Bug 1888227

Summary: Failed to deploy some container images on the recent OCP 4.6 nightly build
Product: OpenShift Container Platform Reporter: Jeeva Kandasamy <jkandasa>
Component: Node    Assignee: Peter Hunt <pehunt>
Node sub component: Kubelet    QA Contact: Sunil Choudhary <schoudha>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: unspecified CC: afield, aos-bugs, dwalsh, jokerman, mburke, nagrawal, tsweeney
Version: 4.6   
Target Milestone: ---   
Target Release: 4.7.0   
Hardware: x86_64   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-24 15:26:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jeeva Kandasamy 2020-10-14 12:54:39 UTC
In the recent OCP 4.6 nightly build, we are unable to deploy one of our Elasticsearch community images.
It works fine on 4.6.0-0.nightly-2020-09-21-030155
but fails on 4.6.0-0.nightly-2020-10-03-051134 and also on OCP 4.6.0-rc.4.

In our case it is Elasticsearch. I believe this issue will apply to some other images too.

Issue (on the container log):
chroot: cannot change root directory to /: Operation not permitted

Steps to reproduce:
oc create -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/test/elasticsearch.yml -n default

Is there any change in the recent OCP 4.6 nightly builds?
Is there any workaround to fix this issue?

Comment 1 Peter Hunt 2020-10-14 15:11:55 UTC
We recently dropped the Linux capability SYS_CHROOT by default (whereas before we gave it to all pods). I am preparing a PR to add that capability (after I test that my change is indeed the required one).

Comment 2 Peter Hunt 2020-10-14 16:17:10 UTC
fixed in attached PR

Comment 4 Jeeva Kandasamy 2020-10-15 09:50:35 UTC
(In reply to Peter Hunt from comment #2)
> fixed in attached PR

Thanks, Peter!
The fix works as expected and thank you for the PR.

Quick note for easy reference, if someone is looking into this issue.

spec:
  containers:
    - # the existing name:, image:, ... fields of the container stay as they are
      securityContext:
        capabilities:
          add: ["SYS_CHROOT"]
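
Added example (not code from this bug report, OpenShift or CRI-O): a shell script that decodes the capability bitmasks a process reports in /proc/<pid>/status and checks whether CAP_SYS_CHROOT is present. This is the check a practitioner would run inside the failing pod (for example via oc rsh against /proc/1/status) to confirm that the capability is missing before adding it through securityContext. The bit numbers come from <linux/capability.h>; the two status excerpts are constructed, and the "before" mask is an assumption about what the reduced default set looked like, since the report does not list it.

```shell
#!/usr/bin/env bash
# Added example, not code from this bug report, OpenShift or CRI-O.
# Decodes the capability bitmasks a process reports in /proc/<pid>/status
# and checks for CAP_SYS_CHROOT. chroot(2) fails with EPERM ("Operation not
# permitted") unless CAP_SYS_CHROOT is in the caller's effective set, which
# is what the Elasticsearch entrypoint hit once the nightly stopped
# granting that capability by default.

# Capability names and bit numbers from <linux/capability.h>; bits not in
# this table are reported as bitN.
CAP_TABLE="chown=0 dac_override=1 dac_read_search=2 fowner=3 fsetid=4 kill=5
setgid=6 setuid=7 setpcap=8 net_bind_service=10 net_raw=13 sys_chroot=18
mknod=27 audit_write=29 setfcap=31"
CAP_SYS_CHROOT=18

# has_cap HEXMASK BIT -> prints yes or no (an empty mask counts as 0)
has_cap() {
  local mask=${1:-0} bit=$2
  if [ $(( (0x$mask >> bit) & 1 )) -eq 1 ]; then echo yes; else echo no; fi
}

# decode HEXMASK -> the set bits by name, in the style of capsh --decode
decode() {
  local mask=$1 bit=0 entry name out=""
  while [ "$bit" -le 40 ]; do
    if [ "$(has_cap "$mask" "$bit")" = yes ]; then
      name="bit$bit"
      for entry in $CAP_TABLE; do
        if [ "${entry#*=}" = "$bit" ]; then name="cap_${entry%=*}"; fi
      done
      out="$out${out:+ }$name"
    fi
    bit=$((bit + 1))
  done
  printf '%s\n' "$out"
}

# cap_field STATUS_TEXT FIELD -> hex mask of FIELD (CapEff, CapBnd, CapPrm...)
# taken from the text of a /proc/<pid>/status file
cap_field() {
  printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2 }'
}

# chroot_allowed STATUS_TEXT -> yes if CAP_SYS_CHROOT is in the effective set
chroot_allowed() {
  has_cap "$(cap_field "$1" CapEff)" "$CAP_SYS_CHROOT"
}

# Constructed status excerpts for a root process inside a container. The
# "before" mask is an assumption about the reduced default set (CHOWN,
# DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, SETPCAP,
# NET_BIND_SERVICE); the report itself does not list it. "after" is the
# same set plus SYS_CHROOT, as granted by capabilities.add in the manifest.
SAMPLE_BEFORE="Name: java
Uid: 0 0 0 0
CapInh: 0000000000000000
CapPrm: 00000000000005fb
CapEff: 00000000000005fb
CapBnd: 00000000000005fb
CapAmb: 0000000000000000"
SAMPLE_AFTER="Name: java
Uid: 0 0 0 0
CapInh: 0000000000000000
CapPrm: 00000000000405fb
CapEff: 00000000000405fb
CapBnd: 00000000000405fb
CapAmb: 0000000000000000"

for s in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
  eff=$(cap_field "$s" CapEff)
  printf 'CapEff=%s chroot_allowed=%s\n  %s\n' "$eff" "$(chroot_allowed "$s")" "$(decode "$eff")"
done
# Inside the failing pod, the same check against the live process:
#   chroot_allowed "$(cat /proc/1/status)"
```

Two caveats when using this on a real pod. For a container that does not run as root, CapEff is zero regardless of what the runtime granted, so look at CapBnd (the bounding set) to see which capabilities the pod was actually given. And capabilities.add only takes effect if the security context constraint the pod is admitted under permits that capability; under a restrictive SCC the pod is rejected rather than silently granted SYS_CHROOT, which is why the runtime-side fix in the errata matters for workloads that cannot change their SCC.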

Comment 10 errata-xmlrpc 2021-02-24 15:26:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633