Bug 1230586
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Pod can not read its NFS volume files when the node has selinux enforced | | |
| Product: | OKD | Reporter: | Jianwei Hou <jhou> |
| Component: | Storage | Assignee: | Jhon Honce <jhonce> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Liang Xia <lxia> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 3.x | CC: | jhonce, jialiu, libra-bugs |
| Target Milestone: | --- | | |
| Target Release: | 3.x | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| | 1231100 | Environment: | |
| Last Closed: | 2015-07-07 23:48:10 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1231100 | | |
Seems like this is a docker selinux issue in RHEL7.1: all the docker mount operations (docker run --volume=[]) would be denied by selinux when the system is in enforcing mode, regardless of whether it is an NFS mount.

```
docker-1.6.2-8.el7.x86_64
docker-selinux-1.6.2-8.el7.x86_64
selinux-policy-3.13.1-23.el7_1.7.noarch
selinux-policy-targeted-3.13.1-23.el7_1.7.noarch
```

Running setsebool virt_use_nfs 1 should resolve the issue.

Verified with:

```
openshift v0.6.0.1-38-g0e02a6b
kubernetes v0.17.1-804-g496be63
```

```
# getsebool virt_use_nfs
virt_use_nfs --> on
```

NFS works now.
Description of problem:
Given the environment has selinux enforced, create a pod with an nfs volume and run 'ls' against the mount path of the nfs volume from the pod; the error 'permission denied' is returned.

Version-Release number of selected component (if applicable):
openshift v0.6.0.0-55-g733cf86
kubernetes v0.17.1-804-g496be6

How reproducible:
Always

Steps to Reproduce:
1. Create PV, PVC and Pod

PV:
```
{
  "apiVersion": "v1",
  "kind": "PersistentVolume",
  "metadata": {
    "name": "nfs"
  },
  "spec": {
    "capacity": {
      "storage": "5Gi"
    },
    "accessModes": [
      "ReadWriteOnce"
    ],
    "nfs": {
      "path": "/nfsshare",
      "server": "10.66.79.155"
    }
  }
}
```

PVC:
```
{
  "apiVersion": "v1",
  "kind": "PersistentVolumeClaim",
  "metadata": {
    "name": "nfsc"
  },
  "spec": {
    "accessModes": [
      "ReadWriteOnce"
    ],
    "resources": {
      "requests": {
        "storage": "5Gi"
      }
    }
  }
}
```

Pod:
```
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {
    "name": "mypod",
    "labels": {
      "name": "frontendhttp"
    }
  },
  "spec": {
    "containers": [
      {
        "name": "myfrontend",
        "image": "nginx",
        "ports": [
          {
            "containerPort": 80,
            "name": "http-server"
          }
        ],
        "volumeMounts": [
          {
            "mountPath": "/usr/share/nginx/html",
            "name": "pvol"
          }
        ]
      }
    ],
    "volumes": [
      {
        "name": "pvol",
        "persistentVolumeClaim": {
          "claimName": "nfsc"
        }
      }
    ]
  }
}
```

2. oc get pods, make sure the pod is running
3. List files of mountPath '/usr/share/nginx/html' from the pod: oc exec -p mypod ls /usr/share/nginx/html
4. Set selinux to permissive: setenforce 0
5. Repeat step 3

Actual results:
After step 3:
```
# oc exec -p mypod ls /usr/share/nginx/html
ls: cannot open directory /usr/share/nginx/html: Permission denied
error: Error executing remote command: Error executing command in container: Error executing in Docker Container: 2
```

After step 5: Was able to list the files of the nfs volume
```
# oc exec -p mypod ls /usr/share/nginx/html
test1
test2
test_retain
```

Expected results:
Should successfully list the files

Additional info:
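A node-side triage script for the symptom in this report, added here as an example and not part of the bug or of OpenShift: it counts audit AVC denials in which a container domain is refused access to nfs_t-labelled files and combines that with the getsebool virt_use_nfs state the comment above identifies as the fix. The sample AVC lines, the domain names svirt_lxc_net_t and container_t, and the verdict wording are assumptions of the example.

```shell
#!/bin/sh
# Added triage helper, not from the bug report: tells whether a pod's NFS
# "Permission denied" is the SELinux case from this bug (container domain
# denied on nfs_t while virt_use_nfs is off). Audit lines come from stdin.

# Constructed sample AVC records in the RHEL 7.1 docker layout (container
# domain svirt_lxc_net_t, NFS files labelled nfs_t), not from a real host;
# the third line is an unrelated httpd denial that must not be counted.
SAMPLE_AVC='type=AVC msg=audit(1434000000.101:301): avc:  denied  { read } for  pid=2101 comm="ls" name="/" dev="0:41" ino=2 scontext=system_u:system_r:svirt_lxc_net_t:s0:c12,c34 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1434000000.102:302): avc:  denied  { getattr } for  pid=2101 comm="ls" path="/test1" dev="0:41" ino=17 scontext=system_u:system_r:svirt_lxc_net_t:s0:c12,c34 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1434000000.103:303): avc:  denied  { write } for  pid=900 comm="httpd" name="index.html" dev="dm-0" ino=5 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Count enforced denials where a container domain (svirt_lxc_net_t on
# RHEL 7.1 docker, container_t on newer policy) touched nfs_t objects.
count_container_nfs_denials() {
    n=0
    while IFS= read -r line; do
        case "$line" in
            *avc:*denied*scontext=*:svirt_lxc_net_t:*tcontext=*:nfs_t:*permissive=0*) n=$((n + 1)) ;;
            *avc:*denied*scontext=*:container_t:*tcontext=*:nfs_t:*permissive=0*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Interpret one line of "getsebool virt_use_nfs" output; exit 0 means the boolean is on.
virt_use_nfs_is_on() {
    case "$1" in
        "virt_use_nfs --> on") return 0 ;;
        *) return 1 ;;
    esac
}

# Turn the two signals into a one-line verdict (assumed wording).
diagnose() {
    denials=$1; bool_line=$2
    if virt_use_nfs_is_on "$bool_line"; then
        echo "virt_use_nfs is already on; the NFS denial is not this bug"
    elif [ "$denials" -gt 0 ]; then
        echo "container domain denied on nfs_t with virt_use_nfs off; fix: setsebool -P virt_use_nfs 1"
    else
        echo "virt_use_nfs is off but no matching AVC seen; run ausearch -m avc -ts recent"
    fi
}

# Offline run on the constructed sample; on a real node pipe in
# "ausearch -m avc --raw" and pass "$(getsebool virt_use_nfs)" instead.
denials=$(printf '%s\n' "$SAMPLE_AVC" | count_container_nfs_denials)
diagnose "$denials" "virt_use_nfs --> off"
```

The -P on setsebool makes the boolean survive a reboot, which the one-off setsebool in the comment above does not.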