idxd: Make root filesystem read-only

Signed-off-by: Oleg Zhurakivskyy <oleg.zhurakivskyy@intel.com>

Author: ozhuraki

build/docker/intel-idxd-config-initcontainer.Dockerfile

@@ -1,4 +1,4 @@
-# Copyright 2021 Intel Corporation. All Rights Reserved.
+# Copyright 2021-2022 Intel Corporation. All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -57,8 +57,11 @@ RUN ldconfig && mkdir -p /licenses/accel-config
 COPY --from=builder /usr/bin/accel-config /usr/bin/
 COPY --from=builder /accel-config.tar.gz /licenses/accel-config/
 
-ADD demo/idxd-init.sh /idxd-init/
+ADD demo/idxd-init.sh /usr/local/bin/
 ADD demo/dsa.conf /idxd-init/
+ADD demo/iaa.conf /idxd-init/
+
+RUN mkdir /idxd-init/scratch
 
 WORKDIR /idxd-init
-ENTRYPOINT bash idxd-init.sh
+ENTRYPOINT bash /usr/local/bin/idxd-init.sh

demo/idxd-init.sh

@@ -28,8 +28,8 @@ for i in $(accel-config list --idle | jq '.[].dev' | sed -ne "s/\"$DEV\([0-9]\+\
 
     [ -f "conf/$DEV-$NODE_NAME.conf" ] && config="conf/$DEV-$NODE_NAME.conf"
 
-    sed "s/X/${i}/g" < "$config" > "$dev.conf"
+    sed "s/X/${i}/g" < "$config" > scratch/"$dev.conf"
 
-    cmd accel-config load-config -e -c "$dev.conf"
+    cmd accel-config load-config -e -c scratch/"$dev.conf"
 
 done

deployments/dsa_plugin/overlays/dsa_initcontainer/dsa_initcontainer.yaml

@@ -14,16 +14,21 @@ spec:
                 fieldPath: spec.nodeName
         image: intel/intel-idxd-config-initcontainer:devel
         securityContext:
+          readOnlyRootFilesystem: true
           privileged: true
         volumeMounts:
         - mountPath: /sys/devices
           name: sys-devices
         - mountPath: /idxd-init/conf
           name: intel-dsa-config-volume
+        - mountPath: /idxd-init/scratch
+          name: scratch
       volumes:
       - name: sys-devices
         hostPath:
           path: /sys/devices
       - name: intel-dsa-config-volume
         configMap:
           name: intel-dsa-config
+      - name: scratch
+        emptyDir: {}

deployments/iaa_plugin/overlays/iaa_initcontainer/iaa_initcontainer.yaml

@@ -16,16 +16,21 @@ spec:
             value: "iaa"
         image: intel/intel-idxd-config-initcontainer:devel
         securityContext:
+          readOnlyRootFilesystem: true
           privileged: true
         volumeMounts:
         - mountPath: /sys/devices
           name: sys-devices
         - mountPath: /idxd-init/conf
           name: intel-iaa-config-volume
+        - mountPath: /idxd-init/scratch
+          name: scratch
       volumes:
       - name: sys-devices
         hostPath:
           path: /sys/devices
       - name: intel-iaa-config-volume
         configMap:
           name: intel-iaa-config
+      - name: scratch
+        emptyDir: {}

pkg/controllers/dsa/controller.go

@@ -98,7 +98,7 @@ func removeInitContainer(ds *apps.DaemonSet, dp *devicepluginv1.DsaDevicePlugin)
 	newVolumes := []v1.Volume{}
 
 	for _, volume := range ds.Spec.Template.Spec.Volumes {
-		if volume.Name == "intel-dsa-config-volume" || volume.Name == "sys-devices" {
+		if volume.Name == "intel-dsa-config-volume" || volume.Name == "sys-devices" || volume.Name == "scratch" {
 			continue
 		}
 
@@ -130,13 +130,18 @@ func addInitContainer(ds *apps.DaemonSet, dp *devicepluginv1.DsaDevicePlugin) {
 			},
 		},
 		SecurityContext: &v1.SecurityContext{
-			Privileged: &yes,
+			ReadOnlyRootFilesystem: &yes,
+			Privileged:             &yes,
 		},
 		VolumeMounts: []v1.VolumeMount{
 			{
 				Name:      "sys-devices",
 				MountPath: "/sys/devices",
 			},
+			{
+				Name:      "scratch",
+				MountPath: "/idxd-init/scratch",
+			},
 		},
 	})
 	ds.Spec.Template.Spec.Volumes = append(ds.Spec.Template.Spec.Volumes, v1.Volume{
@@ -147,6 +152,12 @@ func addInitContainer(ds *apps.DaemonSet, dp *devicepluginv1.DsaDevicePlugin) {
 			},
 		},
 	})
+	ds.Spec.Template.Spec.Volumes = append(ds.Spec.Template.Spec.Volumes, v1.Volume{
+		Name: "scratch",
+		VolumeSource: v1.VolumeSource{
+			EmptyDir: &v1.EmptyDirVolumeSource{},
+		},
+	})
 
 	if dp.Spec.ProvisioningConfig != "" {
 		ds.Spec.Template.Spec.Volumes = append(ds.Spec.Template.Spec.Volumes, v1.Volume{

pkg/controllers/iaa/controller.go

@@ -96,7 +96,7 @@ func removeInitContainer(ds *apps.DaemonSet, dp *devicepluginv1.IaaDevicePlugin)
 	newVolumes := []v1.Volume{}
 
 	for _, volume := range ds.Spec.Template.Spec.Volumes {
-		if volume.Name == "intel-iaa-config-volume" || volume.Name == "sys-devices" {
+		if volume.Name == "intel-iaa-config-volume" || volume.Name == "sys-devices" || volume.Name == "scratch" {
 			continue
 		}
 
@@ -128,13 +128,18 @@ func addInitContainer(ds *apps.DaemonSet, dp *devicepluginv1.IaaDevicePlugin) {
 			},
 		},
 		SecurityContext: &v1.SecurityContext{
-			Privileged: &yes,
+			ReadOnlyRootFilesystem: &yes,
+			Privileged:             &yes,
 		},
 		VolumeMounts: []v1.VolumeMount{
 			{
 				Name:      "sys-devices",
 				MountPath: "/sys/devices",
 			},
+			{
+				Name:      "scratch",
+				MountPath: "/idxd-init/scratch",
+			},
 		},
 	})
 	ds.Spec.Template.Spec.Volumes = append(ds.Spec.Template.Spec.Volumes, v1.Volume{
@@ -145,6 +150,12 @@ func addInitContainer(ds *apps.DaemonSet, dp *devicepluginv1.IaaDevicePlugin) {
 			},
 		},
 	})
+	ds.Spec.Template.Spec.Volumes = append(ds.Spec.Template.Spec.Volumes, v1.Volume{
+		Name: "scratch",
+		VolumeSource: v1.VolumeSource{
+			EmptyDir: &v1.EmptyDirVolumeSource{},
+		},
+	})
 
 	if dp.Spec.ProvisioningConfig != "" {
 		ds.Spec.Template.Spec.Volumes = append(ds.Spec.Template.Spec.Volumes, v1.Volume{