Bug 855763

Summary: /sandbox is not root owned for an old existing application
Product: OKD
Reporter: Jianwei Hou <jhou>
Component: Containers
Assignee: Rob Millner <rmillner>
Status: CLOSED CURRENTRELEASE
QA Contact: libra bugs <libra-bugs>
Severity: medium
Docs Contact:
Priority: medium
Version: 2.x
CC: mfisher
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-09-17 21:29:57 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jianwei Hou 2012-09-10 08:24:41 UTC
Description of problem:
For an old existing application, after server upgrade and migrate, /sandbox is still not root owned.

Version-Release number of selected component (if applicable):
on INT, devenv

How reproducible:
Always

Steps to Reproduce:
1. Launch an old instance and create applications that cover all cartridges
2. Do server upgrade and migrate
3. ssh into old applications, ls -Zd /sandbox/
4. Create new applications and then repeat step 3

Actual results:
For old existing apps (all cartridges, including zend-5.6), /sandbox is not root owned.
[zend1-jhouup.dev.rhcloud.com ~]> ls -Zd /sandbox/
drwxrwxrwt. b642327973a74b23ab395daf80450cb6 root system_u:object_r:libra_tmp_t:s0:c0,c531 /sandbox/

For newly created zend-5.6 app, /sandbox is root owned
[zend3-jhouup.dev.rhcloud.com ~]> ls -Zd /sandbox/
drwxr-xr-x. root root system_u:object_r:libra_tmp_t:s0:c0,c537 /sandbox/

For newly created apps of other cartridges, /sandbox is root owned, but the user has access to it.
[phpapp-jhouup.dev.rhcloud.com ~]> ls -Zd /sandbox/
drwxrwxrwt. root root system_u:object_r:libra_tmp_t:s0:c0,c535 /sandbox/

Expected results:
/sandbox should be root owned, and the permissions should be like:
drwxr-xr-t. root root unconfined_u:object_r:libra_tmp_t:s0:c0,c1001 /sandbox/

Additional info:
Launched new devenv build, and this problem is not reproduced. It is reproduced when upgrading from an older instance.
This problem exists for all cartridges. Need upgrade and migration to resolve.

Comment 1 Rob Millner 2012-09-11 18:36:45 UTC
Release ticket updated with migration steps in comment #5.

Comment 2 Jianwei Hou 2012-09-13 05:26:57 UTC
Verified this with the workaround script.

After upgrade, run:
grep ':libra guest:' /etc/passwd | \
    cut -f 1 -d : | \
    while read dn; do \
        t="/var/lib/stickshift/${dn}/.sandbox/${dn}"; \
        mkdir -p "$t"; \
        chown root:root "$t"; \
        chmod 1755 "$t"; \
    done
to fix /sandbox ownership and migrate
Then check applications of all cartridges; now /sandbox is root owned.

[ruby19-234u.dev.rhcloud.com ~]> ls -Zd /sandbox/
drwxr-xr-t. root root system_u:object_r:libra_tmp_t:s0:c0,c509 /sandbox/
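The workaround in comment 2 fixes ownership but gives no way to confirm, across a node, that every gear's sandbox actually ended up in the expected state (root:root, mode 1755, i.e. drwxr-xr-t) rather than the two bad states shown in the description (owned by the gear user, or root-owned but world-writable drwxrwxrwt). The following POSIX sh check is an added example, not code from the bug report or from OpenShift. It reuses the gear discovery from the workaround (the ':libra guest:' gecos match and the /var/lib/stickshift/<gear>/.sandbox/<gear> path) but only reports and never changes anything. It assumes GNU stat is available; the passwd file and gear root can be overridden so the check can be exercised on constructed data.

```shell
#!/bin/sh
# Added verification helper; not part of the bug report or of OpenShift.
# Checks a gear sandbox directory against the expected state given in the
# bug: owner root, group root, mode 1755 (shown by ls as drwxr-xr-t).
# It only reports; unlike the workaround in comment 2 it never chowns or chmods.

EXPECTED_OWNER=root
EXPECTED_GROUP=root
EXPECTED_MODE=1755

# evaluate_sandbox OWNER GROUP MODE
# Pure comparison on already-gathered values, so it can be exercised without
# root privileges. Prints each deviation; returns 0 only when all three match.
evaluate_sandbox() {
    owner=$1
    group=$2
    mode=$3
    rc=0
    if [ "$owner" != "$EXPECTED_OWNER" ]; then
        echo "owner is '$owner', expected '$EXPECTED_OWNER'"
        rc=1
    fi
    if [ "$group" != "$EXPECTED_GROUP" ]; then
        echo "group is '$group', expected '$EXPECTED_GROUP'"
        rc=1
    fi
    if [ "$mode" != "$EXPECTED_MODE" ]; then
        echo "mode is $mode, expected $EXPECTED_MODE"
        rc=1
    fi
    # The drwxrwxrwt case from the report (mode 1777): call out world-writable
    # explicitly, since that is what matters even when root already owns it.
    case "$mode" in
        *[2367]) echo "directory is world-writable"; rc=1 ;;
    esac
    return $rc
}

# check_sandbox_dir PATH
# Reads owner, group and octal mode with GNU stat (assumed present, as on the
# RHEL-based nodes in the report) and evaluates them. A missing directory
# counts as a failure.
check_sandbox_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "$dir: missing"
        return 1
    fi
    info=$(stat -c '%U %G %a' "$dir") || return 1
    set -- $info
    evaluate_sandbox "$1" "$2" "$3"
}

# check_all_gears [PASSWD_FILE] [GEAR_ROOT]
# Same gear discovery as the workaround (gecos ':libra guest:' and the
# <gear_root>/<gear>/.sandbox/<gear> layout from comment 2), but read-only.
# Defaults to /etc/passwd and /var/lib/stickshift. Returns 0 only when every
# gear sandbox conforms; prints one line per gear plus a summary.
check_all_gears() {
    passwd_file=${1:-/etc/passwd}
    gear_root=${2:-/var/lib/stickshift}
    bad=0
    for dn in $(grep ':libra guest:' "$passwd_file" | cut -f 1 -d :); do
        t="$gear_root/$dn/.sandbox/$dn"
        if out=$(check_sandbox_dir "$t"); then
            echo "OK   $t"
        else
            echo "FAIL $t: $out"
            bad=$((bad + 1))
        fi
    done
    echo "$bad non-conforming gear sandbox(es)"
    [ "$bad" -eq 0 ]
}

# Usage on a node after running the workaround:  check_all_gears
# From inside a gear, the bind-mounted view can be checked with:
#   check_sandbox_dir /sandbox
```

Running check_all_gears before and after the workaround gives a per-gear record of which sandboxes were migrated, and the explicit world-writable message separates the PHP-style case (root owned but open) from the zend-style case (wrong owner), which the expected ls output alone does not distinguish.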