Bug 1318764

Summary: EBS PV's are not given the right permissions when being used in Openshift 3.1
Product: OpenShift Container Platform Reporter: Matt Woodson <mwoodson>
Component: StorageAssignee: Paul Morie <pmorie>
Status: CLOSED NOTABUG QA Contact: Jianwei Hou <jhou>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.1.0CC: aos-bugs, pmorie
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-03-23 20:49:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Matt Woodson 2016-03-17 18:12:42 UTC 
Description of problem:

Ops team is creating PV's according to the Openshift 3.1 documentation found here:

https://docs.openshift.com/enterprise/3.1/install_config/persistent_storage/persistent_storage_aws.html

We are basically doing these steps:

1. create volume (same region, az as our OS cluster)
2. create the defintion yaml file on a master
3. add the pv via oc create

When Openshift goes to use the volume, it appears to format the volume, BUT the permssions are not correct and the pod is unable to write to the the volume.

I have spoke with Sami and we believe there is a right way to fix it and a work around.

1. FIX.  We have tested,  and confirmed working, adding fsGroup to the deployment config will correctly create the permissions on the volume.  I was told that Openshift does not add the "fsGroup" setting by default in 3.1, but should in 3.2.  This is hearsay at this point.

2. the workaround.  We need to format and change permissions of the volume when it is created.  This is much more work.


Version-Release number of selected component (if applicable):

3.1.1.6-4

How reproducible:

Very.


Steps to Reproduce:
1. Create volume (as mentioned above, no formatting)
2. Create an app with a persistent volume 
3. When openshift tries to use it, the pod will error.



Expected results:

The pod should mount the volume, format it, and correct the permissions.

Additional info:

In speaking with engineering, they stated:

<engineering> so, in 3.1 (if my memory serves correctly) the field was there which is why you were able to set it on the DC but the support for auto-populating it was not.  XXX put in a PR for 3.2 to set the SCC strategies so that they would start forcing values in that field
<engineering> prior to that you had to either manually set it or you had to set permissions on the directory manually so they were readable
<engineering> but in 3.1 it was found that auto-setting it was breaking almost any template that used volumes so it was set to RunAsAny to turn it off


This *might* be expected behavior of 3.1, but if it is, it's not documented properly.  Using the current docs does not provide a working PV setup.
Comment 1 Paul Morie 2016-03-17 21:21:11 UTC 
Matt, what SCC is your pod being matched against?  FSGroup should be set by default in the restricted and hostns SCCs now, but you will need to specify it for other SCCs.
Comment 2 Paul Morie 2016-03-18 17:30:21 UTC 
I talked to Matt yesterday on IRC and we established that his pod is being matched against the 'restricted' SCC.  He had to run, but we need to understand what the state of the SCC is as a next step.
Comment 3 Matt Woodson 2016-03-23 18:32:21 UTC 
In 3.1, the default "fsGroup" setting in the restricted Security Context needs to be changed to "MustRunAs" in order to allow Openshift to format and set the right permissions.

This can be done with the following command and will be incorporated into our config changes:

oc patch scc/restricted -p '{"fsGroup": {"type": "MustRunAs"}}'
Comment 4 Paul Morie 2016-03-23 20:49:24 UTC 
Closing since this is the expected behavior of 3.1