Description of problem:
Permission denied when writing to the directory of a mounted GCE PD volume, even when SELinux is permissive.

Version-Release number of selected component (if applicable):
openshift v1.0.6-644-ga034e2f
kubernetes v1.1.0-alpha.1-653-g86b4e77

How reproducible:
always

Steps to Reproduce:
1. Set SELinux to permissive:
   setenforce 0

2. Create PV, PVC, pod:
   oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/persistent-volumes/gce/pv-retain-rwx.json
   oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/persistent-volumes/gce/claim-rwx.json
   oc get pv
   oc create -f pod.json

   pod.json:
   {
     "apiVersion": "v1",
     "kind": "Pod",
     "metadata": {
       "name": "gce1",
       "labels": {
         "name": "frontendhttp"
       }
     },
     "spec": {
       "containers": [{
         "name": "myfrontend",
         "image": "jhou/hello-openshift",
         "imagePullPolicy": "IfNotPresent",
         "securityContext": {
           "capabilities": {},
           "privileged": true
         },
         "ports": [{
           "containerPort": 80,
           "name": "http-server"
         }],
         "volumeMounts": [{
           "mountPath": "/mnt/gce",
           "name": "pvol"
         }]
       }],
       "volumes": [{
         "name": "pvol",
         "persistentVolumeClaim": {
           "claimName": "gcec"
         }
       }]
     }
   }

   oc get pods
   NAME      READY     STATUS    RESTARTS   AGE
   gce1      1/1       Running   0          21m

3. Write to the persistent disk:
   oc exec gce1 -it -- bash
   bash-4.2$ touch /mnt/gce/file1
   touch: cannot touch '/mnt/gce/file1': Permission denied
   bash-4.2$ ls -ld /mnt/gce/
   drwxr-xr-x. 2 root root 4096 Oct 16 08:38 /mnt/gce/

Actual results:
Failed to create the file, permission denied.

Expected results:
Be able to create the file.

Additional info:
ls -Zd /root/openshift/openshift.local.volumes/pods/df11fceb-73ee-11e5-a8af-42010af00004/volumes/kubernetes.io~gce-pd/gce
drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 /root/openshift/openshift.local.volumes/pods/df11fceb-73ee-11e5-a8af-42010af00004/volumes/kubernetes.io~gce-pd/gce
I can reproduce the bug, but only with SELinux in Enforcing mode. In permissive mode, my pod can write to a GCE PD, even using your .json files (only with a different pdName in pv-retain-rwx.json). The reason is that Kubernetes/OpenShift creates a new filesystem there with unlabeled_t and Docker containers are not allowed to write there. Can you please confirm it's caused by SELinux? Your "setenforce 0" in step 1 implies otherwise and I cannot reproduce the bug then.
> /root/openshift/openshift.local.volumes/pods/df11fceb-73ee-11e5-a8af-42010af00004/volumes/kubernetes.io~gce-pd/gce
> drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0

https://github.com/kubernetes/kubernetes/pull/15323 should solve the labeling problem, but your pod will have to specify an SELinux label in SecurityContext.SELinuxOptions.Level.
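The two comments above pin the failure on the label of the volume directory: a directory of type unlabeled_t is not writable by a confined container regardless of DAC mode bits, and after the upstream fix the pod must carry an seLinuxOptions.level so the directory can be relabeled for it. The following added script (written for this thread; it is not code from the bug report, Kubernetes or OpenShift) parses the `ls -Zd` line from the report together with a pod manifest and decides whether a confined container could write to that directory. The set of container-writable types (svirt_sandbox_file_t, container_file_t) and the MCS dominance rule are assumptions about the targeted policy; the level s0:c1,c2 and the "relabeled" ls -Zd line are constructed for the example.

```python
import json
import re

# File types a confined container process may write to. Assumption about the
# targeted policy, not taken from the bug report; unlabeled_t (the label seen
# on the page) is deliberately absent.
CONTAINER_WRITABLE_TYPES = {"svirt_sandbox_file_t", "container_file_t"}

# Matches one line of `ls -Zd` output in the form shown in the report:
#   drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 /path
LS_Z_RE = re.compile(
    r"^(?P<mode>\S+)\s+(?P<user>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<ctx>[^:\s]+:[^:\s]+:[^:\s]+:\S+)\s+(?P<path>\S+)$"
)


def parse_context(ctx):
    """Split 'user:role:type:level' (level may itself contain ':')."""
    user, role, type_, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level}


def mcs_categories(level):
    """'s0:c1,c2' -> {'c1','c2'}; 's0' -> set(); ranges like c1.c3 are expanded."""
    if ":" not in level:
        return set()
    cats = set()
    for item in level.split(":", 1)[1].split(","):
        if "." in item:
            lo, hi = (int(x[1:]) for x in item.split("."))
            cats.update("c%d" % i for i in range(lo, hi + 1))
        elif item:
            cats.add(item)
    return cats


def parse_ls_z_line(line):
    m = LS_Z_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised ls -Z line: %r" % line)
    fields = m.groupdict()
    fields["context"] = parse_context(fields.pop("ctx"))
    return fields


def pod_selinux_level(pod):
    """seLinuxOptions.level from a container securityContext, then the pod-level
    securityContext; None when neither sets it."""
    spec = pod.get("spec", {})
    scopes = [c.get("securityContext", {}) for c in spec.get("containers", [])]
    scopes.append(spec.get("securityContext", {}))
    for sc in scopes:
        level = sc.get("seLinuxOptions", {}).get("level")
        if level:
            return level
    return None


def container_can_write(volume_ctx, pod_level):
    """(ok, reason): the directory type must be container-writable and its MCS
    categories must be a subset of the process's (MCS dominance, assumed).
    A pod with no level is treated as plain s0 for this check."""
    if volume_ctx["type"] not in CONTAINER_WRITABLE_TYPES:
        return False, "type %s is not writable by confined containers" % volume_ctx["type"]
    if not mcs_categories(volume_ctx["level"]) <= mcs_categories(pod_level or "s0"):
        return False, "level %s is not dominated by pod level %s" % (volume_ctx["level"], pod_level)
    return True, "ok"


def check(ls_z_line, pod):
    return container_can_write(parse_ls_z_line(ls_z_line)["context"], pod_selinux_level(pod))


VOLUME_DIR = ("/root/openshift/openshift.local.volumes/pods/"
              "df11fceb-73ee-11e5-a8af-42010af00004/volumes/kubernetes.io~gce-pd/gce")
# Label as reported in the bug.
REPORTED_LS_Z = "drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 " + VOLUME_DIR
# Constructed: the same directory once relabeled for a pod running at s0:c1,c2.
RELABELED_LS_Z = "drwxr-xr-x. root root system_u:object_r:svirt_sandbox_file_t:s0:c1,c2 " + VOLUME_DIR

# The report's pod, trimmed, plus the seLinuxOptions.level the fix requires
# (the value s0:c1,c2 is constructed).
POD_WITH_LEVEL = json.loads("""
{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "gce1"},
 "spec": {"containers": [{"name": "myfrontend", "image": "jhou/hello-openshift",
                          "securityContext": {"seLinuxOptions": {"level": "s0:c1,c2"}},
                          "volumeMounts": [{"mountPath": "/mnt/gce", "name": "pvol"}]}],
          "volumes": [{"name": "pvol", "persistentVolumeClaim": {"claimName": "gcec"}}]}}
""")
POD_WITHOUT_LEVEL = json.loads(json.dumps(POD_WITH_LEVEL))
del POD_WITHOUT_LEVEL["spec"]["containers"][0]["securityContext"]

if __name__ == "__main__":
    for name, line, pod in [("reported (unlabeled_t)", REPORTED_LS_Z, POD_WITH_LEVEL),
                            ("relabeled, level set", RELABELED_LS_Z, POD_WITH_LEVEL),
                            ("relabeled, level missing", RELABELED_LS_Z, POD_WITHOUT_LEVEL)]:
        ok, reason = check(line, pod)
        print("%-26s writable=%s (%s)" % (name, ok, reason))
```

Run against the reported line the check fails on the type alone, which is why `setenforce 0` versus enforcing is the first thing to confirm: the DAC bits (drwxr-xr-x, root) would let root in the container write, so only the label explains the denial in enforcing mode. The third case shows the other half of the fix comment: a correctly relabeled directory is still not dominated by a pod that sets no level.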
Upstream PR merged. This PR will bring the fix to origin: https://github.com/openshift/origin/pull/5169

Please test with the above branch or wait for it to get merged to verify.
Verified user can read/write in the pod when SELinux is enforcing.

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

# oc exec gce -it -- bash
bash-4.2$ ls /mnt/gce/
file1
bash-4.2$ touch /mnt/gce/file2
bash-4.2$ ls /mnt/gce/
file1  file2

# openshift version
openshift v1.0.7-109-g3cf7f3c
kubernetes v1.2.0-alpha.1-1107-g4c8e6f4
etcd 2.1.2

Move bug to verified.