Bug 1373555

Summary: Unable to run auditd on OpenShift
Product: OpenShift Container Platform
Reporter: Miheer Salunke <misalunk>
Component: openshift-controller-manager
Assignee: Paul Weil <pweil>
Status: CLOSED NOTABUG
QA Contact: zhou ying <yinzhou>
Severity: medium
Priority: medium
Version: 3.2.0
CC: aos-bugs, misalunk, ndordet, pweil
Keywords: UpcomingRelease
Hardware: Unspecified
OS: Unspecified
Last Closed: 2016-09-07 13:07:43 UTC
Type: Bug

Description Miheer Salunke 2016-09-06 15:00:50 UTC
Description of problem:

Unable to run auditd on OpenShift
When running auditd with docker, it runs well. When trying to apply the same configuration in OpenShift, the pod goes into CrashLoopBackOff with the error:

config_manager init complete
Error sending status request (Connection refused)
Error sending enable request (Connection refused)
Unable to set initial audit startup state to 'enable', exiting
The audit daemon is exiting.
Error setting audit daemon pid (Connection refused)


You can find the Dockerfile here: https://github.com/ndox/docker-auditd

Version-Release number of selected component (if applicable):
Openshift Enterprise 3.2.0

How reproducible:
On customer side

Steps to Reproduce:
1. Mentioned in the description

Actual results:
auditd doesn't work on openshift

Expected results:
auditd shall work on openshift

Additional info:

Comment 7 Nicolas Dordet 2016-09-07 07:17:19 UTC
Adding those lines on the DC makes it work:

    spec:
      hostPID: true
      hostIPC: true
      hostNetwork: true


I didn't find any documentation on it. Maybe the documentation could be updated with these elements.

Maybe you can close the bug and update the documentation?

Comment 8 Paul Weil 2016-09-07 12:43:34 UTC
@Nicolas: happy to update docs if necessary. Where were you expecting to find this in the documentation? It is mentioned that SCC can be used to control access to the fields in https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#security-context-constraints and the specific fields are part of the API documentation. However, since usage of those fields is pretty use case dependent, I'm not sure that there is a great place for it.
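
The relationship between the three pod-spec fields from Comment 7 and the SCC controls mentioned in Comment 8, as an added example that is not part of the original bug thread: a Python check of which SCCs would permit a DeploymentConfig's host-namespace requests. The DC and SCC objects are constructed samples with hypothetical names, and only the `allowHostPID`, `allowHostIPC` and `allowHostNetwork` SCC flags are evaluated; real SCC admission checks more than these.

```python
# Added example: all objects below are constructed samples, not from the bug.
# Pod-spec field -> SCC flag that must be true for the field to be admitted.
HOST_FIELDS = {
    "hostPID": "allowHostPID",
    "hostIPC": "allowHostIPC",
    "hostNetwork": "allowHostNetwork",
}

def requested_host_namespaces(dc):
    """Host-namespace fields set to true in the DC's pod template spec."""
    pod_spec = dc.get("spec", {}).get("template", {}).get("spec", {})
    return [f for f in HOST_FIELDS if pod_spec.get(f) is True]

def denied_by_scc(dc, scc):
    """Requested fields that this SCC does not allow (empty list = OK)."""
    return [f for f in requested_host_namespaces(dc)
            if scc.get(HOST_FIELDS[f]) is not True]

def admitting_sccs(dc, sccs):
    """Names of SCCs whose host-namespace flags cover everything requested."""
    return [s["metadata"]["name"] for s in sccs if not denied_by_scc(dc, s)]

# Constructed DC mirroring the fields from Comment 7 (name is hypothetical).
AUDITD_DC = {
    "kind": "DeploymentConfig",
    "metadata": {"name": "auditd-sample"},
    "spec": {"template": {"spec": {
        "hostPID": True, "hostIPC": True, "hostNetwork": True,
        "containers": [{"name": "auditd", "image": "example/auditd"}],
    }}},
}

def _scc(name, pid, ipc, net):
    return {"kind": "SecurityContextConstraints", "metadata": {"name": name},
            "allowHostPID": pid, "allowHostIPC": ipc, "allowHostNetwork": net}

# Constructed SCCs with hypothetical names.
SAMPLE_SCCS = [
    _scc("sample-no-host", False, False, False),
    _scc("sample-host-network-only", False, False, True),
    _scc("sample-host-all", True, True, True),
]

if __name__ == "__main__":
    for scc in SAMPLE_SCCS:
        denied = denied_by_scc(AUDITD_DC, scc)
        print(scc["metadata"]["name"], "->", denied or "admitted")
```

Running the same check over every DC in a project gives a quick inventory of workloads that share the node's PID, IPC or network namespace and therefore need an SCC granting that access.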

Comment 9 Nicolas Dordet 2016-09-07 13:06:42 UTC
Yes OK, my bad, I didn't go to the API part. In fact, when doing a search in the search bar on the documentation site (for example "IPC"), you didn't get results pointing to API pages.

I think you can close this issue.

Thanks