From cc00e3fd923796ab10c0375d6dddbe3759b84ddd Mon Sep 17 00:00:00 2001
From: Alan Meadows
Date: Wed, 11 Apr 2018 08:52:30 -0700
Subject: [PATCH] Allow ntpd service to be optional

This allows ntpd to be disabled in both the privileged rack and region controllers for use cases where we do not wish these processes to conflict with ntpd on the physical host running the containers. This method as opposed to overriding sysvinit style scripts and potentially other ways to launch ntpd that may exist appears to be the safest way to ensure it does not ever run.
Change-Id: Ib52727becc1849a2a75d2d62d1c51553047a8fcf
---
 charts/maas/templates/bin/_ntpd.sh.tpl | 7 +++++++
 charts/maas/templates/configmap-bin.yaml | 2 ++
 charts/maas/templates/deployment-rack.yaml | 6 ++++++
 charts/maas/templates/statefulset-region.yaml | 6 ++++++
 charts/maas/values.yaml | 6 ++++++
 5 files changed, 27 insertions(+)
 create mode 100644 charts/maas/templates/bin/_ntpd.sh.tpl
diff --git a/charts/maas/templates/bin/_ntpd.sh.tpl b/charts/maas/templates/bin/_ntpd.sh.tpl
new file mode 100644
index 0000000..35292a0
--- /dev/null
+++ b/charts/maas/templates/bin/_ntpd.sh.tpl
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# This is a stub ntpd process that will simply do nothing
+
+while true; do
+ sleep 1000
+done
\ No newline at end of file
diff --git a/charts/maas/templates/configmap-bin.yaml b/charts/maas/templates/configmap-bin.yaml
index f448d5e..7dae307 100644
--- a/charts/maas/templates/configmap-bin.yaml
+++ b/charts/maas/templates/configmap-bin.yaml
@@ -39,3 +39,5 @@ data:
 {{ tuple "bin/_register-rack-controller.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
 maas-test.sh: |
 {{ tuple "bin/_maas-test.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ ntpd.sh: |
+{{ tuple "bin/_ntpd.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
diff --git a/charts/maas/templates/deployment-rack.yaml b/charts/maas/templates/deployment-rack.yaml
index ce89d79..202c78e 100644
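Review bot: The stub in `_ntpd.sh.tpl` ignores its arguments and never exits, so any caller that runs `/usr/sbin/ntpd` expecting it to return (a one-shot sync or a version probe) would block indefinitely once the script is mounted over the binary; whether such callers exist in the image is not visible from this patch. The header comment should state that contract, for example `# Mounted over /usr/sbin/ntpd when conf.maas.ntp.disable_ntpd_* is true; never syncs time and never exits`. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while the file is new.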
--- a/charts/maas/templates/deployment-rack.yaml
+++ b/charts/maas/templates/deployment-rack.yaml
@@ -69,6 +69,12 @@ spec:
 securityContext:
 privileged: true
 volumeMounts:
+{{- if .Values.conf.maas.ntp.disable_ntpd_rack }}
+ - name: maas-bin
+ mountPath: /usr/sbin/ntpd
+ subPath: ntpd.sh
+ readOnly: true
+{{- end }}
 - name: maas-bin
 mountPath: /tmp/start.sh
 subPath: start.sh
diff --git a/charts/maas/templates/statefulset-region.yaml b/charts/maas/templates/statefulset-region.yaml
index 9a80810..4a82a53 100644
--- a/charts/maas/templates/statefulset-region.yaml
+++ b/charts/maas/templates/statefulset-region.yaml
@@ -96,6 +96,12 @@ spec:
 mountPath: /etc/nsswitch.conf
 subPath: nsswitch.conf
 readOnly: true
+{{- if .Values.conf.maas.ntp.disable_ntpd_region }}
+ - name: maas-bin
+ mountPath: /usr/sbin/ntpd
+ subPath: ntpd.sh
+ readOnly: true
+{{- end }}
 {{- if $mounts_maas_region.volumeMounts }}{{ toYaml $mounts_maas_region.volumeMounts | indent 12 }}{{ end }}
 volumes:
 - name: maas-etc
diff --git a/charts/maas/values.yaml b/charts/maas/values.yaml
index 43f0f41..8b8f4bb 100644
--- a/charts/maas/values.yaml
+++ b/charts/maas/values.yaml
@@ -129,6 +129,12 @@ conf:
 url:
 maas_url: null
 ntp:
+ # These options allow you to mock out the ntpd binary within the container
+ # by overwriting it with a script that simply sleeps - this is useful in
+ # environments where you do not wish these privileged containers to try and
+ # run ntpd that may conflict with the baremetal host
+ disable_ntpd_region: false
+ disable_ntpd_rack: false
 # Use external only points region and rack serves and deployed nodes directly
 # at external NTP servers. Otherwise we have nodes -> rack -> region -> external
 use_external_only: false
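Review bot: The new mount over `/usr/sbin/ntpd` in deployment-rack.yaml only behaves as intended if the `maas-bin` volume is projected with execute bits; the volume definition is outside this hunk, so confirm its `defaultMode`. Without them, starting the service would fail with a permission error instead of idling. The same applies to the matching block in statefulset-region.yaml. Because this container is `privileged: true`, `readOnly: true` guards against accidental writes but is not an enforcement boundary: a root process inside can still unmount the stub or start a time daemon from another path, so "does not ever run" holds only for the packaged ntpd service. A template comment above the `if` would record the intent, e.g. `{{/* Shadow ntpd with a sleep stub so this privileged container does not compete with the host's ntpd */}}`.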
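Review bot: The new values.yaml comment does not say how `disable_ntpd_region` and `disable_ntpd_rack` interact with `use_external_only`. With either flag `true` and `use_external_only: false`, the existing comment below still describes `nodes -> rack -> region -> external`, yet those containers no longer run a real ntpd. Whether the host's ntpd answers on those addresses depends on host networking that this patch does not show. I would add a line such as `# If ntpd is disabled here, set use_external_only: true or ensure the host ntpd serves the nodes`. The word "overwriting" is also inaccurate, since the templates mount a stub over the binary rather than replacing it.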