Bug 1264699 - kubernetes do not respect tpmfiles.d policy
Summary: kubernetes do not respect tpmfiles.d policy
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kubernetes
Version: 22
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Jan Chaloupka
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-09-20 21:02 UTC by M. Scherer
Modified: 2016-07-14 00:24 UTC (History)
7 users (show)

Fixed In Version: kubernetes-1.2.0-0.24.git4a3f9c5.fc24 kubernetes-1.2.0-0.24.git4a3f9c5.fc23
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-10 05:57:26 UTC
Type: Bug


Attachments (Terms of Use)
Add /run ownership in the specfile (1.12 KB, patch)
2015-09-20 21:03 UTC, M. Scherer
no flags Details | Diff

Description M. Scherer 2015-09-20 21:02:28 UTC
Description of problem:
/run/kubernetes is listed as unowned. 

]
That's against policy:
https://fedoraproject.org/wiki/Packaging:Tmpfiles.d

Version-Release number of selected component (if applicable):
kubernetes-1.1.0-0.5.gite44c8e6.fc22.x86_64


How reproducible:
each time

Steps to Reproduce:
1. install kubernetes
2. verify with rpm -qf 


Actual results:
# rpm -qf /run/kubernetes/
file /run/kubernetes is not owned by any package


Expected results:
file is owned, and with the right permission.

Additional info:

This also mean that something create /run/kubernetes/ owned as root:root, which prevent kubernetes-apiserver from starting:

Sep 20 14:01:15 gluster2 kube-apiserver[17759]: E0920 14:01:15.230961   17759 server.go:485] Unable to listen for secure (open /var/run/kubernetes/apiserver.crt: no such file or directory); will try again.


And likely linked to http://ask.projectatomic.io/en/question/199/missing-apiservercrt-unable-to-listen-for-secure/

Here is a trivial patch to add that.

Comment 1 M. Scherer 2015-09-20 21:03:40 UTC
Created attachment 1075354 [details]
Add /run ownership in the specfile

Comment 2 Jan Chaloupka 2015-09-23 08:13:25 UTC
Thanks for that.

Comment 3 Jan Chaloupka 2016-06-28 13:08:27 UTC
Installing the latest kubernetes built in rawhide I can see only files generated by kubelet:

ls /run/kubernetes/
kubelet.crt  kubelet.key

Comment 4 Jan Chaloupka 2016-06-28 13:28:41 UTC
kube-apiserver needs the directory as well (--cert-dir="/var/run/kubernetes") [1].

As kube-apiserver service is run under kube user and kubelet can be installed on the same host, the owner of the directory must be kube. Contrib is already covering that [2]. So, only the ownership of the directory is really missing.

[1] http://kubernetes.io/docs/admin/kube-apiserver/
[2] https://github.com/kubernetes/contrib/blob/master/init/systemd/tmpfiles.d/kubernetes.conf

Comment 5 Fedora Update System 2016-06-28 15:29:53 UTC
kubernetes-1.2.0-0.23.git4a3f9c5.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-34357c1671

Comment 6 Fedora Update System 2016-06-28 15:30:41 UTC
kubernetes-1.2.0-0.23.git4a3f9c5.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-38a8c6915d

Comment 7 Fedora Update System 2016-06-29 10:45:23 UTC
kubernetes-1.2.0-0.24.git4a3f9c5.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-f612484f9e

Comment 8 Fedora Update System 2016-06-29 10:45:53 UTC
kubernetes-1.2.0-0.24.git4a3f9c5.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-223c8e5da7

Comment 9 Fedora Update System 2016-06-30 22:27:09 UTC
kubernetes-1.2.0-0.24.git4a3f9c5.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-223c8e5da7

Comment 10 Fedora Update System 2016-06-30 22:54:42 UTC
kubernetes-1.2.0-0.24.git4a3f9c5.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-f612484f9e

Comment 11 Fedora Update System 2016-07-10 05:57:16 UTC
kubernetes-1.2.0-0.24.git4a3f9c5.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2016-07-14 00:24:47 UTC
kubernetes-1.2.0-0.24.git4a3f9c5.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.