Bug 1271611

Summary: Permission denied when writing to the dir where the AWS EBS volume is mounted, with SELinux permissive
Product: OKD
Reporter: Chao Yang <chaoyang>
Component: Storage
Assignee: Sami Wagiaalla <swagiaal>
Status: CLOSED NOTABUG
QA Contact: Liang Xia <lxia>
Severity: medium
Docs Contact:
Priority: medium
Version: 3.x
CC: aos-bugs, bchilds, chaoyang, mmcgrath
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-02 15:29:32 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Chao Yang 2015-10-14 11:30:49 UTC
Description of problem:
Permission denied when writing to the dir where the AWS EBS volume is mounted

Version-Release number of selected component (if applicable):
oc v1.0.6-328-gdf1f19e
kubernetes v1.1.0-alpha.1-653-g86b4e77

How reproducible:
always

Steps to Reproduce:
1. create a pod
apiVersion: v1
kind: Pod
metadata:
  name: aws-web
spec:
  containers:
    - name: web
      image: jhou/hello-openshift
      ports:
        - name: web
          containerPort: 80
          protocol: TCP   # the API accepts TCP or UDP in upper case
      volumeMounts:
        - name: html-volume
          mountPath: "/usr/share/nginx/html"
  volumes:
    - name: html-volume
      awsElasticBlockStore:
        volumeID: aws://us-east-1d/vol-dabedb20
        fsType: ext4

[root@ip-172-18-12-131 ~]# oc get pods
NAME      READY     STATUS    RESTARTS   AGE
aws-web   1/1       Running   0          26m

2. set SELinux to permissive
setenforce 0

3. check the write permission

[root@ip-172-18-12-131 ~]# oc exec aws-web -ti -- bash
bash-4.2$ touch /usr/share/nginx/html/file1
touch: cannot touch '/usr/share/nginx/html/file1': Permission denied


Actual results:
could not write to the dir where the AWS EBS volume is mounted

Expected results:
should have write permission

Additional info:
"read" permission is correct

Comment 1 Sami Wagiaalla 2015-10-29 13:31:56 UTC
Please provide the following:

oc exec aws-web id
and
ls -Zd <path to where the disk is mounted on the host>

It is likely that the user in the container does not match the owner of the device in which case this is not a bug.

Comment 2 Chao Yang 2015-11-02 03:03:00 UTC
Hi, see the results below:

bash-4.2$ ls -Zd /usr/share/nginx/html/
drwxrwsr-x. root 1000020000 system_u:object_r:svirt_sandbox_file_t:s0:c0,c5 /usr/share/nginx/html/


[root@ip-172-18-9-96 ~]# oc exec aws-web id
uid=1000020000 gid=0(root)

Comment 3 Sami Wagiaalla 2015-11-02 15:29:32 UTC
Okay, so this is not a bug.
The volume is owned by root, but the user inside the container is 1000020000. Either change the volume owner to 1000020000 or add the group from the volume (which also happens to be 1000020000) as a SupplementalGroup.
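The outcome of this thread is worth making concrete, because the symptom (permission denied with SELinux permissive and a correct svirt_sandbox_file_t context) points at discretionary owner/group/mode checks, not at SELinux. The following is an added example, not code from the bug report or from OpenShift: it models the POSIX access check the kernel applied in Comment 2 (directory root:1000020000 with mode drwxrwsr-x, process uid=1000020000 gid=0 and no supplementary groups), shows why read succeeds while write fails, and shows the fix from Comment 3 applied to the reporter's pod spec. The names Cred, Inode, can_access, parse_ls_mode and with_supplemental_groups are hypothetical helpers written for this example; spec.securityContext.supplementalGroups is the real Kubernetes v1 field. Root bypass via CAP_DAC_OVERRIDE is modelled as "uid 0 always passes", which is an assumption about the container's capability set.

```python
import copy
import stat
from dataclasses import dataclass

# Hypothetical types for this example only.
@dataclass(frozen=True)
class Cred:
    uid: int
    gid: int
    groups: frozenset = frozenset()  # supplementary group ids


@dataclass(frozen=True)
class Inode:
    owner: int
    group: int
    mode: int  # permission bits incl. setuid/setgid/sticky, e.g. 0o2775


def parse_ls_mode(ls_mode: str) -> int:
    """Turn an `ls -l` type+mode string such as 'drwxrwsr-x' into mode bits."""
    mode = 0
    for i, ch in enumerate(ls_mode[1:10]):   # skip the file-type character
        bitpos = 8 - i                        # owner r is bit 8 (0o400), other x is bit 0
        if ch in "rwx":
            mode |= 1 << bitpos
        elif ch in "sS":                      # setuid/setgid; lower-case also has x
            mode |= stat.S_ISUID if i == 2 else stat.S_ISGID
            if ch == "s":
                mode |= 1 << bitpos
        elif ch in "tT":                      # sticky bit on the other-x position
            mode |= stat.S_ISVTX
            if ch == "t":
                mode |= 1 << bitpos
    return mode


def can_access(cred: Cred, inode: Inode, want: str) -> bool:
    """POSIX DAC check. `want` is a subset of 'rwx'.

    Exactly one permission class is consulted: owner if uid matches, else group
    if gid or any supplementary group matches, else other. A denied owner class
    is never rescued by more permissive group/other bits.
    """
    if cred.uid == 0:                         # assumption: CAP_DAC_OVERRIDE present
        return True
    if cred.uid == inode.owner:
        bits = (inode.mode >> 6) & 0o7
    elif cred.gid == inode.group or inode.group in cred.groups:
        bits = (inode.mode >> 3) & 0o7
    else:
        bits = inode.mode & 0o7
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return bits & need == need


def with_supplemental_groups(pod: dict, gids: list) -> dict:
    """Return a copy of the pod spec with spec.securityContext.supplementalGroups set."""
    fixed = copy.deepcopy(pod)
    sc = fixed["spec"].setdefault("securityContext", {})
    sc["supplementalGroups"] = list(gids)
    return fixed


# Values taken from Comment 2 of the bug: `ls -Zd` and `id` output.
VOLUME_DIR = Inode(owner=0, group=1000020000, mode=parse_ls_mode("drwxrwsr-x"))
CONTAINER_USER = Cred(uid=1000020000, gid=0)

# The reporter's pod, reduced to the fields relevant here (constructed from the report).
POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "aws-web"},
    "spec": {
        "containers": [{"name": "web", "image": "jhou/hello-openshift",
                        "volumeMounts": [{"name": "html-volume",
                                          "mountPath": "/usr/share/nginx/html"}]}],
        "volumes": [{"name": "html-volume",
                     "awsElasticBlockStore": {"volumeID": "aws://us-east-1d/vol-dabedb20",
                                              "fsType": "ext4"}}],
    },
}


def container_user_with_fix(pod: dict) -> Cred:
    """Credentials the container process gets once supplementalGroups is applied."""
    gids = pod["spec"].get("securityContext", {}).get("supplementalGroups", [])
    return Cred(uid=CONTAINER_USER.uid, gid=CONTAINER_USER.gid, groups=frozenset(gids))


if __name__ == "__main__":
    print("read  before fix:", can_access(CONTAINER_USER, VOLUME_DIR, "r"))   # True
    print("write before fix:", can_access(CONTAINER_USER, VOLUME_DIR, "w"))   # False
    fixed_pod = with_supplemental_groups(POD, [VOLUME_DIR.group])
    print("write after fix: ", can_access(container_user_with_fix(fixed_pod), VOLUME_DIR, "w"))
```

The directory's group write bit and setgid bit (the `s` in `drwxrwsr-x`) are exactly what supplementalGroups is designed to use: the process keeps uid 1000020000 and gid 0 but gains 1000020000 as a supplementary group, so the group class is selected and write passes; files it creates inherit the directory's group because of setgid. Changing the volume owner instead would select the owner class for the same effect.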