Bug 1420541

Summary: Unable to set Supplemental Groups or fsGroup for the registry via the command line.
Product: OpenShift Container Platform
Reporter: Ryan Howe <rhowe>
Component: RFE
Assignee: Michal Fojtik <mfojtik>
Status: CLOSED DEFERRED
QA Contact: ge liu <geliu>
Severity: high
Priority: medium
Version: 3.4.0
CC: aos-bugs, geliu, haowang, jmalde, jokerman, mbarrett, mfojtik, mmccomas, pweil, trankin
Target Milestone: ---
Keywords: RFE
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Last Closed: 2018-03-12 13:54:36 UTC
Type: Bug

Description Ryan Howe 2017-02-08 22:50:43 UTC
Description of problem:

There is no easy way via the registry deployer to set Supplemental Groups or fsGroup. These would need to be manually added after a deploy, in which case the registry would deploy fine but hit issues when getting images pushed because it does not have permissions to write to the PV that is attached.

There needs to be an option via the `oadm registry` command so that an admin can set SupplementalGroups or fsGroup. This would also be needed so that the installer is able to deploy the registry with volumes that need this set. 

https://bugzilla.redhat.com/show_bug.cgi?id=1420526

Comment 1 Michal Fojtik 2017-04-07 13:46:07 UTC
PR: https://github.com/openshift/origin/pull/12951

Comment 2 Michal Fojtik 2017-04-24 08:52:12 UTC
The PR was merged, please see https://github.com/openshift/origin/pull/12951/files#diff-df3b6baf7e3b18ed4b1ff84012467504R189 for the new command line options for testing.

I will update the documentation shortly.

Comment 3 ge liu 2017-04-25 10:28:41 UTC
Setting '--supplemental-groups' succeeded, but setting '--fs-group' fails:

1). delete default installed registry

2). create registry and set 'fs-group' option:
 # oadm registry --fs-group=2000020000

The pods stay in deploying status for a long time:

# oc get pods
NAME                       READY     STATUS    RESTARTS   AGE
docker-registry-1-deploy   1/1       Running   0          3m


Check the pod's details:

  securityContext:
    fsGroup: 1000030000
    seLinuxOptions:
      level: s0:c6,c0
  serviceAccount: deployer
  serviceAccountName: deployer
  terminationGracePeriodSeconds: 10


Tried in two newly installed environments and got the same result.
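
An added example, not part of the comment above or of the OpenShift code base: a small check that compares the group IDs requested on the command line with what a pod spec actually carries. The sample pod is constructed from the securityContext shown in comment 3; the group range string is a constructed value in the `start/size` format of the project annotation `openshift.io/sa.scc.supplemental-groups`, and the function names are hypothetical.

```python
import json

def parse_group_range(annotation):
    """Turn 'start/size' or 'start-end' (first block only) into inclusive (lo, hi)."""
    first = annotation.split(",")[0].strip()
    if "/" in first:
        start, size = (int(p) for p in first.split("/"))
        return start, start + size - 1
    lo, hi = (int(p) for p in first.split("-"))
    return lo, hi

def check_pod_groups(pod, fs_group=None, supplemental_groups=(), group_range=None):
    """Return a list of findings; an empty list means the pod matches the request."""
    findings = []
    spec = pod.get("spec", {})
    sc = spec.get("securityContext") or {}
    # Deployment helper pods run under 'deployer'; their groups are not the registry's.
    if spec.get("serviceAccountName") == "deployer":
        findings.append("pod runs under the 'deployer' service account, so it is "
                        "the deployment helper pod rather than the registry pod")
    if fs_group is not None and sc.get("fsGroup") != fs_group:
        findings.append(f"fsGroup requested {fs_group}, pod has {sc.get('fsGroup')}")
    missing = sorted(set(supplemental_groups) - set(sc.get("supplementalGroups") or []))
    if missing:
        findings.append(f"supplementalGroups missing from pod: {missing}")
    if group_range:
        lo, hi = parse_group_range(group_range)
        for gid in [fs_group, *supplemental_groups]:
            if gid is not None and not lo <= gid <= hi:
                findings.append(f"requested group {gid} is outside project range {lo}-{hi}")
    return findings

# Constructed sample: the securityContext shown in comment 3, wrapped as pod JSON.
SAMPLE_POD = json.loads("""
{"metadata": {"name": "docker-registry-1-deploy"},
 "spec": {"securityContext": {"fsGroup": 1000030000,
                              "seLinuxOptions": {"level": "s0:c6,c0"}},
          "serviceAccountName": "deployer"}}
""")
# Constructed range value (assumption), in the 'start/size' annotation format.
SAMPLE_RANGE = "1000030000/10000"

if __name__ == "__main__":
    for line in check_pod_groups(SAMPLE_POD, fs_group=2000020000, group_range=SAMPLE_RANGE):
        print("FINDING:", line)
```

In practice the pod argument would be the parsed output of `oc get pod <name> -o json`.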

Comment 7 Eric Rich 2018-03-12 13:54:36 UTC
This bug has been identified as a dated (created more than 3 months ago) bug.
This bug has been triaged (has a trello card linked to it), or reviewed by Engineering/PM and has been put into the product backlog,
however this bug has not been slated for a currently planned release (3.9, 3.10 or 3.11), which cover our releases for the rest of the calendar year.

As a result of this bug's age, state on the current roadmap and PM Score (being below 70), this bug is being Closed - Deferred,
as it is currently not part of the product's immediate priorities.

Please see: https://docs.google.com/document/d/1zdqF4rB3ea8GmVIZ7qWCVYUaQ7-EexUrQEF0MTwdDkw/edit for more details.

Comment 8 Red Hat Bugzilla 2023-09-15 00:01:15 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days