render manifest %s", rawTemplate)
 	}
 
 	return &rendered, nil
 }
 
+func renderFileTemplate(path string, d *RenderData) (*bytes.Buffer, error) {
+	source, err := os.ReadFile(path)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to read manifest %s", path)
+	}
+
+	return renderTemplate(string(source[:]), d)
+}
+
 func formateDeviceList(devs []DeviceInfo) string {
 	out := ""
 	for _, dev := range devs {
@@ -247,7 +255,7 @@ func filterTemplates(toFilter map[string]string, path string, d *RenderData) err
 		}
 
 		// Render the template file
-		renderedData, err := renderTemplate(path, d)
+		renderedData, err := renderFileTemplate(path, d)
 		if err != nil {
 			return err
 		}
diff --git a/pkg/render/render_test.go b/pkg/render/render_test.go
@@ -28,7 +28,7 @@ func TestRenderSimple(t *testing.T) {
 
 	d := MakeRenderData()
 
-	o1, err := RenderTemplate("testdata/manifests/simple.yaml", &d)
+	o1, err := RenderFileTemplate("testdata/manifests/simple.yaml", &d)
 	g.Expect(err).NotTo(HaveOccurred())
 
 	g.Expect(o1).To(HaveLen(1))
@@ -52,7 +52,7 @@ func TestRenderSimple(t *testing.T) {
 	g.Expect(o1[0].MarshalJSON()).To(MatchJSON(expected))
 
 	// test that json parses the same
-	o2, err := RenderTemplate("testdata/manifests/simple.json", &d)
+	o2, err := RenderFileTemplate("testdata/manifests/simple.json", &d)
 	g.Expect(err).NotTo(HaveOccurred())
 	g.Expect(o2).To(Equal(o1))
 }
@@ -63,7 +63,7 @@ func TestRenderMultiple(t *testing.T) {
 	p := "testdata/manifests/multiple.yaml"
 	d := MakeRenderData()
 
-	o, err := RenderTemplate(p, &d)
+	o, err := RenderFileTemplate(p, &d)
 	g.Expect(err).NotTo(HaveOccurred())
 
 	g.Expect(o).To(HaveLen(3))
@@ -80,19 +80,19 @@ func TestTemplate(t *testing.T) {
 
 	// Test that missing variables are detected
 	d := MakeRenderData()
-	_, err := RenderTemplate(p, &d)
+	_, err := RenderFileTemplate(p, &d)
 	g.Expect(err).To(HaveOccurred())
 	g.Expect(err.Error()).To(HaveSuffix(`function "fname" not defined`))
 
 	// Set expected function (but not variable)
 	d.Funcs["fname"] = func(s string) string { return "test-" + s }
-	_, err = RenderTemplate(p, &d)
+	_, err = RenderFileTemplate(p, &d)
 	g.Expect(err).To(HaveOccurred())
 	g.Expect(err.Error()).To(HaveSuffix(`has no entry for key "Namespace"`))
 
 	// now we can render
 	d.Data["Namespace"] = "myns"
-	o, err := RenderTemplate(p, &d)
+	o, err := RenderFileTemplate(p, &d)
 	g.Expect(err).NotTo(HaveOccurred())
 
 	g.Expect(o[0].GetName()).To(Equal("test-podname"))
@@ -111,7 +111,7 @@ func TestTemplateWithEmptyObject(t *testing.T) {
 
 	d := MakeRenderData()
 	d.Data["Enable"] = true
-	o, err := RenderTemplate(p, &d)
+	o, err := RenderFileTemplate(p, &d)
 	g.Expect(err).NotTo(HaveOccurred())
 
 	g.Expect(len(o)).To(Equal(2))

Original file line number	Diff line number	Diff line change
`@@ -341,12 +341,12 @@ func (dn NodeReconciler) checkSystemdStatus() (hosttypes.SriovResult, bool, er`
`341`	`341`
`342`	`342`	`// check if the service exist`
`343`	`343`	`if serviceEnabled && postNetworkServiceEnabled {`
`344`		`- exist = true`
`345`	`344`	`sriovResult, err = dn.hostHelpers.ReadSriovResult()`
`346`	`345`	`if err != nil {`
`347`	`346`	`funcLog.Error(err, "failed to load sriov result file from host")`
`348`	`347`	`return nil, false, err`
`349`	`348`	`}`
	`349`	`+ exist = sriovResult != nil`
`350`	`350`	`}`
`351`	`351`	`return sriovResult, exist, nil`
`352`	`352`	`}`
Original file line number	Diff line number	Diff line change
`@@ -68,7 +68,7 @@ var (`
`68`	`68`	`)`
`69`	`69`
`70`	`70`	`const (`
`71`		`- waitTime = 30 * time.Minute`
	`71`	`+ waitTime = 2 * time.Minute`
`72`	`72`	`retryTime = 5 * time.Second`
`73`	`73`	`nodeName = "node1"`
`74`	`74`	`)`
`@@ -137,6 +137,7 @@ var _ = Describe("Daemon Controller", Ordered, func() {`
`137`	`137`	`// general`
`138`	`138`	`hostHelper.EXPECT().Chroot(gomock.Any()).Return(func() error { return nil }, nil).AnyTimes()`
`139`	`139`	`hostHelper.EXPECT().RunCommand("/bin/sh", gomock.Any(), gomock.Any(), gomock.Any()).Return("", "", nil).AnyTimes()`
	`140`	`+ hostHelper.EXPECT().RunCommand("/bin/bash", gomock.Any(), gomock.Any(), gomock.Any()).Return("", "", nil).AnyTimes()`
`140`	`141`
`141`	`142`	`discoverSriovReturn.Store(&[]sriovnetworkv1.InterfaceExt{})`
`142`	`143`