This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 1277093 - [platformmanagement_public_495]Can't found the groups info in the container result
[platformmanagement_public_495]Can't found the groups info in the container r...
Status: CLOSED CURRENTRELEASE
Product: OpenShift Origin
Classification: Red Hat
Component: Auth (Show other bugs)
3.x
Unspecified Unspecified
medium Severity medium
: ---
: ---
Assigned To: zhou ying
weiwei jiang
: Regression
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-11-02 05:42 EST by zhou ying
Modified: 2016-10-30 18:54 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-23 16:16:39 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description zhou ying 2015-11-02 05:42:10 EST
Description of problem:
When create pod, the supplementalGroups and fsGroup info were in the pod ,but use docker inspect can't find the groups info in the container

Version-Release number of selected component (if applicable):
AMI:devenv-rhel7_2619
openshift v1.0.7-109-g3cf7f3c
kubernetes v1.2.0-alpha.1-1107-g4c8e6f4
etcd 2.1.2

How reproducible:
always

Steps to Reproduce:
1. Create a new project, check the project info:
oc new-project zhouyt
Now using project "zhouyt" on server "https://localhost:8443".
[root@ip-172-18-4-110 amd64]# oc get project zhouyt -o json
{
    "kind": "Project",
    "apiVersion": "v1",
    "metadata": {
        "name": "zhouyt",
        "selfLink": "/oapi/v1/projects/zhouyt",
        "uid": "792e069d-8141-11e5-b272-0e4c22043fc9",
        "resourceVersion": "313",
        "creationTimestamp": "2015-11-02T09:09:51Z",
        "annotations": {
            "openshift.io/description": "",
            "openshift.io/display-name": "",
            "openshift.io/sa.scc.mcs": "s0:c6,c5",
            "openshift.io/sa.scc.supplemental-groups": "1000040000/10000",
            "openshift.io/sa.scc.uid-range": "1000040000/10000"
        }
    },
    "spec": {
        "finalizers": [
            "openshift.io/origin",
            "kubernetes"
        ]
    },
    "status": {
        "phase": "Active"
    }
}
2. Create pod ;
3. Check the pod info:
4. Check the container info:

Actual results:
3. Can see the groups info by the pod:
[root@ip-172-18-0-114 amd64]# oc get pod hello-pod -o json
[root@ip-172-18-0-114 amd64]# oc get pod hello-pod -o yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    openshift.io/scc: restricted
  creationTimestamp: 2015-11-02T09:10:48Z
  labels:
    name: hello-pod
  name: hello-pod
  namespace: zhouyt
  resourceVersion: "356"
  selfLink: /api/v1/namespaces/zhouyt/pods/hello-pod
  uid: 9b8c3c9b-8141-11e5-b272-0e4c22043fc9
spec:
  containers:
  - image: bmeng/hello-openshift
    imagePullPolicy: IfNotPresent
    name: hello-pod
    ports:
    - containerPort: 80
      protocol: TCP
    resources: {}
    securityContext:
      privileged: false
      runAsUser: 1000040000
      seLinuxOptions:
        level: s0:c6,c5
    terminationMessagePath: /dev/termination-log
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: default-token-x5zwy
      readOnly: true
  dnsPolicy: ClusterFirst
  host: ip-172-18-0-114.ec2.internal
  imagePullSecrets:
  - name: default-dockercfg-jwo21
  nodeName: ip-172-18-0-114.ec2.internal
  restartPolicy: Always
  securityContext:
    fsGroup: 1000040000
    seLinuxOptions:
      level: s0:c6,c5
    supplementalGroups:
    - 1000040000
  serviceAccount: default
  serviceAccountName: default
  terminationGracePeriodSeconds: 30
  volumes:
  - name: default-token-x5zwy
    secret:
      secretName: default-token-x5zwy
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: 2015-11-02T09:10:56Z
    status: "True"
    type: Ready
  containerStatuses:
  - containerID: docker://e6eddacbaf5875fd4110b9729b10d3d65e44081e222ef69a4b26643f1f995900
    image: bmeng/hello-openshift
    imageID: docker://43d68a0853e276fdca42dc5adee03b64c955999c0d82a20571ce6c1b49b11680
    lastState: {}
    name: hello-pod
    ready: true
    restartCount: 0
    state:
      running:
        startedAt: 2015-11-02T09:10:56Z
  hostIP: 172.18.0.114
  phase: Running
  podIP: 172.17.0.3
  startTime: 2015-11-02T09:10:48Z
4. Could not see the groups info in container:
[root@ip-172-18-0-114 amd64]# docker inspect e6eddacbaf58|grep -A 3 -i group
        "CgroupParent": ""
    },
    "Config": {
        "Hostname": "hello-pod",

Expected results:
The groups info should not be absent in container info

Additional info:
When use the ami: devenv-fedora_2595, the container result was correct.
[root@ip-172-18-7-42 amd64]# oc get pod hello-pod -o yaml |grep -i -e group -e docker 
  - name: default-dockercfg-je6cn
    fsGroup: 1000030000
    supplementalGroups:
  - containerID: docker://157a1182c7b444785f2cec5ac432f02157582a6261cdfdb1a623e921d4e98cef
    imageID: docker://43d68a0853e276fdca42dc5adee03b64c955999c0d82a20571ce6c1b49b11680
[root@ip-172-18-7-42 amd64]# 
[root@ip-172-18-7-42 amd64]# 
[root@ip-172-18-7-42 amd64]# docker inspect 157a1182c7b4|grep -A 3 -i group
        "GroupAdd": [
            "1000030999",
            "1000030000"
        ],
--
        "CgroupParent": "",
        "ConsoleSize": [
            0,
            0
Comment 1 Paul Morie 2015-11-03 10:40:34 EST
What docker version are you using?  You need to have the latest 1.8.2.
Comment 2 Paul Morie 2015-11-03 11:50:20 EST
Looks like the docker version is incorrect on the RHEL7 AMI:

[root@ip-172-18-4-13 ~]# docker version
Client version: 1.7.1
Client API version: 1.19
Package Version (client): docker-1.7.1-115.el7.x86_64
Go version (client): go1.4.2
Git commit (client): 446ad9b/1.7.1
OS/Arch (client): linux/amd64
Server version: 1.7.1
Server API version: 1.19
Package Version (server): docker-1.7.1-115.el7.x86_64
Go version (server): go1.4.2
Git commit (server): 446ad9b/1.7.1
OS/Arch (server): linux/amd64

Should be 1.8.2

I will work on getting the package on that AMI changed.
Comment 3 Paul Morie 2015-11-03 14:48:20 EST
This has to be verified using the openshift-rhel7next AMI for now.  That has the correct version of docker.
Comment 4 zhou ying 2015-11-04 01:51:23 EST
Confirmed on, the issue fixed .
devenv-rhel7next_2621
openshift v1.0.7-109-g3cf7f3c
kubernetes v1.2.0-alpha.1-1107-g4c8e6f4
etcd 2.1.2

[root@ip-172-18-1-155 amd64]# docker version
Client:
 Version:      1.8.2
 API version:  1.20
 Package Version: docker-1.8.2-8.el7.x86_64
 Go version:   go1.4.2
 Git commit:   a01dc02/1.8.2
 Built:        
 OS/Arch:      linux/amd64

Server:
 Version:      1.8.2
 API version:  1.20
 Package Version: 
 Go version:   go1.4.2
 Git commit:   a01dc02/1.8.2
 Built:        
 OS/Arch:      linux/amd64

Note You need to log in before you can comment on or make changes to this bug.