Bug 1393568

Summary: Using nfs as a direct volume for the docker-registry yields error about nfs is not allowed
Product: OpenShift Container Platform
Reporter: Eric Jones <erjones>
Component: Storage
Assignee: Pavel Pospisil <ppospisi>
Status: CLOSED ERRATA
QA Contact: Jianwei Hou <jhou>
Severity: high
Priority: high
Version: 3.3.0
CC: aos-bugs, bchilds, erich, rhowe, tdawson, vigoyal
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Last Closed: 2017-01-18 12:51:21 UTC
Type: Bug

Description Eric Jones 2016-11-09 21:34:23 UTC
Description of problem:
Using the second command in our documentation [0] about adding storage to the docker-registry directly attaches an nfs share to the DC/pod. This kicks off a new deployment of the registry pod which then fails with the following error message:

Error creating: pods "docker-registry-#-" is forbidden: unable to validate against any security context constraint: [spec.containers[0].securityContext.volumes[0]: Invalid value: "nfs": nfs volumes are not allowed to be used]


[0] https://docs.openshift.com/container-platform/3.3/install_config/registry/deploy_registry_existing_clusters.html#registry-production-use

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. Deploy a docker-registry
2. Run the command [1] to attach the nfs share
3. Let the deployer pod run

[1] oc volume deploymentconfigs/docker-registry \
     --add --overwrite --name=registry-storage --mount-path=/registry \
     --source='{"nfs": { "server": "<fqdn>", "path": "/path/to/export"}}'

Actual results:
Pod fails to deploy, claiming nfs volumes are not allowed to be used

Expected results:
Attach the nfs share to the pod

Additional info:
Creating a PV/PVC out of the same NFS share appears to work fine.

Comment 1 Pavel Pospisil 2016-11-11 06:24:17 UTC
Citing the bug description:
Additional info:
Creating a PV/PVC out of the same NFS share appears to work fine.

So there is a workaround:
1. create an NFS PV and PVC.
2. attach the PVC to the registry.

Therefore, I'm lowering priority.

Comment 2 Pavel Pospisil 2016-11-11 12:36:34 UTC
IMHO, this bug shouldn't be a blocker for OSE 3.4 release because:
- It's reported by a customer for OSE 3.3.
- It's not a regression bug.
- From the error message it seems like a configuration issue.
- As mentioned by Eric Jones a workaround exists.

Comment 3 Pavel Pospisil 2016-11-11 13:06:02 UTC
The error message says:
"[spec.containers[0].securityContext.volumes[0]: Invalid value: "nfs": nfs volumes are not allowed to be used]"
That's why I would like to know if the NFS is enabled in the master configuration file. Probably, the master configuration file might have changed after the OSE 3.2 -> 3.3 upgrade.

IMHO, it can be a similar configuration problem to the one described in this issue: https://github.com/openshift/origin/issues/11473
That's why I would like to know what SCCs are configured. And whether there was an SCC created to be used by the docker-registry.

Comment 5 Ryan Howe 2016-11-11 15:35:28 UTC
This is a docs bug, as the registry by default is assigned to SCC restricted which does not allow direct mounting of NFS volumes. 

https://docs.openshift.com/enterprise/3.2/release_notes/ose_3_2_release_notes.html#ose-32-security



To fix this, add the SA for the registry to an SCC that can mount the NFS:

Example:
# oc adm policy add-scc-to-user hostmount-anyuid \
    system:serviceaccount:default:registry
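
The volume-type check behind the error in this report, modelled as an added example (not part of the thread and not OpenShift source code). The SCC volume lists, the NFS server name and the claim name `registry-claim` are constructed assumptions; compare the lists against the SCC objects on your own cluster.

```python
import json

# Constructed SCC objects, shaped like the "volumes" field of an SCC.
# The lists are assumptions about the defaults, not values from this report.
SCCS = json.loads("""
{"restricted": {"volumes": ["configMap", "downwardAPI", "emptyDir",
                            "persistentVolumeClaim", "secret"]},
 "hostmount-anyuid": {"volumes": ["configMap", "downwardAPI", "emptyDir",
                                  "hostPath", "nfs", "persistentVolumeClaim",
                                  "secret"]}}
""")

# Constructed pod volumes: the direct NFS mount from the report, and the
# PV/PVC workaround from comment 1 (hypothetical server and claim names).
DIRECT_NFS = [{"name": "registry-storage",
               "nfs": {"server": "nfs.example.com", "path": "/path/to/export"}}]
VIA_PVC = [{"name": "registry-storage",
            "persistentVolumeClaim": {"claimName": "registry-claim"}}]


def volume_type(volume):
    """A pod volume has a name plus exactly one source key; that key is its type."""
    sources = [k for k in volume if k != "name"]
    if len(sources) != 1:
        raise ValueError("volume %r must have exactly one source" % volume.get("name"))
    return sources[0]


def rejected_volumes(scc, volumes):
    """Return a message for each volume whose type is not in the SCC's allow-list."""
    allowed = set(scc.get("volumes", []))
    errors = []
    for i, vol in enumerate(volumes):
        vtype = volume_type(vol)
        if "*" not in allowed and vtype not in allowed:
            errors.append('volumes[%d]: Invalid value: "%s": %s volumes are not '
                          'allowed to be used' % (i, vtype, vtype))
    return errors


def admitting_sccs(volumes, sccs=SCCS):
    """Names of the SCCs under which every volume in the pod is permitted."""
    return sorted(n for n, s in sccs.items() if not rejected_volumes(s, volumes))


if __name__ == "__main__":
    print(rejected_volumes(SCCS["restricted"], DIRECT_NFS))
    print(admitting_sccs(DIRECT_NFS), admitting_sccs(VIA_PVC))
```

In this model the PVC form is admitted under restricted, while the direct NFS mount is admitted only under hostmount-anyuid, whose list here also includes hostPath.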

Comment 8 Pavel Pospisil 2016-11-16 10:49:23 UTC
Created pull request: https://github.com/openshift/openshift-docs/pull/3233

Comment 9 Pavel Pospisil 2016-11-16 15:44:26 UTC
The pull request was merged.

Comment 10 Jianwei Hou 2016-11-17 03:22:02 UTC
Verified that the doc using NFS as direct mount for docker registry is removed.

Comment 12 errata-xmlrpc 2017-01-18 12:51:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0066