Description of problem:
When creating a pod, the supplementalGroups and fsGroup info was in the pod, but docker inspect can't find the groups info in the container.

Version-Release number of selected component (if applicable):
AMI:devenv-rhel7_2619
openshift v1.0.7-109-g3cf7f3c
kubernetes v1.2.0-alpha.1-1107-g4c8e6f4
etcd 2.1.2

How reproducible:
always

Steps to Reproduce:
1. Create a new project, check the project info:

oc new-project zhouyt
Now using project "zhouyt" on server "https://localhost:8443".
[root@ip-172-18-4-110 amd64]# oc get project zhouyt -o json
{
    "kind": "Project",
    "apiVersion": "v1",
    "metadata": {
        "name": "zhouyt",
        "selfLink": "/oapi/v1/projects/zhouyt",
        "uid": "792e069d-8141-11e5-b272-0e4c22043fc9",
        "resourceVersion": "313",
        "creationTimestamp": "2015-11-02T09:09:51Z",
        "annotations": {
            "openshift.io/description": "",
            "openshift.io/display-name": "",
            "openshift.io/sa.scc.mcs": "s0:c6,c5",
            "openshift.io/sa.scc.supplemental-groups": "1000040000/10000",
            "openshift.io/sa.scc.uid-range": "1000040000/10000"
        }
    },
    "spec": {
        "finalizers": [
            "openshift.io/origin",
            "kubernetes"
        ]
    },
    "status": {
        "phase": "Active"
    }
}

2. Create pod;
3. Check the pod info:
4. Check the container info:

Actual results:
3. Can see the groups info in the pod:

[root@ip-172-18-0-114 amd64]# oc get pod hello-pod -o json
[root@ip-172-18-0-114 amd64]# oc get pod hello-pod -o yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    openshift.io/scc: restricted
  creationTimestamp: 2015-11-02T09:10:48Z
  labels:
    name: hello-pod
  name: hello-pod
  namespace: zhouyt
  resourceVersion: "356"
  selfLink: /api/v1/namespaces/zhouyt/pods/hello-pod
  uid: 9b8c3c9b-8141-11e5-b272-0e4c22043fc9
spec:
  containers:
  - image: bmeng/hello-openshift
    imagePullPolicy: IfNotPresent
    name: hello-pod
    ports:
    - containerPort: 80
      protocol: TCP
    resources: {}
    securityContext:
      privileged: false
      runAsUser: 1000040000
      seLinuxOptions:
        level: s0:c6,c5
    terminationMessagePath: /dev/termination-log
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: default-token-x5zwy
      readOnly: true
  dnsPolicy: ClusterFirst
  host: ip-172-18-0-114.ec2.internal
  imagePullSecrets:
  - name: default-dockercfg-jwo21
  nodeName: ip-172-18-0-114.ec2.internal
  restartPolicy: Always
  securityContext:
    fsGroup: 1000040000
    seLinuxOptions:
      level: s0:c6,c5
    supplementalGroups:
    - 1000040000
  serviceAccount: default
  serviceAccountName: default
  terminationGracePeriodSeconds: 30
  volumes:
  - name: default-token-x5zwy
    secret:
      secretName: default-token-x5zwy
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: 2015-11-02T09:10:56Z
    status: "True"
    type: Ready
  containerStatuses:
  - containerID: docker://e6eddacbaf5875fd4110b9729b10d3d65e44081e222ef69a4b26643f1f995900
    image: bmeng/hello-openshift
    imageID: docker://43d68a0853e276fdca42dc5adee03b64c955999c0d82a20571ce6c1b49b11680
    lastState: {}
    name: hello-pod
    ready: true
    restartCount: 0
    state:
      running:
        startedAt: 2015-11-02T09:10:56Z
  hostIP: 172.18.0.114
  phase: Running
  podIP: 172.17.0.3
  startTime: 2015-11-02T09:10:48Z

4. Could not see the groups info in the container:

[root@ip-172-18-0-114 amd64]# docker inspect e6eddacbaf58|grep -A 3 -i group
        "CgroupParent": ""
    },
    "Config": {
        "Hostname": "hello-pod",

Expected results:
The groups info should not be absent in the container info.

Additional info:
When using the AMI devenv-fedora_2595, the container result was correct.

[root@ip-172-18-7-42 amd64]# oc get pod hello-pod -o yaml |grep -i -e group -e docker
  - name: default-dockercfg-je6cn
    fsGroup: 1000030000
    supplementalGroups:
  - containerID: docker://157a1182c7b444785f2cec5ac432f02157582a6261cdfdb1a623e921d4e98cef
    imageID: docker://43d68a0853e276fdca42dc5adee03b64c955999c0d82a20571ce6c1b49b11680
[root@ip-172-18-7-42 amd64]#
[root@ip-172-18-7-42 amd64]#
[root@ip-172-18-7-42 amd64]# docker inspect 157a1182c7b4|grep -A 3 -i group
        "GroupAdd": [
            "1000030999",
            "1000030000"
        ],
--
        "CgroupParent": "",
        "ConsoleSize": [
            0,
            0

What docker version are you using? You need to have the latest 1.8.2.
Looks like the docker version is incorrect on the RHEL7 AMI:

[root@ip-172-18-4-13 ~]# docker version
Client version: 1.7.1
Client API version: 1.19
Package Version (client): docker-1.7.1-115.el7.x86_64
Go version (client): go1.4.2
Git commit (client): 446ad9b/1.7.1
OS/Arch (client): linux/amd64
Server version: 1.7.1
Server API version: 1.19
Package Version (server): docker-1.7.1-115.el7.x86_64
Go version (server): go1.4.2
Git commit (server): 446ad9b/1.7.1
OS/Arch (server): linux/amd64

Should be 1.8.2. I will work on getting the package on that AMI changed.

This has to be verified using the openshift-rhel7next AMI for now. That has the correct version of docker.
Confirmed, the issue is fixed on:

devenv-rhel7next_2621
openshift v1.0.7-109-g3cf7f3c
kubernetes v1.2.0-alpha.1-1107-g4c8e6f4
etcd 2.1.2

[root@ip-172-18-1-155 amd64]# docker version
Client:
 Version: 1.8.2
 API version: 1.20
 Package Version: docker-1.8.2-8.el7.x86_64
 Go version: go1.4.2
 Git commit: a01dc02/1.8.2
 Built:
 OS/Arch: linux/amd64

Server:
 Version: 1.8.2
 API version: 1.20
 Package Version:
 Go version: go1.4.2
 Git commit: a01dc02/1.8.2
 Built:
 OS/Arch: linux/amd64
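
Added example (not part of the original report or of OpenShift's code): the manual comparison done in this thread, as a check that every GID in the pod's securityContext (fsGroup and supplementalGroups) appears in the container's HostConfig.GroupAdd from docker inspect. The function names and the trimmed JSON samples are constructed for illustration; the 1.8.2 minimum is the version named in the comments above.

```python
import json
import re

MIN_DOCKER = (1, 8, 2)  # minimum docker version named in the thread

# Constructed samples, trimmed to the fields the check reads.
POD = '{"spec": {"securityContext": {"fsGroup": 1000040000, "supplementalGroups": [1000040000]}}}'
INSPECT_1_7_1 = '[{"HostConfig": {"CgroupParent": ""}}]'
INSPECT_1_8_2 = '[{"HostConfig": {"GroupAdd": ["1000040999", "1000040000"], "CgroupParent": ""}}]'


def expected_groups(pod):
    """GIDs requested by the pod-level securityContext."""
    sc = (pod.get("spec") or {}).get("securityContext") or {}
    groups = {int(g) for g in sc.get("supplementalGroups") or []}
    if sc.get("fsGroup") is not None:
        groups.add(int(sc["fsGroup"]))
    return groups


def container_groups(inspect_doc):
    """Numeric GIDs in HostConfig.GroupAdd; docker inspect prints a JSON array."""
    if isinstance(inspect_doc, list):
        inspect_doc = (inspect_doc or [{}])[0]
    group_add = (inspect_doc.get("HostConfig") or {}).get("GroupAdd") or []
    return {int(g) for g in group_add if str(g).isdigit()}


def missing_groups(pod_json, inspect_json):
    """Pod GIDs absent from the container; extra container GIDs are tolerated."""
    want = expected_groups(json.loads(pod_json))
    have = container_groups(json.loads(inspect_json))
    return sorted(want - have)


def docker_new_enough(version):
    """True if a version string such as '1.7.1' is at least MIN_DOCKER."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    return bool(m) and tuple(map(int, m.groups())) >= MIN_DOCKER


if __name__ == "__main__":
    for ami, ver, doc in (("rhel7", "1.7.1", INSPECT_1_7_1),
                          ("rhel7next", "1.8.2", INSPECT_1_8_2)):
        print(ami, "docker ok:", docker_new_enough(ver),
              "missing GIDs:", missing_groups(POD, doc))
```

On a live node the two inputs would come from `oc get pod hello-pod -o json` and `docker inspect <container id>`.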