Bug 1271611 - Permission denied when write to the dir for aws ebs volume mounted with selinux is permissive
Status: CLOSED NOTABUG
Product: OpenShift Origin
Classification: Red Hat
Component: Storage
Version: 3.x
Priority: medium
Severity: medium
Assigned To: Sami Wagiaalla
Liang Xia
Reported: 2015-10-14 07:30 EDT by chaoyang
Modified: 2016-06-07 18:46 EDT
Last Closed: 2015-11-02 10:29:32 EST
Doc Type: Bug Fix
Type: Bug
Attachments: None
Description chaoyang 2015-10-14 07:30:49 EDT
Description of problem:
Permission denied when write to the dir for aws ebs volume mounted 

Version-Release number of selected component (if applicable):
oc v1.0.6-328-gdf1f19e
kubernetes v1.1.0-alpha.1-653-g86b4e77

How reproducible:
always

Steps to Reproduce:
1. Create a pod:
apiVersion: v1
kind: Pod
metadata:
  name: aws-web
spec:
  containers:
    - name: web
      image: jhou/hello-openshift
      ports:
        - name: web
          containerPort: 80
          protocol: TCP
      volumeMounts:
        - name: html-volume
          mountPath: "/usr/share/nginx/html"
  volumes:
    - name: html-volume
      awsElasticBlockStore:
        volumeID: aws://us-east-1d/vol-dabedb20
        fsType: ext4

[root@ip-172-18-12-131 ~]# oc get pods
NAME      READY     STATUS    RESTARTS   AGE
aws-web   1/1       Running   0          26m

2. Set SELinux to permissive:
setenforce 0

3. Check the write permission:

[root@ip-172-18-12-131 ~]# oc exec aws-web -ti -- bash
bash-4.2$ touch /usr/share/nginx/html/file1
touch: cannot touch '/usr/share/nginx/html/file1': Permission denied


Actual results:
Could not write to the dir where the aws ebs volume is mounted.

Expected results:
Should have write permission.

Additional info:
"read" permission is correct.
Comment 1 Sami Wagiaalla 2015-10-29 09:31:56 EDT
Please provide the following:

oc exec aws-web id
and
ls -Zd <path to where the disk is mounted on the host>

It is likely that the user in the container does not match the owner of the device in which case this is not a bug.
Comment 2 chaoyang 2015-11-01 22:03:00 EST
Hi, see the results like below:

bash-4.2$ ls -Zd /usr/share/nginx/html/
drwxrwsr-x. root 1000020000 system_u:object_r:svirt_sandbox_file_t:s0:c0,c5 /usr/share/nginx/html/


[root@ip-172-18-9-96 ~]# oc exec aws-web id
uid=1000020000 gid=0(root)
Comment 3 Sami Wagiaalla 2015-11-02 10:29:32 EST
Okay so this is not a bug.
The volume is owned by root, but the user inside the container is 1000020000. Either change the volume owner to 1000020000 or add the group from the volume (which also happens to be 1000020000) as a SupplementalGroup.
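The diagnosis in Comments 2 and 3 is a plain discretionary-access-control question, which is why setting SELinux to permissive in step 2 changed nothing: the container runs as uid 1000020000 with gid 0, the mount point is owned by root with group 1000020000 and mode drwxrwsr-x, so the process matches neither the owner nor any of its groups and gets the "other" bits, which lack write. The script below is an added example (not part of the bug report or of OpenShift) that parses the two outputs quoted in the bug, evaluates the same check the kernel performs, and shows that adding 1000020000 as a supplemental group flips the result. Assumptions: the only symbolic name it resolves is "root" (to_id), and the pod-spec field it emits is spec.securityContext.supplementalGroups, the mechanism Comment 3 refers to as SupplementalGroup.

```python
import re
import stat

# Constructed sample input, copied from the values quoted in this bug:
# the host-side `ls -Zd` of the mounted volume and the container's `id` output.
LS_ZD_LINE = ("drwxrwsr-x. root 1000020000 "
              "system_u:object_r:svirt_sandbox_file_t:s0:c0,c5 /usr/share/nginx/html/")
ID_LINE = "uid=1000020000 gid=0(root)"


def to_id(name):
    """Assumption: 'root' is the only symbolic name we meet; the rest are numeric ids."""
    return 0 if name == "root" else int(name)


def mode_from_string(mode_str):
    """Turn an `ls -l` mode column such as 'drwxrwsr-x.' into numeric mode bits.
    's'/'S' mark setuid (owner slot) or setgid (group slot); 't'/'T' mark sticky."""
    perms = mode_str[1:10]            # skip the type char, ignore the trailing '.'
    bits = 0
    for i, ch in enumerate(perms):
        shift = 8 - i                 # bit position of this r/w/x slot
        if ch in "rwx":
            bits |= 1 << shift
        elif ch in "sS":
            bits |= stat.S_ISUID if i == 2 else stat.S_ISGID
            if ch == "s":             # lowercase means the execute bit is also set
                bits |= 1 << shift
        elif ch in "tT":
            bits |= stat.S_ISVTX
            if ch == "t":
                bits |= 1 << shift
    return bits


def parse_ls_zd(line):
    """Split an `ls -Zd` line into (mode_bits, owner_id, group_id, selinux_label, path)."""
    mode_str, owner, group, label, path = line.split(None, 4)
    return mode_from_string(mode_str), to_id(owner), to_id(group), label, path


def parse_id(line):
    """Extract uid and the set of gids from `id` output (gid plus any groups=... list)."""
    uid = int(re.search(r"uid=(\d+)", line).group(1))
    gids = {int(re.search(r"gid=(\d+)", line).group(1))}
    groups = re.search(r"groups=(\S+)", line)
    if groups:
        gids.update(int(g.split("(")[0]) for g in groups.group(1).split(","))
    return uid, gids


def dac_write_allowed(mode, owner, group, uid, gids):
    """Classic Unix discretionary check: root bypasses; otherwise exactly one of the
    owner/group/other permission sets applies, selected by uid first, then by gid."""
    if uid == 0:
        return True
    if uid == owner:
        return bool(mode & stat.S_IWUSR)
    if group in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def can_write(ls_line, id_line, supplemental_groups=()):
    """Can the identity from `id` write into the directory from `ls -Zd`?
    supplemental_groups models what spec.securityContext.supplementalGroups
    adds to the container process's group list."""
    mode, owner, group, _label, _path = parse_ls_zd(ls_line)
    uid, gids = parse_id(id_line)
    return dac_write_allowed(mode, owner, group, uid, gids | set(supplemental_groups))


def supplemental_groups_patch(gid):
    """Pod-spec fragment granting the volume's group; merge it under the pod's `spec`."""
    return {"securityContext": {"supplementalGroups": [gid]}}


if __name__ == "__main__":
    mode, owner, group, label, path = parse_ls_zd(LS_ZD_LINE)
    print(f"{path}: mode {oct(mode)}, owner {owner}, group {group}, label {label}")
    print("write as-is:", can_write(LS_ZD_LINE, ID_LINE))
    print("write with supplementalGroups:", can_write(LS_ZD_LINE, ID_LINE, [group]))
    print("pod spec fix:", supplemental_groups_patch(group))
```

The 's' in the group execute slot of drwxrwsr-x is the setgid bit, so files created inside the directory inherit group 1000020000; that is why granting that single supplemental group is sufficient for both the directory and everything written into it, without changing ownership on the volume.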
