Bug 1233482 - Selinux prevents pod from accessing glusterfs files
Summary: Selinux prevents pod from accessing glusterfs files
Keywords:
Status: CLOSED DUPLICATE of bug 1231936
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Storage
Version: 3.0.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: ---
Assignee: Mark Turansky
QA Contact: xjia
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-06-19 03:27 UTC by Jianwei Hou
Modified: 2015-07-20 00:52 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-06-19 13:24:18 UTC
Target Upstream Version:
Embargoed:



Description Jianwei Hou 2015-06-19 03:27:05 UTC
Description of problem:
Create a pod which mounts a glusterfs volume; the pod is created successfully, but permission to access the files of glusterfs is denied by SELinux

Version-Release number of selected component (if applicable):
openshift v3.0.0.0-25-g235b0e7
kubernetes v0.17.1-804-g496be63

How reproducible:
Always

Steps to Reproduce:
1. Create endpoints, pv, pvc and pod using the example: https://github.com/jhou1/openshiftv3tests/tree/master/persistent-volumes/gluster
2. After pod is running, verify the files on glusterfs can be accessed:
oc exec -p gluster ls /mnt/gluster


Actual results:
After step 2:
ls: cannot open directory /mnt/gluster: Permission denied
error: Error executing remote command: Error executing command in container: Error executing in Docker Container: 2

# oc exec -p gluster -it -- bash
bash-4.3$ ls -Zl /mnt/
total 0
drwxr-xr-x. 3 system_u:object_r:fusefs_t:s0    root root 52 Jun 17 05:28 gluster

bash-4.3$ ls /mnt/gluster/
ls: cannot open directory /mnt/gluster/: Permission denied

On the node, set selinux to permissive, then the files are accessible.
bash-4.3$ ls /mnt/gluster/
hello  index.html


Expected results:
Should be able to access glusterfs files with SELinux enforcing

Additional info:

Comment 2 Jianwei Hou 2015-06-19 04:16:05 UTC
Additional: Got same error using hostPath volume when selinux is enforcing

Comment 3 Mark Turansky 2015-06-19 13:01:06 UTC
Dupe of https://bugzilla.redhat.com/show_bug.cgi?id=1231936

Comment 4 Mark Turansky 2015-06-19 13:09:35 UTC
I believe this bug is the same as the one linked in my previous comment.  Both require SELinux solutions to allow gluster to connect, even though the approach to get there was different between the two.

Comment 5 Mark Turansky 2015-06-19 13:24:18 UTC
Cut and pasted from an email from Jan Safranek who is working with gluster:

To follow up on current development, docker-1.6.2-14.el7 adds a new
boolean to SELinux policy. This should allow docker container to access
gluster volume (optionally with -P for persistent change):

setsebool virt_sandbox_use_fusefs 1

dwalsh told me docker-1.6.2-14.el7 is heading to RHEL 7.1.3, i.e. to be
released in couple of days (2015-Jun-23?) in RHEL7 extras channel.

So what we need is just to document the boolean and encourage customers
to check docker package version (and wait for 1.6.2-14).

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1231936
Docker build: https://brewweb.devel.redhat.com/buildinfo?buildID=441835
Errata: https://errata.devel.redhat.com/advisory/20663

*** This bug has been marked as a duplicate of bug 1231936 ***
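The following node preflight check is an added example, not code from the bug report, Jan Safranek's email or the OpenShift/docker projects. It turns comment 5 into something an administrator can run on each node: it reads the installed docker version-release (via rpm) and the state of the virt_sandbox_use_fusefs boolean (via getsebool), decides whether the node needs the docker-1.6.2-14 upgrade, the setsebool -P change, or nothing, and keeps the decision logic in functions that can also be exercised offline with constructed input. It assumes a RHEL 7 node where the boolean is named exactly as in comment 5, that rpm and getsebool are on PATH (the live check is skipped otherwise), and that a docker release of 1.6.2-14 or newer carries the boolean, as the comment states.

```shell
#!/bin/sh
# Added example (not part of the bug report): preflight check for the SELinux/glusterfs
# fix described in comment 5 of bug 1233482. Assumes RHEL 7, docker from the Extras
# channel and the boolean name virt_sandbox_use_fusefs from that comment.

# Version-release comparison for docker packages, e.g. "1.6.2-14.el7" vs "1.6.2-14".
# Returns 0 (true) when $1 >= $2. The dist tag (.el7) is dropped and each dotted/dashed
# segment is compared numerically, so "1.7.0-1" > "1.6.2-14" and "1.6.2-9" < "1.6.2-14".
vercmp_ge() {
  have=$(printf '%s' "$1" | sed -e 's/\.el[0-9]*$//' -e 's/[-.]/ /g')
  want=$(printf '%s' "$2" | sed -e 's/\.el[0-9]*$//' -e 's/[-.]/ /g')
  while [ -n "$have" ] || [ -n "$want" ]; do
    h=${have%% *}; if [ "$h" = "$have" ]; then have=''; else have=${have#* }; fi
    w=${want%% *}; if [ "$w" = "$want" ]; then want=''; else want=${want#* }; fi
    h=${h:-0}; w=${w:-0}            # missing trailing segments count as 0
    [ "$h" -gt "$w" ] && return 0
    [ "$h" -lt "$w" ] && return 1
  done
  return 0
}

# Decide what a node needs. $1 is the docker version-release string, $2 is the output of
# `getsebool virt_sandbox_use_fusefs` (format: "virt_sandbox_use_fusefs --> off").
# Prints: upgrade   - docker predates 1.6.2-14, so the boolean is not in the policy yet
#         setsebool - boolean present but off; containers still cannot read fusefs_t files
#         ok        - boolean on
#         unknown   - getsebool output did not mention the boolean
node_verdict() {
  if ! vercmp_ge "$1" "1.6.2-14"; then
    echo upgrade
    return 0
  fi
  case "$(printf '%s\n' "$2" | sed -n 's/^virt_sandbox_use_fusefs --> //p')" in
    on)  echo ok ;;
    off) echo setsebool ;;
    *)   echo unknown ;;
  esac
}

# Live check, only when the node actually has rpm and getsebool. If docker is not
# installed at all, treat it as older than the fix.
if command -v rpm >/dev/null 2>&1 && command -v getsebool >/dev/null 2>&1; then
  if ! ver=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' docker 2>/dev/null); then
    ver=0-0
  fi
  state=$(getsebool virt_sandbox_use_fusefs 2>/dev/null || true)
  case "$(node_verdict "$ver" "$state")" in
    upgrade)   echo "docker $ver predates 1.6.2-14: upgrade docker from the RHEL 7 Extras channel" ;;
    setsebool) echo "boolean is off: run 'setsebool -P virt_sandbox_use_fusefs 1'" ;;
    ok)        echo "virt_sandbox_use_fusefs is on: containers may read fusefs_t volumes" ;;
    *)         echo "could not read virt_sandbox_use_fusefs; check that the policy defines it" ;;
  esac
fi
```

The -P flag from comment 5 makes the boolean change survive a reboot; without it the container would lose access again after the next restart of the node, which is easy to mistake for a regression. Note the check only covers the fusefs_t labelling seen in the ls -Z output above; a hostPath volume (comment 2) carries whatever label the host directory has and may need a different boolean or a relabel.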

