Bug 1039726

Summary: old nodejs apps have root-owned dependency symlinks
Product: OpenShift Online Reporter: Andy Grimm <agrimm>
Component: ContainersAssignee: Dan Mace <dmace>
Status: CLOSED CURRENTRELEASE QA Contact: libra bugs <libra-bugs>
Severity: medium Docs Contact:
Priority: medium    
Version: 2.xCC: bmeng, jgoulding
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-01-30 00:52:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Andy Grimm 2013-12-09 21:04:43 UTC 
A user reported problems doing a git push to an old nodejs-0.6 app.  I looked at his gear and found that the the rsync from app-deployments/<timestamp>/dependencies/ to app-root/runtime/dependencies/ because there were root-owned symlinks in nodejs/node_modules/ and rsync was trying to make the ownership match the deployment directory's links.

I compared his gear to various other nodejs gears on the same node, and I found that old gears have these links owned by root, while in newer gears, they are owned by the user.  I suspect that many other users with old nodejs apps (created before June 6th or so) have this same problem, and we just haven't heard from many of them yet.

The workaround is to simply delete the root-owned symlinks and do another git push.  It seems like it would be fairly straightforward to add this to a gear migration script, but it's worth mentioning that doing a chown as root did not work (maybe due to selinux policy of some sort?); I had to remove the links and repopulate them.
Comment 1 Dan Mace 2013-12-10 15:38:58 UTC 
https://github.com/openshift/li/pull/2222
Comment 2 openshift-github-bot 2013-12-10 17:18:43 UTC 
Commit pushed to master at https://github.com/openshift/li

https://github.com/openshift/li/commit/3b70512681c28bdd451bf308beaceb032df11890
Bug 1039726: Fix ownership of files in deployments dirs during upgrade
Comment 3 openshift-github-bot 2013-12-10 18:15:39 UTC 
Commit pushed to master at https://github.com/openshift/li

https://github.com/openshift/li/commit/fb1563dfb101080a9c449d5464aaafbf99c57aeb
Bug 1039726: Fix ownership of files in deployments dirs during upgrade
Comment 4 Meng Bo 2013-12-11 07:12:58 UTC 
Manually change the owner and the selinux label for the nodejs app to simulate the issue.

[root@ip-10-45-150-206 runtime]# ls -Zd build-dependencies dependencies
drwxr-x---. root root system_u:object_r:openshift_var_lib_t:s0 build-dependencies
drwxr-x---. root root system_u:object_r:openshift_var_lib_t:s0 dependencies

After upgrade to devenv_4120 (where the fix merged), and migrate the gears. The ownership issue has been fixed.

[root@ip-10-45-150-206 runtime]# ls -Zd build-dependencies dependencies
drwxr-x---. 52a8074851549dbc38000052 52a8074851549dbc38000052 system_u:object_r:openshift_var_lib_t:s0:c0,c1002 build-dependencies
drwxr-x---. 52a8074851549dbc38000052 52a8074851549dbc38000052 system_u:object_r:openshift_var_lib_t:s0:c0,c1002 dependencies

Will move the bug to verified once the fix is merged into stage branch.
Comment 5 Meng Bo 2013-12-11 07:24:23 UTC 
For the symlink part,

Before upgrade:
[root@ip-10-45-150-206 nodejs]# ls -Z node_modules
lrwxrwxrwx. root                     root                     unconfined_u:object_r:openshift_var_lib_t:s0 node_modules -> /var/lib/openshift/52a8074851549dbc38000052/app-root/runtime/dependencies/nodejs/node_modules

After upgrade:
[root@ip-10-45-150-206 nodejs]# ls -Z node_modules
lrwxrwxrwx. 52a8074851549dbc38000052 52a8074851549dbc38000052 system_u:object_r:openshift_var_lib_t:s0:c0,c1002 node_modules -> /var/lib/openshift/52a8074851549dbc38000052/app-root/runtime/dependencies/nodejs/node_modules
Comment 6 Meng Bo 2013-12-12 07:44:25 UTC 
@dan
Will this fix pulled to STAGE for sprint37? I found there are two PRs for this fix on STG, but did not get the ami which contains the PRs.
Comment 7 Dan Mace 2013-12-12 14:09:23 UTC 
Meng,

It didn't make the stage cut, so we'll be applying the patch manually later on.
Comment 9 Meng Bo 2013-12-13 06:07:39 UTC 
The fix has been merged into devenv-stage_613

Checked on devnev-stage_613, issue has been fixed.

After migrate, the owner_ship has been updated

lrwxrwxrwx. 52aa9f60931fa01f34000007 52aa9f60931fa01f34000007 system_u:object_r:openshift_var_lib_t:s0:c0,c1000 node_modules -> /var/lib/openshift/52aa9f60931fa01f34000007/app-root/runtime/dependencies/nodejs/node_modules