Bug 966766

Summary:	Certain cartridge files should default to being "locked"
Product:	OpenShift Online	Reporter:	Jhon Honce <jhonce>
Component:	Image	Assignee:	Dan McPherson <dmcphers>
Status:	CLOSED CURRENTRELEASE	QA Contact:	libra bugs <libra-bugs>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	2.x	CC:	bmeng, dmcphers, xtian
Target Milestone:	---
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2014-01-30 00:47:46 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Jhon Honce 2013-05-23 22:05:57 UTC

Description of problem:

These files should always be "locked":
* OPENSHIFT_<SHORT_NAME>_DIR
* OPENSHIFT_<SHORT_NAME>_IDENT
* metadata/manifest.yml
* metadata/managed_files.yml

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:
Given files are not writeable by the application developer

Additional info:

Comment 1 Jhon Honce 2013-05-23 22:06:51 UTC

Fixed in https://github.com/openshift/origin-server/pull/2623

Comment 2 Xiaoli Tian 2013-05-28 05:29:46 UTC

Tested it on devenv_3277:

Create any type of application, manifest files and managed_files.yml are root owned, only root has the permission to write:

[rubyapp-domx1.dev.rhcloud.com metadata]\> ls -lh
total 12K
-rw-r--r--. 1 root 51a43b995696d0070d000021  792 May 28 01:07 jenkins_shell_command
-rw-r--r--. 1 root 51a43b995696d0070d000021  160 May 26 12:37 managed_files.yml
-rw-r--r--. 1 root 51a43b995696d0070d000021 3.1K May 26 12:37 manifest.yml
[rubyapp-domx1.dev.rhcloud.com metadata]\> echo "test" >>manifest.yml 
bash: manifest.yml: Permission denied
[rubyapp-domx1.dev.rhcloud.com metadata]\> echo "test" >>managed_files.yml 
bash: managed_files.yml: Permission denied\


But OPENSHIFT_<SHORT_NAME>_DIR  and * OPENSHIFT_<SHORT_NAME>_IDENT could still be writable by application developers:
[rubyapp-domx1.dev.rhcloud.com env]\> ls -lh
total 16K
-rw-r--r--. 1 51a43b995696d0070d000021 51a43b995696d0070d000021 49 May 28 01:07 OPENSHIFT_RUBY_DIR
-rw-r--r--. 1 51a43b995696d0070d000021 51a43b995696d0070d000021 21 May 28 01:07 OPENSHIFT_RUBY_IDENT
-rw-r--r--. 1 root                     51a43b995696d0070d000021 56 May 28 01:07 OPENSHIFT_RUBY_LOG_DIR
-rw-r--r--. 1 51a43b995696d0070d000021 51a43b995696d0070d000021  4 May 28 01:07 OPENSHIFT_RUBY_VERSION

[rubyapp-domx1.dev.rhcloud.com env]\> cat OPENSHIFT_RUBY_DIR 
/var/lib/openshift/51a43b995696d0070d000021/ruby/

[rubyapp-domx1.dev.rhcloud.com env]\> echo "/var/lib/openshift/51a43b995696d0070d000021" >> OPENSHIFT_RUBY_DIR

[rubyapp-domx1.dev.rhcloud.com env]\> cat  OPENSHIFT_RUBY_DIR
/var/lib/openshift/51a43b995696d0070d000021/ruby//var/lib/openshift/51a43b995696d0070d000021

[rubyapp-domx1.dev.rhcloud.com env]\> cat OPENSHIFT_RUBY_IDENT 
redhat:ruby:1.8:0.0.1
[rubyapp-domx1.dev.rhcloud.com env]\> echo redhat > OPENSHIFT_RUBY_IDENT 
[rubyapp-domx1.dev.rhcloud.com env]\> cat OPENSHIFT_RUBY_IDENT 
redhat

[rubyapp-domx1.dev.rhcloud.com env]\> echo test >> OPENSHIFT_RUBY_LOG_DIR 
bash: OPENSHIFT_RUBY_LOG_DIR: Permission denied

Comment 3 Xiaoli Tian 2013-05-28 06:25:18 UTC

After trying more, find that OPENSHIFT_<SHORT_NAME>_DIR and OPENSHIFT_<SHORT_NAME>_IDENT is fixed in some of the cartridges(perl-5.10, zend-5.6, nodejs-0.6, php-5.3) ,  but not fixed for the remaining cartridges.

