Bug 1537872

Summary: Azure need set virt_use_samba
Product: OpenShift Container Platform
Reporter: Wenqi He <wehe>
Component: Installer
Assignee: Kenny Woodson <kwoodson>
Status: CLOSED ERRATA
QA Contact: Wenqi He <wehe>
Severity: high
Docs Contact:
Priority: high
Version: 3.9.0
CC: aos-bugs, hchen, jokerman, mmccomas, xtian
Target Milestone: ---
Target Release: 3.9.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
To enable support for storage devices on Azure the seboolean virt_use_samba is required.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-06-27 18:01:30 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Wenqi He 2018-01-24 03:10:29 UTC
Description of problem:
To test and use azure file storage, need to install samba-client, samba-common, and cifs-utils on all nodes by default and enable the SELinux booleans
$ /usr/sbin/setsebool -P virt_use_samba on


Version-Release number of the following components:
rpm -q openshift-ansible
openshift-ansible-3.9.0-0.22.0.git.0.0e9d896.el7.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install OCP on Azure
2.
3.

Actual results:
No packages of samba-client, samba-common, and cifs-utils installed by default

Expected results:
Install these packages by default and enable the SELinux booleans
$ /usr/sbin/setsebool -P virt_use_samba on

Official doc is here: https://docs.openshift.com/container-platform/latest/install_config/persistent_storage/persistent_storage_azure_file.html


Additional info:

Comment 1 Scott Dodson 2018-01-24 18:37:36 UTC
Possible dupe or at least related to https://bugzilla.redhat.com/show_bug.cgi?id=1536362

Huamin, can you help us figure out the right fix for this and your bug? Are they dupes? Do we need to add all these additional packages as dependencies?

Comment 2 hchen 2018-01-29 18:55:51 UTC
Hi Scott, 
Yes, we need cifs-utils but we don't need samba-common or samba-client to turn on samba selinux. 

The openshift doc [1] appears to come from Azure file Linux requirement [2]. It is a general requirement for Linux hosts that use either samba or mount.cifs to mount cifs share. But on openshift/kubernetes, we don't use samba command at all. We don't need these packages.

1. https://github.com/openshift/openshift-docs/blame/master/install_config/persistent_storage/persistent_storage_azure_file.adoc
2. https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-linux

Comment 3 Wenqi He 2018-02-06 09:49:21 UTC
I tried with below version:
openshift v3.9.0-0.36.0
kubernetes v1.9.1+a0ce1bc657

I think we need at least to enable the SELinux booleans of virt_use_samba, otherwise, azure file cannot be used. Please see bug #1536362#c9

Comment 4 Kenny Woodson 2018-02-22 14:41:59 UTC
Suggested fix: https://github.com/openshift/openshift-ansible/pull/7246

Comment 5 Wenqi He 2018-02-28 07:32:19 UTC
Tested with below version:
openshift-ansible-3.9.1-1.git.0.9862628.el7.noarch.rpm

$oc version
openshift v3.9.1
kubernetes v1.9.1+a0ce1bc657

Now the virt_use_samba is on by default:
# getsebool -a | grep virt_use_samba
virt_use_samba --> on

Comment 6 Shanna Chan 2018-04-25 23:59:49 UTC
I have problem testing with 3.9.14 on Azure using Azure file
1. $getsebool -a |grep virt_use_samb
   virt_use_samba --> on
2. pv
apiVersion: "v1"
kind: "PersistentVolume"
metadata:
  name: "pv0001" 
spec:
  capacity:
    storage: "1Gi" 
  accessModes:
    - "ReadWriteMany"
  azureFile: 
    secretName: azure-secret 
    shareName: ocptestfile
    readOnly: false 
  mountOptions:
    - uid=1000150000
    - dir_mode=0777
    - file_mode=0777 
3. what container is running, I am still getting permission denied.
sh-4.2$ ls -lZ
-rw-rw-r--. default    root       system_u:object_r:container_file_t:s0:c9,c12 README.md
drwxrwxr-x. default    root       system_u:object_r:container_file_t:s0:c9,c12 css
drwxrwxr-x. default    root       system_u:object_r:container_file_t:s0:c9,c12 includes
-rw-rw-r--. default    root       system_u:object_r:container_file_t:s0:c9,c12 index.php
-rw-rw-r--. default    root       system_u:object_r:container_file_t:s0:c9,c12 info.php
-rw-rw-r--. default    root       system_u:object_r:container_file_t:s0:c9,c12 listfiles.php
-rw-rw-r--. default    root       system_u:object_r:container_file_t:s0:c9,c12 upload.php
drwxrwxrwx. 1000150000 1000150000 system_u:object_r:cifs_t:s0      uploaded
sh-4.2$ cd upload
upload.php  uploaded/
sh-4.2$ cd upload
upload.php  uploaded/
sh-4.2$ cd uploaded
sh-4.2$ ls
ls: cannot open directory .: Permission denied
sh-4.2$

Comment 7 Wenqi He 2018-04-26 02:37:48 UTC
(In reply to Shanna Chan from comment #6)
> I have problem testing with 3.9.14 on Azure using Azure file

What's your id in your project?
$ id 

The project has a user id range, you need to adjust it and set it accordingly.
I suggest you just remove the "- uid=1000150000" in the pv mountOptions, and then try again.
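
Added example (not part of the bug report or of openshift-ansible): a POSIX shell triage of the checks this thread walks through, the virt_use_samba state verified in comment 5 and the uid mount option discussed in comments 6 and 7. The function names, the START/SIZE form of the project uid range (as in the openshift.io/sa.scc.uid-range annotation), and the container uid and range in the sample call are assumptions.

```sh
#!/bin/sh
# Added example: triage "Permission denied" on an Azure File (CIFS) volume.
# Function names are hypothetical; sample inputs at the bottom are constructed.

# sebool_state NAME: read `getsebool -a` output on stdin; print on, off or missing.
sebool_state() {
    awk -v name="$1" '$1 == name && $2 == "-->" { print $3; found = 1 }
                      END { if (!found) print "missing" }'
}

# pv_mount_uid: read a PersistentVolume manifest on stdin; print the value of
# its "- uid=" mount option, or nothing when the option is not set.
pv_mount_uid() {
    sed -n 's/^[[:space:]]*-[[:space:]]*uid=\([0-9][0-9]*\)[[:space:]]*$/\1/p' |
        head -n 1
}

# uid_in_range UID START/SIZE: succeed when START <= UID < START+SIZE.
uid_in_range() {
    start=${2%%/*}
    size=${2##*/}
    [ "$1" -ge "$start" ] && [ "$1" -lt $(( $start + $size )) ]
}

# triage SEBOOL_OUTPUT PV_YAML CONTAINER_UID PROJECT_RANGE: print one finding.
triage() {
    state=$(printf '%s\n' "$1" | sebool_state virt_use_samba)
    [ "$state" = "on" ] || { echo "selinux-boolean-$state"; return 0; }
    uid=$(printf '%s\n' "$2" | pv_mount_uid)
    [ -n "$uid" ] || { echo "no-uid-mount-option"; return 0; }
    uid_in_range "$uid" "$4" || { echo "uid-outside-project-range"; return 0; }
    [ "$uid" = "$3" ] || { echo "uid-differs-from-container"; return 0; }
    echo "uid-matches-container"
}

# Constructed inputs: boolean and mount options as posted in comment 6; the
# container uid and project range are made-up values for illustration.
SAMPLE_SEBOOL='virt_use_samba --> on'
SAMPLE_PV='  mountOptions:
    - uid=1000150000
    - dir_mode=0777
    - file_mode=0777'
triage "$SAMPLE_SEBOOL" "$SAMPLE_PV" 1000090000 1000090000/10000
```

On a node, the first argument would come from `getsebool -a` and the third from `id -u` run inside the container.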

Comment 9 errata-xmlrpc 2018-06-27 18:01:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2013