Bug 1377480

Summary: Integrated Docker Registry That Mounts an NFS volume needs to run as privileged
Product: OpenShift Container Platform
Component: Documentation
Version: 3.2.1
Hardware: Unspecified
OS: Unspecified
Severity: medium
Priority: medium
Status: CLOSED WONTFIX
Type: Bug
Reporter: Dave Sullivan <dsulliva>
Assignee: Vikram Goyal <vigoyal>
QA Contact: Vikram Goyal <vigoyal>
Docs Contact: Vikram Goyal <vigoyal>
CC: aos-bugs, bmcelvee, jokerman, mmccomas, rhowe, tohughes
Target Milestone: ---
Target Release: ---
Doc Type: If docs needed, set a value
Story Points: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Last Closed: 2018-04-24 15:57:41 UTC

Description Dave Sullivan 2016-09-19 20:31:26 UTC
Document URL: 

https://access.redhat.com/documentation/en/openshift-enterprise/version-3.2/installation-and-configuration/#install-config-install-docker-registry

Section Number and Name: 

2.7.2.2.1



Describe the issue: 


Or, to attach an existing NFS volume to the registry:

oc volume deploymentconfigs/docker-registry \
     --add --overwrite --name=registry-storage --mount-path=/registry \
     --source='{"nfs": { "server": "<fqdn>", "path": "/path/to/export"}}'


When you try to do this without adding SCC privileges, the docker registry fails without any good indication of why.

Suggestions for improvement: 

After the "Or" line noted above, suggest adding something like:

Note: Mounting an NFS share requires the privileged security context constraint to be granted to the registry.

oadm policy add-scc-to-user privileged system:serviceaccount:default:registry

Additional information: 

It seems like the oc volume command should maybe do that for us automatically.

Regardless, it seems like an error should be logged to better help determine the underlying issue.

Two scripts to create/delete the registry.

Note: you might have to edit the SCC for full cleanup:

oc edit scc privileged

[root@m01-useast1a-c001 ~]# cat create_registry.sh 
#!/bin/bash

# Create the registry service account in the default project.
echo '{"kind":"ServiceAccount","apiVersion":"v1","metadata":{"name":"registry"}}' | oc create -n default -f -

# Grant the service account an SCC that allows the NFS volume mounted below.
# The commented form would target a *user* named "registry"; a service account
# must be given as system:serviceaccount:<namespace>:<name>.
#oadm policy add-scc-to-user privileged registry
oadm policy add-scc-to-user privileged system:serviceaccount:default:registry

# Deploy the registry under that service account.
oadm registry --config=/etc/origin/master/admin.kubeconfig \
    --service-account=registry \
    --images='registry.access.redhat.com/openshift3/ose-${component}:${version}' \
    --selector='region=primary,zone=east'

# Attach the NFS export directly to the deployment config (no PV/PVC).
oc volume deploymentconfigs/docker-registry \
     --add --overwrite --name=registry-storage --mount-path=/registry \
     --source='{"nfs": { "server": "10.0.2.172", "path": "/"}}'

[root@m01-useast1a-c001 ~]# cat delete_registry.sh 
#!/bin/bash

# Remove the registry deployment config, service and service account ...
oc delete dc/docker-registry
oc delete svc/docker-registry
oc delete sa/registry

# ... and the token/dockercfg secrets that were generated for the service
# account (this matches any secret whose listing line contains "registry").
for i in $(oc get secrets | grep registry | awk '{print $1}')
do
  echo "deleting secret/$i"
  oc delete secret/$i
done

Comment 1 Dave Sullivan 2016-09-19 21:00:09 UTC
I'm curious if ansible registry setup has capabilities to handle this?

Will have to look.

Comment 3 Ryan Howe 2016-11-11 16:13:59 UTC
We do this automatically for 3.1 versions: 

https://github.com/openshift/openshift-ansible/blob/master/playbooks/common/openshift-cluster/openshift_hosted.yml#L42-L49


- TASK where we add the registry and router SA to the priv SCC:

https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_serviceaccounts/tasks/main.yml#L27-L34


In 3.3 does the `oadm router` command add its SA to the right SCC or is it bootstrapped? (I also might be missing something in the installer that does it only for the router)


This is a DOCS issue most likely, as the registry can run as restricted, but if you wish to directly mount a volume not using a PV or PVC then you will need to add the SA of the registry to an SCC that has the permissions to do so.

Instead of adding it to privileged we should add it to hostmount-anyuid:

# oadm policy add-scc-to-user hostmount-anyuid \
    system:serviceaccount:default:registry

The release note that describes what changed with SCC and volumes : 

https://docs.openshift.com/enterprise/3.2/release_notes/ose_3_2_release_notes.html#ose-32-security
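The following is an added example, not code from this bug report or from OpenShift. It models the SCC admission decision behind both the description (an NFS volume added with `oc volume` is rejected while the registry SA only has `restricted`) and Comment 3's point that `hostmount-anyuid` is enough and `privileged` is more than needed. The three SCC definitions are a constructed approximation of the stock 3.x `restricted`, `hostmount-anyuid` and `privileged` SCCs, reduced to the fields that matter here; the fixed privilege ordering and the error wording are simplifications of the real admission controller. Compare against `oc get scc <name> -o yaml` on a real cluster before relying on the details.

```python
"""Toy model of OpenShift SecurityContextConstraints (SCC) admission for pod volumes.

Added example; not code from the bug report or from OpenShift. The SCC
definitions are a constructed approximation of the stock OpenShift 3.x
`restricted`, `hostmount-anyuid` and `privileged` SCCs, limited to the fields
that matter for this bug; check `oc get scc <name> -o yaml` on a real cluster.
"""

# Constructed SCC subset. "*" in `volumes` admits any volume plugin.
SCCS = {
    "restricted": {
        "allowPrivilegedContainer": False,
        "allowHostDirVolumePlugin": False,
        "volumes": ["configMap", "downwardAPI", "emptyDir",
                    "persistentVolumeClaim", "secret"],
    },
    "hostmount-anyuid": {
        "allowPrivilegedContainer": False,
        "allowHostDirVolumePlugin": True,
        "volumes": ["configMap", "downwardAPI", "emptyDir", "hostPath", "nfs",
                    "persistentVolumeClaim", "secret"],
    },
    "privileged": {
        "allowPrivilegedContainer": True,
        "allowHostDirVolumePlugin": True,
        "volumes": ["*"],
    },
}

# Simplified ranking from least to most privileged. Real admission orders SCCs
# by priority and then by a restrictiveness score; a fixed list is enough here.
PRIVILEGE_ORDER = ["restricted", "hostmount-anyuid", "privileged"]


def volume_plugin(volume):
    """Plugin name of a pod volume, e.g. {"name": "v", "nfs": {...}} -> "nfs"."""
    plugins = [key for key in volume if key != "name"]
    if len(plugins) != 1:
        raise ValueError(f"volume {volume.get('name')!r} must declare exactly one source")
    return plugins[0]


def violations(pod_spec, scc):
    """Admission errors for pod_spec under scc; an empty list means admitted.
    Message wording is modelled on (not copied from) the API server's errors."""
    errors = []
    allowed = scc["volumes"]
    for i, vol in enumerate(pod_spec.get("volumes", [])):
        plugin = volume_plugin(vol)
        if "*" not in allowed and plugin not in allowed:
            errors.append(f'spec.volumes[{i}]: Invalid value: "{plugin}": '
                          f"{plugin} volumes are not allowed to be used")
    for i, ctr in enumerate(pod_spec.get("containers", [])):
        if ctr.get("securityContext", {}).get("privileged") \
                and not scc["allowPrivilegedContainer"]:
            errors.append(f"spec.containers[{i}].securityContext.privileged: "
                          "Invalid value: true: Privileged containers are not allowed")
    return errors


def least_privileged_scc(pod_spec, granted):
    """Least privileged SCC in `granted` (names the pod's service account may
    use) that admits pod_spec, or None when nothing admits it."""
    for name in PRIVILEGE_ORDER:
        if name in granted and not violations(pod_spec, SCCS[name]):
            return name
    return None


def registry_pod_spec(volume_source, privileged=False):
    """Constructed pod template of the docker-registry DC after
    `oc volume dc/docker-registry --add --name=registry-storage ...`."""
    return {
        "containers": [{
            "name": "registry",
            "securityContext": {"privileged": privileged},
            "volumeMounts": [{"name": "registry-storage", "mountPath": "/registry"}],
        }],
        "volumes": [dict({"name": "registry-storage"}, **volume_source)],
    }


if __name__ == "__main__":
    # `restricted` is granted to every authenticated user, so it is always present.
    nfs = {"nfs": {"server": "nfs.example.com", "path": "/exports/registry"}}
    pvc = {"persistentVolumeClaim": {"claimName": "registry-claim"}}
    for label, source in (("direct NFS mount", nfs), ("PVC", pvc)):
        spec = registry_pod_spec(source)
        for granted in ({"restricted"},
                        {"restricted", "hostmount-anyuid"},
                        {"restricted", "privileged"}):
            chosen = least_privileged_scc(spec, granted)
            print(f"{label:17} granted={sorted(granted)!s:42} -> {chosen}")
            if chosen is None:
                for err in violations(spec, SCCS["restricted"]):
                    print("   ", err)
```

Running it shows why the PVC route works with no SCC change (`restricted` admits `persistentVolumeClaim`), why the direct NFS mount fails under `restricted` alone, and that once `hostmount-anyuid` is granted it is selected even when `privileged` is also available, which is the least-privilege outcome Comment 3 recommends.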