List the fixed the result and non-fixed result below:

1) The fixed cartridges result:
perl-5.10
[perlapp1-domx1.dev.rhcloud.com env]\> ls -lh
total 20K
-rw-r--r--. 1 root c8174368c74111e2afc522000aa64188  57 May 27 22:53 OPENSHIFT_PERL_DIR
-rw-r--r--. 1 root c8174368c74111e2afc522000aa64188  22 May 27 22:53 OPENSHIFT_PERL_IDENT
-rw-r--r--. 1 root c8174368c74111e2afc522000aa64188  64 May 27 22:53 OPENSHIFT_PERL_LOG_DIR
-rw-r--r--. 1 root c8174368c74111e2afc522000aa64188   5 May 26 12:36 OPENSHIFT_PERL_VERSION
-rw-r--r--. 1 root c8174368c74111e2afc522000aa64188 155 May 27 22:53 PERL5LIB

zend-5.6
[zendapp-domx1.dev.rhcloud.com 400163360719229891379200]\> ls -lh zend/env/
total 28K
-rw-r--r--. 1 root 400163360719229891379200 49 May 28 02:06 OPENSHIFT_ZEND_DIR
-rw-r--r--. 1 root 400163360719229891379200 21 May 28 02:06 OPENSHIFT_ZEND_IDENT
-rw-r--r--. 1 root 400163360719229891379200 56 May 28 02:06 OPENSHIFT_ZEND_LOG_DIR
-rw-r--r--. 1 root 400163360719229891379200  4 May 28 02:06 OPENSHIFT_ZEND_UID



nodejs-0.6

[nodejs-domx1.dev.rhcloud.com 51a449925696d0070d000024]\> ls -lh nodejs/env/
total 16K
-rw-r--r--. 1 root 51a449925696d0070d000024 51 May 28 02:07 OPENSHIFT_NODEJS_DIR
-rw-r--r--. 1 root 51a449925696d0070d000024 23 May 28 02:07 OPENSHIFT_NODEJS_IDENT
-rw-r--r--. 1 root 51a449925696d0070d000024 58 May 28 02:07 OPENSHIFT_NODEJS_LOG_DIR

php-5.3

[phpapp-domx1.dev.rhcloud.com env]\> ls -lh
total 20K
-rw-r--r--. 1 root 155534315137086200479744 48 May 28 01:33 OPENSHIFT_PHP_DIR
-rw-r--r--. 1 root 155534315137086200479744 20 May 28 01:33 OPENSHIFT_PHP_IDENT
-rw-r--r--. 1 root 155534315137086200479744 55 May 28 01:33 OPENSHIFT_PHP_LOG_DIR



2) The  non-fixed result

2a) For ruby-1.9 and ruby-1.8, both  OPENSHIFT_<SHORT_NAME>_DIR and OPENSHIFT_<SHORT_NAME>_IDENT could still be written by application developer:
[ruby19app-domx1.dev.rhcloud.com env]\> ls -lh 
-rw-r--r--. 1 191225326926730578886656 191225326926730578886656  49 May 28 01:32 OPENSHIFT_RUBY_DIR
-rw-r--r--. 1 191225326926730578886656 191225326926730578886656  21 May 28 01:32 OPENSHIFT_RUBY_IDENT
-rw-r--r--. 1 root                     191225326926730578886656  56 May 28 01:32 OPENSHIFT_RUBY_LOG_DIR

