Bug 966766
| Summary: | Certain cartridge files should default to being "locked" | | |
|---|---|---|---|
| Product: | OpenShift Online | Reporter: | Jhon Honce <jhonce> |
| Component: | Image | Assignee: | Dan McPherson <dmcphers> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | libra bugs <libra-bugs> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 2.x | CC: | bmeng, dmcphers, xtian |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-01-30 00:47:46 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Jhon Honce
2013-05-23 22:05:57 UTC
Tested it on devenv_3277: Create any type of application, manifest files and managed_files.yml are root owned, only root has the permission to write:

```
[rubyapp-domx1.dev.rhcloud.com metadata]> ls -lh
total 12K
-rw-r--r--. 1 root 51a43b995696d0070d000021  792 May 28 01:07 jenkins_shell_command
-rw-r--r--. 1 root 51a43b995696d0070d000021  160 May 26 12:37 managed_files.yml
-rw-r--r--. 1 root 51a43b995696d0070d000021 3.1K May 26 12:37 manifest.yml
[rubyapp-domx1.dev.rhcloud.com metadata]> echo "test" >>manifest.yml
bash: manifest.yml: Permission denied
[rubyapp-domx1.dev.rhcloud.com metadata]> echo "test" >>managed_files.yml
bash: managed_files.yml: Permission denied
```

But OPENSHIFT_<SHORT_NAME>_DIR and OPENSHIFT_<SHORT_NAME>_IDENT could still be writable by application developers:

```
[rubyapp-domx1.dev.rhcloud.com env]> ls -lh
total 16K
-rw-r--r--. 1 51a43b995696d0070d000021 51a43b995696d0070d000021 49 May 28 01:07 OPENSHIFT_RUBY_DIR
-rw-r--r--. 1 51a43b995696d0070d000021 51a43b995696d0070d000021 21 May 28 01:07 OPENSHIFT_RUBY_IDENT
-rw-r--r--. 1 root 51a43b995696d0070d000021 56 May 28 01:07 OPENSHIFT_RUBY_LOG_DIR
-rw-r--r--. 1 51a43b995696d0070d000021 51a43b995696d0070d000021 4 May 28 01:07 OPENSHIFT_RUBY_VERSION
[rubyapp-domx1.dev.rhcloud.com env]> cat OPENSHIFT_RUBY_DIR
/var/lib/openshift/51a43b995696d0070d000021/ruby/
[rubyapp-domx1.dev.rhcloud.com env]> echo "/var/lib/openshift/51a43b995696d0070d000021" >> OPENSHIFT_RUBY_DIR
[rubyapp-domx1.dev.rhcloud.com env]> cat OPENSHIFT_RUBY_DIR
/var/lib/openshift/51a43b995696d0070d000021/ruby//var/lib/openshift/51a43b995696d0070d000021
[rubyapp-domx1.dev.rhcloud.com env]> cat OPENSHIFT_RUBY_IDENT
redhat:ruby:1.8:0.0.1
[rubyapp-domx1.dev.rhcloud.com env]> echo redhat > OPENSHIFT_RUBY_IDENT
[rubyapp-domx1.dev.rhcloud.com env]> cat OPENSHIFT_RUBY_IDENT
redhat
[rubyapp-domx1.dev.rhcloud.com env]> echo test >> OPENSHIFT_RUBY_LOG_DIR
bash: OPENSHIFT_RUBY_LOG_DIR: Permission denied
```

After trying more, find that OPENSHIFT_<SHORT_NAME>_DIR and OPENSHIFT_<SHORT_NAME>_IDENT are fixed in some of the cartridges (perl-5.10, zend-5.6, nodejs-0.6, php-5.3), but not fixed for the remaining cartridges. The fixed and non-fixed results are listed below:

1) The fixed cartridges result:

perl-5.10

```
[perlapp1-domx1.dev.rhcloud.com env]> ls -lh
total 20K
-rw-r--r--. 1 root c8174368c74111e2afc522000aa64188  57 May 27 22:53 OPENSHIFT_PERL_DIR
-rw-r--r--. 1 root c8174368c74111e2afc522000aa64188  22 May 27 22:53 OPENSHIFT_PERL_IDENT
-rw-r--r--. 1 root c8174368c74111e2afc522000aa64188  64 May 27 22:53 OPENSHIFT_PERL_LOG_DIR
-rw-r--r--. 1 root c8174368c74111e2afc522000aa64188   5 May 26 12:36 OPENSHIFT_PERL_VERSION
-rw-r--r--. 1 root c8174368c74111e2afc522000aa64188 155 May 27 22:53 PERL5LIB
```

zend-5.6

```
[zendapp-domx1.dev.rhcloud.com 400163360719229891379200]> ls -lh zend/env/
total 28K
-rw-r--r--. 1 root 400163360719229891379200 49 May 28 02:06 OPENSHIFT_ZEND_DIR
-rw-r--r--. 1 root 400163360719229891379200 21 May 28 02:06 OPENSHIFT_ZEND_IDENT
-rw-r--r--. 1 root 400163360719229891379200 56 May 28 02:06 OPENSHIFT_ZEND_LOG_DIR
-rw-r--r--. 1 root 400163360719229891379200  4 May 28 02:06 OPENSHIFT_ZEND_UID
```

nodejs-0.6

```
[nodejs-domx1.dev.rhcloud.com 51a449925696d0070d000024]> ls -lh nodejs/env/
total 16K
-rw-r--r--. 1 root 51a449925696d0070d000024 51 May 28 02:07 OPENSHIFT_NODEJS_DIR
-rw-r--r--. 1 root 51a449925696d0070d000024 23 May 28 02:07 OPENSHIFT_NODEJS_IDENT
-rw-r--r--. 1 root 51a449925696d0070d000024 58 May 28 02:07 OPENSHIFT_NODEJS_LOG_DIR
```

php-5.3

```
[phpapp-domx1.dev.rhcloud.com env]> ls -lh
total 20K
-rw-r--r--. 1 root 155534315137086200479744 48 May 28 01:33 OPENSHIFT_PHP_DIR
-rw-r--r--. 1 root 155534315137086200479744 20 May 28 01:33 OPENSHIFT_PHP_IDENT
-rw-r--r--. 1 root 155534315137086200479744 55 May 28 01:33 OPENSHIFT_PHP_LOG_DIR
```

2) The non-fixed result

2a) For ruby-1.9 and ruby-1.8, both OPENSHIFT_<SHORT_NAME>_DIR and OPENSHIFT_<SHORT_NAME>_IDENT could still be written by application developer:

```
[ruby19app-domx1.dev.rhcloud.com env]> ls -lh
-rw-r--r--. 1 191225326926730578886656 191225326926730578886656 49 May 28 01:32 OPENSHIFT_RUBY_DIR
-rw-r--r--. 1 191225326926730578886656 191225326926730578886656 21 May 28 01:32 OPENSHIFT_RUBY_IDENT
-rw-r--r--. 1 root 191225326926730578886656 56 May 28 01:32 OPENSHIFT_RUBY_LOG_DIR
```

2b) For python-2.6/2.7/3.3, jbossews-1.0/2.0, jbosseap-6.0, jbossas-7, OPENSHIFT_<SHORT_NAME>_DIR is not writable, but OPENSHIFT_<SHORT_NAME>_IDENT could still be writable:

python-2.6/2.7/3.3

```
[python26app-domx1.dev.rhcloud.com 51a441c55696d00867000020]> ls -lh python/env/
total 24K
-rw-r--r--. 1 root 51a441c55696d00867000020 51 May 28 01:34 OPENSHIFT_PYTHON_DIR
-rw-r--r--. 1 51a441c55696d00867000020 51a441c55696d00867000020 23 May 28 01:34 OPENSHIFT_PYTHON_IDENT
-rw-r--r--. 1 root 51a441c55696d00867000020 58 May 28 01:34 OPENSHIFT_PYTHON_LOG_DIR
```

jbossas-7

```
-rw-r--r--. 1 root dee555dcc75811e28bc422000aa64188 60 May 28 01:38 OPENSHIFT_JBOSSAS_DIR
-rw-r--r--. 1 dee555dcc75811e28bc422000aa64188 dee555dcc75811e28bc422000aa64188 22 May 28 01:38 OPENSHIFT_JBOSSAS_IDENT
```

jbosseap/jbossews-2.0/1.0/

```
[jbosseapapp-domx1.dev.rhcloud.com 51a4480b5696d0070d000022]> ls -lh jbosseap/env/|grep DIR
-rw-r--r--. 1 root 51a4480b5696d0070d000022 53 May 28 02:00 OPENSHIFT_JBOSSEAP_DIR
-rw-r--r--. 1 root 51a4480b5696d0070d000022 59 May 28 02:00 OPENSHIFT_JBOSSEAP_LOG_DIR
[jbosseapapp-domx1.dev.rhcloud.com 51a4480b5696d0070d000022]> ls -lh jbosseap/env/|grep IDENT
-rw-r--r--. 1 51a4480b5696d0070d000022 51a4480b5696d0070d000022 25 May 28 02:00 OPENSHIFT_JBOSSEAP_IDENT
```

Missed some manifest configurations.

Fixed in https://github.com/openshift/li/pull/1475

Fixed in https://github.com/openshift/origin-server/pull/2647

Checked on devenv_3282. The managed_files.yml, manifest.yml and OPENSHIFT_<SHORT_NAME>_DIR have the right permissions now, and cannot be modified by application developer. But for OPENSHIFT_<SHORT_NAME>_IDENT, it is still owned by gear_user for some cartridges and can be modified by application developer. The following carts still have the problem: all ruby, all python and all jboss cartridges.

```
[root@ip-10-154-145-32 openshift]# find .|grep IDENT|xargs ls -l|grep -v root
-rw-r--r--. 1 234228346353422664990720 234228346353422664990720 21 May 29 05:13 ./234228346353422664990720/ruby/env/OPENSHIFT_RUBY_IDENT
-rw-r--r--. 1 4e54eff8c84011e2a5ed22000a9a9120 4e54eff8c84011e2a5ed22000a9a9120 22 May 29 05:15 ./4e54eff8c84011e2a5ed22000a9a9120/jbossas/env/OPENSHIFT_JBOSSAS_IDENT
-rw-r--r--. 1 51a5c5bd5ec49a08dd00000f 51a5c5bd5ec49a08dd00000f 28 May 29 05:27 ./51a5c5bd5ec49a08dd00000f/python/env/OPENSHIFT_PYTHON_IDENT
-rw-r--r--. 1 51a5c5e95ec49a08dd000010 51a5c5e95ec49a08dd000010 23 May 29 05:10 ./51a5c5e95ec49a08dd000010/python/env/OPENSHIFT_PYTHON_IDENT
-rw-r--r--. 1 51a5c79c5ec49a08dd000013 51a5c79c5ec49a08dd000013 25 May 29 05:17 ./51a5c79c5ec49a08dd000013/jbossews/env/OPENSHIFT_JBOSSEWS_IDENT
-rw-r--r--. 1 6f3ed8f0c84011e2a5ed22000a9a9120 6f3ed8f0c84011e2a5ed22000a9a9120 25 May 29 05:16 ./6f3ed8f0c84011e2a5ed22000a9a9120/jbosseap/env/OPENSHIFT_JBOSSEAP_IDENT
-rw-r--r--. 1 721696331181160560328704 721696331181160560328704 25 May 29 05:18 ./721696331181160560328704/jbossews/env/OPENSHIFT_JBOSSEWS_IDENT
-rw-r--r--. 1 819209171581352628191232 819209171581352628191232 23 May 29 05:11 ./819209171581352628191232/python/env/OPENSHIFT_PYTHON_IDENT
-rw-r--r--. 1 d6d00cb0c83f11e2a5ed22000a9a9120 d6d00cb0c83f11e2a5ed22000a9a9120 21 May 29 05:12 ./d6d00cb0c83f11e2a5ed22000a9a9120/ruby/env/OPENSHIFT_RUBY_IDENT
```

I understand the issue, files cannot be modified but they can be deleted and replaced. I have an email out to the selinux team to see if they have ideas.

This is a design omission.

The *IDENT files should now have the correct permissions.

Checked on devenv_3414, the result is the same as comment#5. The OPENSHIFT_*_IDENT still can be edited by application owner for some of the cartridges.

Commit pushed to master at https://github.com/openshift/origin-server
https://github.com/openshift/origin-server/commit/2d59318bd00e6e2893ad4e07619513dc00144def
Bug 966766

Issue fixed on devenv_4248. Create all types of apps, check the file owner:

```
[root@ip-10-238-239-6 openshift]# find -name OPENSHIFT_*_DIR |xargs ls -l |grep -v root
[root@ip-10-238-239-6 openshift]# find -name OPENSHIFT_*_IDENT |xargs ls -l |grep -v root
[root@ip-10-238-239-6 openshift]# find -name manifest.yml |xargs ls -l |grep -v root
[root@ip-10-238-239-6 openshift]# find -name managed_files.yml |xargs ls -l |grep -v root
```

For migration part: after modifying the owner of the files, it can be fixed.

Before migrate:

```
[root@ip-10-238-239-6 env]# chown 52de42e25bb9a61c3c00004c:52de42e25bb9a61c3c00004c OPENSHIFT_DIY_DIR
[root@ip-10-238-239-6 env]# chown 52de42e25bb9a61c3c00004c:52de42e25bb9a61c3c00004c OPENSHIFT_DIY_IDENT
[root@ip-10-238-239-6 metadata]# chown 52de42e25bb9a61c3c00004c:52de42e25bb9a61c3c00004c *
```

After migrate:

```
[root@ip-10-238-239-6 env]# ls -l
total 12
-rw-r--r--. 1 root 52de42e25bb9a61c3c00004c 48 Jan 21 04:50 OPENSHIFT_DIY_DIR
-rw-r--r--. 1 root 52de42e25bb9a61c3c00004c 20 Jan 21 05:09 OPENSHIFT_DIY_IDENT
-rw-r--r--. 1 root 52de42e25bb9a61c3c00004c 55 Jan 21 05:09 OPENSHIFT_DIY_LOG_DIR
[root@ip-10-238-239-6 diy]# ls -l metadata/
total 8
-rw-r--r--. 1 root 52de42e25bb9a61c3c00004c  223 Jan 20 23:01 managed_files.yml
-rw-r--r--. 1 root 52de42e25bb9a61c3c00004c 1194 Jan 20 23:01 manifest.yml
```

Move bug to verified.
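The invariant this bug verifies by hand with `find ... | xargs ls -l | grep -v root` (manifest.yml, managed_files.yml and the OPENSHIFT_<SHORT_NAME>_DIR / OPENSHIFT_<SHORT_NAME>_IDENT env files must be root-owned so the gear user cannot change them), plus the point raised mid-thread that a root-owned file in a gear-writable directory can still be deleted and replaced, can be checked on a node with the audit below. This is added example code, not part of the bug report or of origin-server; it assumes the v2 layout /var/lib/openshift/<gear uuid>/<cartridge>/ seen in the ls output above and that a gear's gid equals its uid.

```python
import os
import re
import stat
from typing import List, NamedTuple

# File names the bug says must be locked against the gear (application) user.
PROTECTED = re.compile(r"^(manifest\.yml|managed_files\.yml|OPENSHIFT_[A-Z0-9]+_(DIR|IDENT))$")

class Entry(NamedTuple):
    """Ownership and mode of one path (from os.lstat, or constructed in tests)."""
    uid: int
    gid: int
    mode: int

def reasons_writable(f: Entry, parent: Entry, gear_uid: int) -> List[str]:
    """Why the gear user could change f; empty list means the file is locked.
    Assumption: as on OpenShift v2 nodes, the gear's gid equals its uid."""
    out = []
    if f.uid == gear_uid:
        out.append("owned by gear user")
    elif f.uid != 0:
        out.append("owned by uid %d, not root" % f.uid)
    if f.mode & stat.S_IWOTH or (f.mode & stat.S_IWGRP and f.gid == gear_uid):
        out.append("mode lets gear user write")
    # Point raised in the bug: a root-owned file can still be deleted and
    # replaced when the gear user can write to the directory containing it.
    if parent.uid == gear_uid and parent.mode & stat.S_IWUSR:
        out.append("parent dir writable by gear user (delete-and-replace)")
    elif parent.mode & stat.S_IWOTH and not parent.mode & stat.S_ISVTX:
        out.append("parent dir world-writable without sticky bit")
    return out

def entry(path: str) -> Entry:
    st = os.lstat(path)
    return Entry(st.st_uid, st.st_gid, st.st_mode)

def audit_gear(gear_home: str) -> List[str]:
    """Return '<path>: <reason>' for each protected file under one gear home.
    The gear uid is taken from the home directory, which the gear user owns."""
    gear_uid = os.lstat(gear_home).st_uid
    findings = []
    for root, _dirs, files in os.walk(gear_home):
        parent = entry(root)
        for name in files:
            if PROTECTED.match(name):
                path = os.path.join(root, name)
                for why in reasons_writable(entry(path), parent, gear_uid):
                    findings.append("%s: %s" % (path, why))
    return findings
```

Run as root on a node and call `audit_gear('/var/lib/openshift/<gear uuid>')` for each gear; an empty list means that gear's cartridge metadata is locked.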