diff --git a/cmd/server.go b/cmd/server.go
index 5fba439837cf..ef6943a953bf 100644
--- a/cmd/server.go
+++ b/cmd/server.go
@@ -23,8 +23,6 @@ import (
 "syscall"
 "time"
- "github.com/Mirantis/mke/pkg/performance"
- "github.com/avast/retry-go"
 "github.com/pkg/errors"
 "github.com/sirupsen/logrus"
@@ -36,6 +34,7 @@ import (
 "github.com/Mirantis/mke/pkg/component/server"
 "github.com/Mirantis/mke/pkg/component/worker"
 "github.com/Mirantis/mke/pkg/constant"
+ "github.com/Mirantis/mke/pkg/performance"
 "github.com/Mirantis/mke/pkg/util"
 "github.com/Mirantis/mke/pkg/apis/v1beta1"
@@ -89,10 +88,16 @@ func startServer(ctx *cli.Context) error {
 if err != nil {
 return err
 }
- componentManager := component.NewManager()
+
+ // create directories early with the proper permissions
+ if err = util.InitDirectory(constant.DataDir, constant.DataDirMode); err != nil {
+ return err
+ }
 if err := util.InitDirectory(constant.CertRootDir, constant.CertRootDirMode); err != nil {
 return err
 }
+
+ componentManager := component.NewManager()
 certificateManager := certificate.Manager{}
 var join = false
diff --git a/inttest/footloose-alpine/Dockerfile b/inttest/footloose-alpine/Dockerfile
index 9d70afc12084..0238485961b1 100644
--- a/inttest/footloose-alpine/Dockerfile
+++ b/inttest/footloose-alpine/Dockerfile
@@ -18,6 +18,8 @@ RUN echo "#!/bin/sh" > /etc/local.d/machine-id.start \
 && echo "fi" >> /etc/local.d/machine-id.start \
 && chmod +x /etc/local.d/machine-id.start
+RUN adduser -H -S -s /sbin/nologin etcd
+
 # Put kubectl into place to ease up debugging
 RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.19.0/bin/linux/amd64/kubectl \
 && chmod +x ./kubectl \
diff --git a/pkg/certificate/manager.go b/pkg/certificate/manager.go
index cb78b453ba1c..87b27ff9d6fc 100644
--- a/pkg/certificate/manager.go
+++ b/pkg/certificate/manager.go
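Review bot: The comment `// create directories early with the proper permissions` only holds for a fresh node if `util.InitDirectory` creates but does not chmod an already existing directory — I cannot see its body from here, but on an upgraded node /var/lib/mke and /var/lib/mke/pki would then keep whatever mode an older release set, which matters now that this commit changes CertRootDirMode. Either confirm InitDirectory normalizes the mode of an existing directory or record the limitation, e.g. `// create directories early with the proper permissions (NOTE: only applied on first creation if InitDirectory does not chmod existing dirs — verify)`. Separately, the new call assigns with `err =` while the very next line shadows with `err :=`; pick one form, e.g. `if err := util.InitDirectory(constant.DataDir, constant.DataDirMode); err != nil {`. startServer continues past the end of the hunk.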
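Review bot: `RUN adduser -H -S -s /sbin/nologin etcd` creates only the user, while the server side of this commit also resolves a group via `util.GetGID(constant.Group)` and silently falls back when that lookup fails, so the fixture should create the group that constant is expected to name rather than rely on BusyBox adduser implicitly adding a same-named group. If constant.Group is `etcd`, make it explicit so the integration image exercises the real path: `RUN addgroup -S etcd && adduser -H -S -s /sbin/nologin -G etcd etcd`. If constant.Group names something else, the image needs that group instead — the constant is not visible from here.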
@@ -63,10 +63,6 @@ func (m *Manager) EnsureCA(name, cn string) error {
 return nil
 }
- if err := util.InitDirectory(filepath.Dir(keyFile), constant.CertRootDirMode); err != nil {
- return errors.Wrapf(err, "failed to create pki dir")
- }
-
 req := new(csr.CertificateRequest)
 req.KeyRequest = csr.NewKeyRequest()
 req.KeyRequest.A = "rsa"
diff --git a/pkg/component/server/etcd.go b/pkg/component/server/etcd.go
index e9dfbca4f24f..09c4dfcf6099 100644
--- a/pkg/component/server/etcd.go
+++ b/pkg/component/server/etcd.go
@@ -65,13 +65,24 @@ func (e *Etcd) Init() error {
 if err != nil {
 logrus.Warning(errors.Wrap(err, "Running etcd as root"))
 }
+ e.gid, _ = util.GetGID(constant.Group)
 err = util.InitDirectory(constant.EtcdDataDir, constant.EtcdDataDirMode) // https://docs.datadoghq.com/security_monitoring/default_rules/cis-kubernetes-1.5.1-1.1.11/
 if err != nil {
 return errors.Wrapf(err, "failed to create %s", constant.EtcdDataDir)
 }
- e.gid, _ = util.GetGID(constant.Group)
+ err = util.InitDirectory(constant.EtcdCertDir, constant.EtcdCertDirMode) // https://docs.datadoghq.com/security_monitoring/default_rules/cis-kubernetes-1.5.1-4.1.7/
+ if err != nil {
+ return errors.Wrapf(err, "failed to create etcd cert dir")
+ }
+
+ for _, f := range []string{constant.EtcdDataDir, constant.EtcdCertDir} {
+ err = os.Chown(f, e.uid, e.gid)
+ if err != nil {
+ return err
+ }
+ }
 for _, f := range []string{
 "ca.crt",
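Review bot: `e.gid, _ = util.GetGID(constant.Group)` discards the lookup error, so on a host without that group e.gid keeps its zero value and the new `os.Chown` loop hands the etcd data and cert directories to gid 0 without a single log line — unlike the uid lookup just above, which at least warns about running as root. Mirror that handling: `if e.gid, err = util.GetGID(constant.Group); err != nil {` / `logrus.Warning(errors.Wrap(err, "etcd group not found, falling back to root group"))` / `}`. Also, `os.Chown` is not recursive, so a data directory already populated by a release that ran etcd as root keeps root-owned members after this change; if that is accepted, say so with `// non-recursive: only the directory entry itself is re-owned`. This assumes `os` is already imported in etcd.go (no import hunk is shown) and that e.uid was assigned before this hunk; Init starts and ends outside the hunk.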
@@ -130,10 +141,6 @@ func (e *Etcd) Run() error {
 if util.FileExists(etcdCaCert) && util.FileExists(etcdCaCertKey) {
 logrus.Warnf("etcd ca certs already exists, not gonna overwrite. If you wish to re-sync them, delete the existing ones.")
 } else {
- err := util.InitDirectory(filepath.Dir(etcdCaCertKey), constant.CertSecureMode) // https://docs.datadoghq.com/security_monitoring/default_rules/cis-kubernetes-1.5.1-4.1.7/
- if err != nil {
- return errors.Wrapf(err, "failed to create etcd cert dir")
- }
 err = ioutil.WriteFile(etcdCaCertKey, etcdResponse.CA.Key, constant.CertSecureMode)
 if err != nil {
 return err
@@ -143,6 +150,11 @@ func (e *Etcd) Run() error {
 if err != nil {
 return err
 }
+ for _, f := range []string{filepath.Dir(etcdCaCertKey), etcdCaCertKey, etcdCaCert} {
+ if err := os.Chown(f, e.uid, e.gid); err != nil {
+ return err
+ }
+ }
 }
 args = append(args, fmt.Sprintf("--initial-cluster=%s", strings.Join(etcdResponse.InitialCluster, ",")))
diff --git a/pkg/constant/constant.go b/pkg/constant/constant.go
index 3421b23660b6..8a0d82373f22 100644
--- a/pkg/constant/constant.go
+++ b/pkg/constant/constant.go
@@ -27,7 +27,7 @@ const (
 // CertRootDir defines the root location for all pki related artifacts
 CertRootDir = "/var/lib/mke/pki"
 // CertRootDirMode is the expected directory permissions for CertRootDir.
- CertRootDirMode = 0750
+ CertRootDirMode = 0751
 //EtcdCertDir contains etcd certificates
 EtcdCertDir = "/var/lib/mke/pki/etcd"
 // EtcdCertDirMode is the expected directory permissions for EtcdCertDir
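Review bot: The new chown loop sits inside the `else` branch that writes fresh CA files, so a node whose etcd CA cert and key already exist (the warn-and-skip branch shown in this function's previous hunk) is never re-owned; certificates laid down by a release before this commit keep their old owner, and if the key was written with an owner-only mode the etcd process running as e.uid cannot open it. Hoist the loop to just after the if/else so it runs on both paths — close the branch with `}` and follow it with `for _, f := range []string{filepath.Dir(etcdCaCertKey), etcdCaCertKey, etcdCaCert} {` with the loop body unchanged. `filepath.Dir(etcdCaCertKey)` is presumably the same directory Init() already chowns as constant.EtcdCertDir; if so the directory entry here is redundant but harmless. Run starts before this hunk and continues after it.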
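Review bot: `CertRootDirMode = 0751` makes /var/lib/mke/pki searchable by every local user, which is broader than what the rest of this commit appears to need — letting an unprivileged etcd user reach the etcd subdirectory. World-execute alone does not expose file contents while the per-file modes stay restrictive, but it lets any user probe known paths under pki; a tighter option is to keep 0750 and chgrp CertRootDir to the etcd group, or add the etcd user to the owning group. Whichever is chosen, the doc comment should explain why the mode is not 0750, e.g. `// CertRootDirMode is the expected directory permissions for CertRootDir; o+x so the unprivileged etcd user can traverse into EtcdCertDir (contents stay protected by their own modes).` This also only works if constant.DataDirMode permits traversal of /var/lib/mke, which is outside this hunk.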