2b) For python-2.6/2.7/3.3, jbossews-1.0/2.0/, jbosseap-6.0, jbossas-7
OPENSHIFT_<SHORT_NAME>_DIR is not writable, but OPENSHIFT_<SHORT_NAME>_IDENT could still be writable:

python-2.6/2.7/3.3
[python26app-domx1.dev.rhcloud.com 51a441c55696d00867000020]\> ls -lh python/env/
total 24K
-rw-r--r--. 1 root                     51a441c55696d00867000020 51 May 28 01:34 OPENSHIFT_PYTHON_DIR
-rw-r--r--. 1 51a441c55696d00867000020 51a441c55696d00867000020 23 May 28 01:34 OPENSHIFT_PYTHON_IDENT
-rw-r--r--. 1 root                     51a441c55696d00867000020 58 May 28 01:34 OPENSHIFT_PYTHON_LOG_DIR

jbossas-7
-rw-r--r--. 1 root                             dee555dcc75811e28bc422000aa64188 60 May 28 01:38 OPENSHIFT_JBOSSAS_DIR
-rw-r--r--. 1 dee555dcc75811e28bc422000aa64188 dee555dcc75811e28bc422000aa64188 22 May 28 01:38 OPENSHIFT_JBOSSAS_IDENT


jbosseap/jbossews-2.0/1.0/
[jbosseapapp-domx1.dev.rhcloud.com 51a4480b5696d0070d000022]\> ls -lh jbosseap/env/|grep DIR
-rw-r--r--. 1 root                     51a4480b5696d0070d000022 53 May 28 02:00 OPENSHIFT_JBOSSEAP_DIR
-rw-r--r--. 1 root                     51a4480b5696d0070d000022 59 May 28 02:00 OPENSHIFT_JBOSSEAP_LOG_DIR
[jbosseapapp-domx1.dev.rhcloud.com 51a4480b5696d0070d000022]\> ls -lh jbosseap/env/|grep IDENT
-rw-r--r--. 1 51a4480b5696d0070d000022 51a4480b5696d0070d000022 25 May 28 02:00 OPENSHIFT_JBOSSEAP_IDENT

Comment 4 Jhon Honce 2013-05-28 21:18:28 UTC

Missed some manifest configurations 

Fixed in https://github.com/openshift/li/pull/1475
Fixed in https://github.com/openshift/origin-server/pull/2647

Comment 5 Meng Bo 2013-05-29 10:04:09 UTC

Checked on devenv_3282,

The managed_files.yml manifest.yml and OPENSHIFT_<SHORT_NAME>_DIR are have the right permission now, and cannot be modified by application developer.

But for OPENSHIFT_<SHORT_NAME>_IDENT, it is still owned by gear_user for some cartridges and can be modified by application developer.

The following cart still has the problem:
All ruby, all python and all jboss cartridges.
[root@ip-10-154-145-32 openshift]# find .|grep IDENT|xargs ls -l|grep -v root
-rw-r--r--. 1 234228346353422664990720         234228346353422664990720         21 May 29 05:13 ./234228346353422664990720/ruby/env/OPENSHIFT_RUBY_IDENT
-rw-r--r--. 1 4e54eff8c84011e2a5ed22000a9a9120 4e54eff8c84011e2a5ed22000a9a9120 22 May 29 05:15 ./4e54eff8c84011e2a5ed22000a9a9120/jbossas/env/OPENSHIFT_JBOSSAS_IDENT
-rw-r--r--. 1 51a5c5bd5ec49a08dd00000f         51a5c5bd5ec49a08dd00000f         28 May 29 05:27 ./51a5c5bd5ec49a08dd00000f/python/env/OPENSHIFT_PYTHON_IDENT
-rw-r--r--. 1 51a5c5e95ec49a08dd000010         51a5c5e95ec49a08dd000010         23 May 29 05:10 ./51a5c5e95ec49a08dd000010/python/env/OPENSHIFT_PYTHON_IDENT
-rw-r--r--. 1 51a5c79c5ec49a08dd000013         51a5c79c5ec49a08dd000013         25 May 29 05:17 ./51a5c79c5ec49a08dd000013/jbossews/env/OPENSHIFT_JBOSSEWS_IDENT
-rw-r--r--. 1 6f3ed8f0c84011e2a5ed22000a9a9120 6f3ed8f0c84011e2a5ed22000a9a9120 25 May 29 05:16 ./6f3ed8f0c84011e2a5ed22000a9a9120/jbosseap/env/OPENSHIFT_JBOSSEAP_IDENT
-rw-r--r--. 1 721696331181160560328704         721696331181160560328704         25 May 29 05:18 ./721696331181160560328704/jbossews/env/OPENSHIFT_JBOSSEWS_IDENT
-rw-r--r--. 1 819209171581352628191232         819209171581352628191232         23 May 29 05:11 ./819209171581352628191232/python/env/OPENSHIFT_PYTHON_IDENT
-rw-r--r--. 1 d6d00cb0c83f11e2a5ed22000a9a9120 d6d00cb0c83f11e2a5ed22000a9a9120 21 May 29 05:12 ./d6d00cb0c83f11e2a5ed22000a9a9120/ruby/env/OPENSHIFT_RUBY_IDENT

