Bug 1230586 - Pod cannot read its NFS volume files when the node has SELinux enforced
Summary: Pod cannot read its NFS volume files when the node has SELinux enforced
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OKD
Classification: Red Hat
Component: Storage
Version: 3.x
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 3.x
Assignee: Jhon Honce
QA Contact: Liang Xia
URL:
Whiteboard:
Depends On:
Blocks: 1231100
Reported: 2015-06-11 08:23 UTC by Jianwei Hou
Modified: 2015-07-07 23:48 UTC
CC List: 3 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1231100
Environment:
Last Closed: 2015-07-07 23:48:10 UTC
Target Upstream Version:
Embargoed:



Description Jianwei Hou 2015-06-11 08:23:47 UTC
Description of problem:
When SELinux is enforcing on the node, create a pod with an NFS volume and run 'ls' against the mount path of the NFS volume from the pod; the command fails with 'permission denied'.

Version-Release number of selected component (if applicable):
openshift v0.6.0.0-55-g733cf86
kubernetes v0.17.1-804-g496be6

How reproducible:
Always

Steps to Reproduce:
1. Create PV, PVC and Pod
PV: 
```
{
  "apiVersion": "v1",
  "kind": "PersistentVolume",
  "metadata": {
    "name": "nfs"
  },
  "spec": {
    "capacity": {
        "storage": "5Gi"
    },
    "accessModes": [ "ReadWriteOnce" ],
    "nfs": {
        "path": "/nfsshare",
        "server": "10.66.79.155"
    }
  }
}
```

PVC:
```
{
    "apiVersion": "v1",
    "kind": "PersistentVolumeClaim",
    "metadata": {
        "name": "nfsc"
    },
    "spec": {
        "accessModes": [ "ReadWriteOnce" ],
        "resources": {
            "requests": {
                "storage": "5Gi"
            }
        }
    }
}
```

Pod:
```
{
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {
        "name": "mypod",
        "labels": {
            "name": "frontendhttp"
        }
    },
    "spec": {
        "containers": [{
            "name": "myfrontend",
            "image": "nginx",
            "ports": [{
                "containerPort": 80,
                "name": "http-server"
            }],
            "volumeMounts": [{
                "mountPath": "/usr/share/nginx/html",
                "name": "pvol"
            }]
        }],
        "volumes": [{
            "name": "pvol",
            "persistentVolumeClaim": {
                "claimName": "nfsc"
            }
        }]
    }
}
```
2. Run `oc get pods` and make sure the pod is running.
3. List the files of mountPath '/usr/share/nginx/html' from the pod:
```
oc exec -p mypod ls /usr/share/nginx/html
```
4. Set SELinux to permissive:
```
setenforce 0
```
5. Repeat step 3.

Actual results:
After step 3:
```
# oc exec -p mypod ls /usr/share/nginx/html
ls: cannot open directory /usr/share/nginx/html: Permission denied
error: Error executing remote command: Error executing command in container: Error executing in Docker Container: 2
```

After step 5: the files of the NFS volume can be listed:
```
# oc exec -p mypod ls /usr/share/nginx/html
test1
test2
test_retain
```

Expected results:
Should successfully list the files

Additional info:

Comment 1 Johnny Liu 2015-06-11 08:39:56 UTC
It seems like this is a Docker SELinux issue in RHEL 7.1: all Docker mount operations (docker run --volume=[]) are denied by SELinux when the system is in enforcing mode, regardless of whether it is an NFS mount.


docker-1.6.2-8.el7.x86_64
docker-selinux-1.6.2-8.el7.x86_64
selinux-policy-3.13.1-23.el7_1.7.noarch
selinux-policy-targeted-3.13.1-23.el7_1.7.noarch

Comment 2 Jhon Honce 2015-06-11 18:24:13 UTC
Running

```
setsebool virt_use_nfs 1
```

should resolve the issue.

Comment 3 Jianwei Hou 2015-06-12 07:11:29 UTC
Verified with:
openshift v0.6.0.1-38-g0e02a6b
kubernetes v0.17.1-804-g496be63

```
# getsebool virt_use_nfs
virt_use_nfs --> on
```

NFS works now.

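The symptom from the description and the fix from Comment 2, as an added node check (example code, not from the bug report or the OKD project). It assumes the RHEL 7.1-era labels svirt_lxc_*_t for container processes and nfs_t for NFS mounts, auditd's AVC line format, and /var/log/audit/audit.log as the audit log path; the sample audit lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the bug report or OKD. Checks a node for the
# failure in this bug: a container domain denied access to nfs_t-labelled files
# while the virt_use_nfs boolean is off. Assumes RHEL 7.1-era labels
# (svirt_lxc_*_t containers, nfs_t NFS mounts) and auditd's AVC line format.

# Count AVC denials in audit log file $1 where an svirt_lxc_* container domain
# is denied access to an object labelled nfs_t (the signature of this bug).
count_container_nfs_denials() {
    grep -c 'avc: *denied.*scontext=[^ ]*:svirt_lxc_[a-z_]*:[^ ]*.*tcontext=[^ ]*:nfs_t:' "$1" || true
}

# Verdict from `getenforce` output ($1) and `getsebool virt_use_nfs` output ($2):
#   ok              boolean on, NFS volumes readable with SELinux enforcing
#   permissive-only works only because SELinux is permissive (step 5 of the bug)
#   set-boolean     enforcing and boolean off: run `setsebool -P virt_use_nfs 1`
#   not-applicable  SELinux disabled on this node
assess_virt_use_nfs() {
    [ "$1" = "Disabled" ] && { echo "not-applicable"; return 0; }
    case "$2" in
        *"--> on")  echo "ok" ;;
        *"--> off") [ "$1" = "Permissive" ] && echo "permissive-only" || echo "set-boolean" ;;
        *)          echo "unknown-boolean"; return 1 ;;   # boolean missing from the policy
    esac
}

# Live check on a node: uses the real commands when present; log path is assumed.
check_node() {
    log=${1:-/var/log/audit/audit.log}
    if command -v getenforce >/dev/null 2>&1 && command -v getsebool >/dev/null 2>&1; then
        verdict=$(assess_virt_use_nfs "$(getenforce)" "$(getsebool virt_use_nfs 2>/dev/null)")
    else
        verdict="selinux-tools-missing"
    fi
    denials=0
    [ -r "$log" ] && denials=$(count_container_nfs_denials "$log")
    echo "verdict=$verdict container_nfs_denials=$denials"
}

# Constructed sample audit lines (not from the report): two denials of the kind
# `ls /usr/share/nginx/html` triggers in step 3, plus one unrelated denial.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
type=AVC msg=audit(1434011000.123:456): avc:  denied  { read } for  pid=2468 comm="ls" name="html" dev="0:41" ino=12 scontext=system_u:system_r:svirt_lxc_net_t:s0:c12,c34 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1434011000.456:457): avc:  denied  { open } for  pid=2468 comm="ls" path="/usr/share/nginx/html" dev="0:41" ino=12 scontext=system_u:system_r:svirt_lxc_net_t:s0:c12,c34 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1434011001.000:458): avc:  denied  { write } for  pid=3001 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF
echo "sample denials: $(count_container_nfs_denials "$SAMPLE_LOG")"
echo "enforcing, boolean off: $(assess_virt_use_nfs Enforcing 'virt_use_nfs --> off')"
```

Run `check_node` on a real node to combine the live boolean state with the denial count from its audit log; a non-zero count with verdict `ok` means the denials predate the fix.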
