odo: We can't create a component using image builder - redhat-openjdk18-openshift:1.4

Bug

We can't create a component using redhat-openjdk18-openshift:1.4 and this command odo create redhat-openjdk18-openshift:1.4 sb2 --local ./src, as the initContainer will fail to start and will report the following error:

oc logs  sb2-springbootapp-1-f79q2 -c copy-files-to-volume
mkdir: cannot create directory '/mnt/app-root.setup-volume': Permission denied
tar: /opt/app-root: Cannot open: No such file or directory
tar: Error is not recoverable: exiting now
tar: This does not look like a tar archive
tar: Exiting with failure status due to previous errors
mv: cannot stat '/mnt/app-root.setup-volume': No such file or directory

Here is the pod’s resource created by odo

apiVersion: v1
kind: Pod
metadata:
  annotations:
    alpha.image.policy.openshift.io/resolve-names: '*'
    openshift.io/deployment-config.latest-version: '4'
    openshift.io/deployment-config.name: sb2-springbootapp
    openshift.io/deployment.name: sb2-springbootapp-4
    openshift.io/scc: anyuid
  creationTimestamp: '2019-01-31T10:42:13Z'
  generateName: sb2-springbootapp-4-
  labels:
    deployment: sb2-springbootapp-4
    deploymentconfig: sb2-springbootapp
  name: sb2-springbootapp-4-f2qkm
  namespace: demo
  ownerReferences:
    - apiVersion: v1
      blockOwnerDeletion: true
      controller: true
      kind: ReplicationController
      name: sb2-springbootapp-4
      uid: dd034d7e-2544-11e9-b20d-107b44b03540
  resourceVersion: '12478526'
  selfLink: /api/v1/namespaces/demo/pods/sb2-springbootapp-4-f2qkm
  uid: deaa6c85-2544-11e9-b20d-107b44b03540
spec:
  containers:
    - args:
        - '-c'
        - /var/lib/supervisord/conf/supervisor.conf
      command:
        - /var/lib/supervisord/bin/supervisord
      env:
        - name: ODO_S2I_DEPLOYMENT_DIR
          value: /deployments
        - name: ODO_S2I_SCRIPTS_URL
          value: /usr/local/s2i
        - name: ODO_S2I_SCRIPTS_PROTOCOL
          value: 'image://'
        - name: ODO_S2I_SRC_BIN_PATH
          value: /tmp
      image: >-
        registry.access.redhat.com/redhat-openjdk-18/openjdk18-openshift@sha256:6c009f430da02bdcff618a7dcd085d7d22547263eeebfb8d6377a4cf6f58769d
      imagePullPolicy: IfNotPresent
      name: sb2-springbootapp
      ports:
        - containerPort: 8080
          name: 8080-tcp
          protocol: TCP
        - containerPort: 8443
          name: 8443-tcp
          protocol: TCP
        - containerPort: 8778
          name: 8778-tcp
          protocol: TCP
      resources: {}
      securityContext:
        capabilities:
          drop:
            - MKNOD

As you can see, the annotation openshift.io/scc is defined as anyuid and not as restricted when we make a test on minishift, and as a consequence the scc is not defined as such:

securityContext:
  capabilities:
    drop:
      - KILL
      - MKNOD
      - SETGID
      - SETUID
  runAsUser: 1000160000

odo version: 0.0.17 cluster: okd 3.11 running on centos7

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 15 (15 by maintainers)
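
The difference between the two securityContext fragments in the issue above can be checked mechanically. The following Python code is an added example, not part of the original issue or of odo: it takes a pod manifest as produced by oc get pod -o json and reports when the pod was admitted under an SCC other than restricted, when a container has no runAsUser, and when the capability drops shown in the restricted fragment are missing. The function name audit_pod and the two sample pods are constructed for illustration.

```python
import json

# Capabilities the issue shows as dropped when the pod runs under "restricted".
RESTRICTED_DROPS = {"KILL", "MKNOD", "SETGID", "SETUID"}


def audit_pod(pod, expected_scc="restricted"):
    """Return findings for a pod dict (as loaded from `oc get pod -o json`)."""
    findings = []
    scc = pod.get("metadata", {}).get("annotations", {}).get("openshift.io/scc")
    if scc != expected_scc:
        findings.append(f"pod admitted under SCC {scc!r}, expected {expected_scc!r}")
    spec = pod.get("spec", {})
    pod_uid = (spec.get("securityContext") or {}).get("runAsUser")
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind, []):
            sc = c.get("securityContext") or {}
            # A container-level runAsUser overrides the pod-level one.
            if sc.get("runAsUser", pod_uid) is None:
                findings.append(f"{kind}/{c['name']}: no runAsUser assigned, "
                                "image default user applies")
            dropped = set((sc.get("capabilities") or {}).get("drop") or [])
            missing = sorted(RESTRICTED_DROPS - dropped)
            if missing:
                findings.append(f"{kind}/{c['name']}: capabilities not dropped: "
                                + ", ".join(missing))
    return findings


# Constructed samples, reduced from the two fragments quoted in the issue.
ANYUID_POD = {
    "metadata": {"annotations": {"openshift.io/scc": "anyuid"}},
    "spec": {"containers": [{
        "name": "sb2-springbootapp",
        "securityContext": {"capabilities": {"drop": ["MKNOD"]}}}]},
}
RESTRICTED_POD = {
    "metadata": {"annotations": {"openshift.io/scc": "restricted"}},
    "spec": {"containers": [{
        "name": "sb2-springbootapp",
        "securityContext": {
            "runAsUser": 1000160000,
            "capabilities": {"drop": ["KILL", "MKNOD", "SETGID", "SETUID"]}}}]},
}

if __name__ == "__main__":
    import sys
    # With a file argument, audit that manifest; otherwise use the sample.
    pod = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else ANYUID_POD
    for line in audit_pod(pod) or ["no findings"]:
        print(line)
```
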

Most upvoted comments

I can resolve this problem after changing the SCC of the serviceaccount used to create the pod from anyuid to restricted

oc adm policy add-scc-to-user restricted -z default        
scc "restricted" added to: ["system:serviceaccount:demo:default"]

Questions:

  • Do we have to change the UID/permissions needed/used to create within the initcontainer -> mkdir -p $DEST.setup-volume?
  • Do we have to document this problem somewhere and tell the DevOps guy what to do?