Comment 6 Jhon Honce 2013-05-29 18:56:06 UTC

I understand the issue, files cannot be modified but they can be deleted and replace.  I have an email out to the selinux team to see if they have ideas. This is a design omission.

Comment 7 Jhon Honce 2013-06-25 00:29:58 UTC

The *IDENT files should now have the correct permissions.

Comment 8 Meng Bo 2013-06-26 02:48:58 UTC

Checked on devenv_3414, the result same as comment#5.

The OPENSHIFT_*_IDENT still can be edited by application owner. For some of cartridges.

Comment 9 Dan McPherson 2014-01-20 23:53:28 UTC

https://github.com/openshift/origin-server/pull/4535

Comment 10 openshift-github-bot 2014-01-21 01:30:06 UTC

Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/2d59318bd00e6e2893ad4e07619513dc00144def
Bug 966766

Comment 11 Meng Bo 2014-01-21 10:12:25 UTC

Issue fixed on devenv_4248,

Create all types of apps, check the file owner:

[root@ip-10-238-239-6 openshift]# find -name OPENSHIFT_*_DIR |xargs ls -l |grep -v root
[root@ip-10-238-239-6 openshift]# find -name OPENSHIFT_*_IDENT |xargs ls -l |grep -v root
[root@ip-10-238-239-6 openshift]# find -name manifest.yml |xargs ls -l |grep -v root
[root@ip-10-238-239-6 openshift]# find -name managed_files.yml |xargs ls -l |grep -v root


For migration part:

After modify the owner of the files, it can be fixed.
Before migrate:
[root@ip-10-238-239-6 env]# chown 52de42e25bb9a61c3c00004c:52de42e25bb9a61c3c00004c OPENSHIFT_DIY_DIR
[root@ip-10-238-239-6 env]# chown 52de42e25bb9a61c3c00004c:52de42e25bb9a61c3c00004c OPENSHIFT_DIY_IDENT
[root@ip-10-238-239-6 metadata]# chown 52de42e25bb9a61c3c00004c:52de42e25bb9a61c3c00004c *

After migrate:
[root@ip-10-238-239-6 env]# ls -l
total 12
-rw-r--r--. 1 root 52de42e25bb9a61c3c00004c 48 Jan 21 04:50 OPENSHIFT_DIY_DIR
-rw-r--r--. 1 root 52de42e25bb9a61c3c00004c 20 Jan 21 05:09 OPENSHIFT_DIY_IDENT
-rw-r--r--. 1 root 52de42e25bb9a61c3c00004c 55 Jan 21 05:09 OPENSHIFT_DIY_LOG_DIR
[root@ip-10-238-239-6 diy]# ls -l metadata/
total 8
-rw-r--r--. 1 root 52de42e25bb9a61c3c00004c  223 Jan 20 23:01 managed_files.yml
-rw-r--r--. 1 root 52de42e25bb9a61c3c00004c 1194 Jan 20 23:01 manifest.yml


move bug to verified.