origin: Wrong permissions used on pv directories in oc cluster up.
When using oc cluster up (1.5.0-rc.0), the persistent volume directories are created with permission 0770, e.g.:
4 drwxr-xr-x 103 root root 4096 Mar 22 02:53 .
4 drwxr-xr-x 3 root root 4096 Mar 22 02:52 ..
4 drwxrwx--- 2 root root 4096 Mar 22 02:52 pv0001
4 drwxrwx--- 2 root root 4096 Mar 22 02:52 pv0002
4 drwxrwx--- 2 root root 4096 Mar 22 02:52 pv0003
This will work fine if images are being forced to run as an assigned uid, and thus end up defaulting to run as group root, as they can still write to the directory via the group when the persistent volume is mounted.
This will also work if images are run as root, as they still run as group root in that case, as well as the fact that the directory is owned by root.
This will fail though if using anyuid and the image was set up to run with some other assigned uid.
So if the image had UID 1001 and that mapped to a valid user in the passwd file which used group users, it will be prevented from being able to see inside of the directory as o+rwx is missing on the directory.
Version
v1.5.0-rc.0
Steps To Reproduce
Use oc cluster up.
Grant anyuid role to project by running oc adm policy add-scc-to-user anyuid -z default -n myproject.
Run any image which has USER set to be some user in the passwd file which doesn’t have group of root.
Mount persistent volume into container.
Try and access the mounted directory.
$ ls -las
ls: cannot open directory .: Permission denied
Current Result
Application in container cannot access the persistent volume.
Expected Result
Application should be able to access the persistent volume.
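The access failure described in this report follows directly from the classic Unix owner/group/other check on a 0770 root:root directory. The script below is an added example, not code from the issue or from the origin project: it parses the mode strings from the listing above, models the discretionary access check, and runs it over the three situations the report describes (assigned uid with gid 0, root, and an anyuid image whose USER is 1001 in group users). The numeric UIDs/GIDs are constructed sample values, the "uid 0 bypasses the check" rule assumes the container's root keeps CAP_DAC_OVERRIDE, and the two remediation rows (a more permissive mode, or ownership matching the container uid) are illustrations of what would make the check pass rather than the thread's own workaround command.

```python
# Added example (not from the issue or from openshift/origin): model the Unix DAC
# check to show why a 0770 root:root PV directory works for some container UIDs
# and fails for others. All UIDs/GIDs below are constructed sample values.


def parse_ls_mode(mode_str):
    """Convert an `ls -l` mode string such as 'drwxrwx---' into permission bits (0o770).

    Only the nine rwx positions are read. 's'/'t' count as set, 'S'/'T' as clear,
    which is all the listing in the report needs.
    """
    perms = mode_str[1:10]
    if len(perms) != 9:
        raise ValueError("expected a 10-character ls mode string, got %r" % mode_str)
    mode = 0
    for ch in perms:
        mode = (mode << 1) | (1 if ch in "rwxst" else 0)
    return mode


def effective_bits(mode, owner_uid, owner_gid, uid, gids):
    """Return (r, w, x) for a process with `uid` and group set `gids`.

    Classic rule: the owner class applies if the uid matches, otherwise the group
    class if any of the process's groups matches, otherwise the 'other' class.
    uid 0 is treated as bypassing the check (assumes CAP_DAC_OVERRIDE is retained).
    """
    if uid == 0:
        return (True, True, True)
    if uid == owner_uid:
        cls = (mode >> 6) & 0o7
    elif owner_gid in gids:
        cls = (mode >> 3) & 0o7
    else:
        cls = mode & 0o7
    return (bool(cls & 4), bool(cls & 2), bool(cls & 1))


def can_use_pv_dir(mode, owner_uid, owner_gid, uid, gids):
    """True if the process can list (r+x) and create files in (w+x) the directory."""
    r, w, x = effective_bits(mode, owner_uid, owner_gid, uid, gids)
    return r and w and x


PV_MODE = parse_ls_mode("drwxrwx---")  # 0o770, as shown for pv0001 in the report
PV_OWNER = (0, 0)  # root:root, as shown in the report


def issue_scenarios():
    """The cases from the report plus two illustrative remediations, as name -> bool."""
    assigned_uid = 1000080000  # constructed: a uid of the kind the restricted SCC assigns
    return {
        "restricted scc: assigned uid, gid 0": can_use_pv_dir(PV_MODE, *PV_OWNER, assigned_uid, {0}),
        "anyuid, image runs as root": can_use_pv_dir(PV_MODE, *PV_OWNER, 0, {0}),
        "anyuid, image USER 1001 in group users": can_use_pv_dir(PV_MODE, *PV_OWNER, 1001, {100}),
        "same image after mode 0777 (illustrative)": can_use_pv_dir(0o777, *PV_OWNER, 1001, {100}),
        "same image after chown to 1001 (illustrative)": can_use_pv_dir(PV_MODE, 1001, 0, 1001, {100}),
    }


if __name__ == "__main__":
    for name, ok in issue_scenarios().items():
        print("%-48s %s" % (name, "ok" if ok else "Permission denied"))
```

Running it prints "Permission denied" only for the USER 1001 / group users row, which is exactly the `ls: cannot open directory .: Permission denied` case in the steps above; the first two rows pass because gid 0 or uid 0 lands in the owner or group class of the 0770 directory.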
About this issue
- State: closed
- Created 7 years ago
- Comments: 33 (13 by maintainers)
Should add that workaround is to run:
after oc cluster up has been started. You need to wait a while since pv directories are created in the background and that may take a little while.
@glennodickson This issue is about a corner case that people would in most cases never encounter. This is because it relates to using images not built to best practices.
Is there a reason or a specific problem you are having which made you think this issue was a good place to comment as you did?
Must agree. I’ve been using Openshift for some time now and it’s been rather tricky to get stuff to work. When things don’t work (like persistence) consecutively you can’t help but feel rather discouraged. I’ve continued on as I do see value, but in comparison to other platforms it needs to work more reliably. For example, moving to Nexus 3 has been a pain with some permission issue; as a developer I just need it to work so I can progress.
I do think Openshift has a lot to offer just frustrated at the moment!
“oc cluster up” is the fastest and easiest way for a developer with Docker installed to start running an OpenShift cluster that lets them test, develop, and iterate locally on apps.
It is not
On Wed, Mar 22, 2017 at 10:36 PM, Steve Kuznetsov notifications@github.com wrote:
Unless they are smart developers and use something like oc-cluster or similar which lowers the entry barrier. Still confused on what oc cluster is meant for. 😐