Bug 1264699

Summary: kubernetes do not respect tpmfiles.d policy
Product: [Fedora] Fedora Reporter: M. Scherer <mscherer>
Component: kubernetesAssignee: Jan Chaloupka <jchaloup>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 22CC: eparis, golang-updates, jcajka, jchaloup, lsm5, nhorman, vbatts
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: kubernetes-1.2.0-0.24.git4a3f9c5.fc24 kubernetes-1.2.0-0.24.git4a3f9c5.fc23 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-07-10 05:57:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Add /run ownership in the specfile none

Description M. Scherer 2015-09-20 21:02:28 UTC 
Description of problem:
/run/kubernetes is listed as unowned. 

]
That's against policy:
https://fedoraproject.org/wiki/Packaging:Tmpfiles.d

Version-Release number of selected component (if applicable):
kubernetes-1.1.0-0.5.gite44c8e6.fc22.x86_64


How reproducible:
each time

Steps to Reproduce:
1. install kubernetes
2. verify with rpm -qf 


Actual results:
# rpm -qf /run/kubernetes/
file /run/kubernetes is not owned by any package


Expected results:
file is owned, and with the right permission.

Additional info:

This also mean that something create /run/kubernetes/ owned as root:root, which prevent kubernetes-apiserver from starting:

Sep 20 14:01:15 gluster2 kube-apiserver[17759]: E0920 14:01:15.230961   17759 server.go:485] Unable to listen for secure (open /var/run/kubernetes/apiserver.crt: no such file or directory); will try again.


And likely linked to http://ask.projectatomic.io/en/question/199/missing-apiservercrt-unable-to-listen-for-secure/

Here is a trivial patch to add that.
Comment 1 M. Scherer 2015-09-20 21:03:40 UTC 
Created attachment 1075354 [details]
Add /run ownership in the specfile
Comment 2 Jan Chaloupka 2015-09-23 08:13:25 UTC 
Thanks for that.
Comment 3 Jan Chaloupka 2016-06-28 13:08:27 UTC 
Installing the latest kubernetes built in rawhide I can see only files generated by kubelet:

ls /run/kubernetes/
kubelet.crt  kubelet.key
Comment 4 Jan Chaloupka 2016-06-28 13:28:41 UTC 
kube-apiserver needs the directory as well (--cert-dir="/var/run/kubernetes") [1].

As kube-apiserver service is run under kube user and kubelet can be installed on the same host, the owner of the directory must be kube. Contrib is already covering that [2]. So, only the ownership of the directory is really missing.

[1] http://kubernetes.io/docs/admin/kube-apiserver/
[2] https://github.com/kubernetes/contrib/blob/master/init/systemd/tmpfiles.d/kubernetes.conf
Comment 5 Fedora Update System 2016-06-28 15:29:53 UTC 
kubernetes-1.2.0-0.23.git4a3f9c5.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-34357c1671
Comment 6 Fedora Update System 2016-06-28 15:30:41 UTC 
kubernetes-1.2.0-0.23.git4a3f9c5.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-38a8c6915d
Comment 7 Fedora Update System 2016-06-29 10:45:23 UTC 
kubernetes-1.2.0-0.24.git4a3f9c5.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-f612484f9e
Comment 8 Fedora Update System 2016-06-29 10:45:53 UTC 
kubernetes-1.2.0-0.24.git4a3f9c5.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-223c8e5da7
Comment 9 Fedora Update System 2016-06-30 22:27:09 UTC 
kubernetes-1.2.0-0.24.git4a3f9c5.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-223c8e5da7
Comment 10 Fedora Update System 2016-06-30 22:54:42 UTC 
kubernetes-1.2.0-0.24.git4a3f9c5.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-f612484f9e
Comment 11 Fedora Update System 2016-07-10 05:57:16 UTC 
kubernetes-1.2.0-0.24.git4a3f9c5.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2016-07-14 00:24:47 UTC 
kubernetes-1.2.0-0.24.git4a3f9c5.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.