Description of problem: When calling oo-su -d $UUID -c /bin/true I am seeing an ArgumentError. Exception `ArgumentError' at /opt/rh/ruby193/root/usr/share/gems/gems/openshift-origin-node-1.14.7/lib/openshift-origin-node/utils/selinux.rb:81 - can't find user for 1250 command: /sbin/runuser -m -s /bin/sh 520c70dadbd93c9d510000f2 -c "exec /usr/bin/runcon 'unconfined_u:system_r:openshift_t:s0:c1,c228' /bin/true" The exit status is 0 meaning that it was correctly executed. Version-Release number of selected component (if applicable): openshift-origin-node-util-1.14.3-1.el6oso.noarch openshift-origin-msg-node-mcollective-1.14.4-1.el6oso.noarch rubygem-openshift-origin-node-1.14.7-1.el6oso.noarch How reproducible: Every time. Steps to Reproduce: 1. oo-su -d $UUID -c /bin/true 2. Look at the ArgumentError 3. Actual results: ArgumentError is returned. Expected results: This should not throw any exceptions. Additional info: Line 81 inside of selinux.rb does the following: uid = Etc.getpwnam(name.to_s).uid Executing this in IRB does the following: >> Etc.getpwnam("520c70dadbd93c9d510000f2").uid => 1250 This appears to work. Notice the message in the ArgumentError. 'can't find user for 1250' A quick print statement before line 81 returns the UID for the user and _not_ the name which it is expecting: NAME: => 1250 This could mean two things. The function call was expecting the username and received the UID for the user _OR_ the call for getpwnam needs to be replaced with Etc.getpwuid(uid). The only issue with getpwuid is that we are fetching the uid when we already have it.
Commit pushed to master at https://github.com/openshift/origin-server https://github.com/openshift/origin-server/commit/ca244c2676a9bbcce8dd136da38579503ba49c53 Bug 1013653 - Remove '.to_i' in oo-su command to avoid wrong user id
still able to reproduce with devenv_3851 [root@ip-10-185-15-146 ~]# oo-su -d 524c6e7be772ff45f1000004 -c /bin/true Exception `ArgumentError' at /opt/rh/ruby193/root/usr/share/gems/gems/openshift-origin-node-1.15.6/lib/openshift-origin-node/utils/selinux.rb:81 - can't find user for 1000 command: /sbin/runuser -m -s /bin/sh 524c6e7be772ff45f1000004 -c "exec /usr/bin/runcon 'unconfined_u:system_r:openshift_t:s0:c0,c1000' /bin/true"
Ahh you are right, I misread the bug... The solution is to remove duplicated 'getpwnam' from oo-su command, but instead pass the 'uuid' that we already have. In this case no error is printed out and the command should work as expected. Pull request (merging now): https://github.com/openshift/origin-server/pull/3766
Commit pushed to master at https://github.com/openshift/origin-server https://github.com/openshift/origin-server/commit/d96c47912c3dd793f88d993f8a8aeeb5d8edb5dc Bug 1013653 - Fix oo-su command so it is not duplicating the getpwnam call
verified with devenv_3864 [root@ip-10-166-59-222 ~]# oo-su -d 524f120381224b5006000007 -c /bin/true command: /sbin/runuser -m -s /bin/sh 524f120381224b5006000007 -c "exec /usr/bin/runcon 'unconfined_u:system_r:openshift_t:s0:c0,c1000' /bin/true"