
daemon: mount writable /tmp for mstconfig lockfiles #146

Merged
e0ne merged 1 commit into Mellanox:network-operator-26.1.x from rollandf:tmpdir
Feb 2, 2026

Conversation

@rollandf rollandf commented Feb 1, 2026

When running with readOnlyRootFilesystem enabled, mstconfig fails to create its lockfiles because the path /tmp/mstflint_lockfiles is hardcoded in the mstflint source code.

This patch adds an emptyDir volume mounted at /tmp to provide a writable location for these lockfiles while maintaining the security benefits of a read-only root filesystem for the rest of the container.

When running with readOnlyRootFilesystem enabled, mstconfig fails to
create its lockfiles because the path /tmp/mstflint_lockfiles is
hardcoded in the mstflint source code.

This patch adds an emptyDir volume mounted at /tmp to provide a
writable location for these lockfiles while maintaining the security
benefits of a read-only root filesystem for the rest of the container.

Signed-off-by: Fred Rolland <frolland@nvidia.com>
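For reference, an illustrative DaemonSet fragment showing the pattern this PR describes: the container keeps readOnlyRootFilesystem enabled, and an emptyDir volume named tmp is mounted at /tmp so mstconfig can create /tmp/mstflint_lockfiles. This is an added example, not the project's bindata/manifests/daemon/daemonset.yaml; the container name, image, labels and the sizeLimit value are assumptions, and sizeLimit is an optional bound that the PR itself does not add.

```yaml
# Constructed example: not the project's own manifest. Container name,
# image, labels and sizeLimit are assumptions; the volume name "tmp" and
# the /tmp mount path are the ones the PR describes.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: sriov-network-config-daemon
spec:
  selector:
    matchLabels:
      app: sriov-network-config-daemon
  template:
    metadata:
      labels:
        app: sriov-network-config-daemon
    spec:
      containers:
        - name: sriov-network-config-daemon          # assumed container name
          image: example.invalid/sriov-network-config-daemon:placeholder  # placeholder image
          securityContext:
            # The root filesystem stays read-only. Without the /tmp mount
            # below, mstconfig fails to create /tmp/mstflint_lockfiles.
            readOnlyRootFilesystem: true
          volumeMounts:
            - name: tmp
              mountPath: /tmp                        # writable location for the lockfiles
      volumes:
        - name: tmp
          emptyDir:
            # Optional (not in the PR): bounds the writable space so a
            # misbehaving process cannot fill the node's ephemeral storage.
            sizeLimit: 64Mi
```

Only /tmp becomes writable; every other path in the container still rejects writes, which is the property the commit message calls out.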

github-actions bot commented Feb 1, 2026

Thanks for your PR.
To run vendor CIs, maintainers can use one of:

  • /test-all: To run all tests for all vendors.
  • /test-e2e-all: To run all E2E tests for all vendors.
  • /test-e2e-nvidia-all: To run all E2E tests for NVIDIA vendor.

To skip the vendor CIs, maintainers can use one of:

  • /skip-all: To skip all tests for all vendors.
  • /skip-e2e-all: To skip all E2E tests for all vendors.
  • /skip-e2e-nvidia-all: To skip all E2E tests for NVIDIA vendor.

Best regards.

@heyvister1 heyvister1 left a comment

Nice and elegant. Thanks.
I think that this should also be accepted upstream.

@rollandf rollandf marked this pull request as ready for review February 2, 2026 08:30

greptile-apps bot commented Feb 2, 2026

Greptile Overview

Greptile Summary

This PR adds a writable /tmp directory to the sriov-network-config-daemon container to fix mstconfig failures when readOnlyRootFilesystem is enabled. The mstconfig tool (from mstflint) has a hardcoded path /tmp/mstflint_lockfiles for creating lockfiles during firmware configuration operations.

Changes:

  • Added emptyDir volume named tmp
  • Mounted the volume at /tmp in the daemon container

Impact:

  • Fixes runtime failures when configuring Mellanox NIC firmware with read-only root filesystem
  • Maintains security posture by keeping root filesystem read-only while providing minimal writable space
  • Uses standard Kubernetes emptyDir pattern for temporary writable storage

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk
  • The change is minimal, well-scoped, and follows Kubernetes best practices by using emptyDir for temporary writable storage. It solves a real runtime failure without compromising security.
  • No files require special attention

Important Files Changed

Filename: bindata/manifests/daemon/daemonset.yaml
Overview: Added emptyDir volume for /tmp to enable mstconfig lockfile creation with readOnlyRootFilesystem

Sequence Diagram

sequenceDiagram
    participant K8s as Kubernetes
    participant Pod as sriov-network-config-daemon Pod
    participant Container as Daemon Container
    participant EmptyDir as /tmp emptyDir Volume
    participant mstconfig as mstconfig Binary
    participant Lockfiles as /tmp/mstflint_lockfiles

    K8s->>Pod: Create DaemonSet Pod
    K8s->>EmptyDir: Create emptyDir volume (tmp)
    K8s->>Container: Start container with readOnlyRootFilesystem=true
    K8s->>Container: Mount emptyDir at /tmp
    
    Note over Container: Root filesystem is read-only
    Note over EmptyDir: /tmp is writable via emptyDir

    Container->>mstconfig: Execute mstconfig command
    mstconfig->>Lockfiles: Create lockfile at /tmp/mstflint_lockfiles
    Note over Lockfiles: Path hardcoded in mstflint source
    Lockfiles-->>mstconfig: Lockfile created successfully
    mstconfig->>Container: Configure NIC firmware
    mstconfig-->>Container: Operation complete
    
    Note over Container,EmptyDir: Security maintained: only /tmp is writable

@greptile-apps greptile-apps bot left a comment

1 file reviewed, no comments

@e0ne e0ne merged commit 4be10b0 into Mellanox:network-operator-26.1.x Feb 2, 2026
10 of 13 checks passed