Bug 1278292 - [storage_public_178]No validation info when create pod with invalid Supplemental Groups and FSGroup
Status: CLOSED CURRENTRELEASE
Product: OpenShift Origin
Classification: Red Hat
Component: Pod
3.x
Unspecified Unspecified
medium Severity low
Assigned To: Paul Morie
Jianwei Hou
Reported: 2015-11-05 02:59 EST by DeShuai Ma
Modified: 2016-05-12 13:14 EDT (History)
Doc Type: Bug Fix
Last Closed: 2016-05-12 13:14:28 EDT
Type: Bug

Description DeShuai Ma 2015-11-05 02:59:18 EST
Description of problem:
Forked this bug from upstream: https://github.com/kubernetes/kubernetes/issues/16352
When creating a pod with invalid Supplemental Groups and FSGroup, the invalid value should be reported and pod creation should fail.

Version-Release number of selected component (if applicable):
openshift v1.0.7-287-g60781e3-dirty
kubernetes v1.2.0-alpha.1-1107-g4c8e6f4
etcd 2.1.2

How reproducible:
Always

Steps to Reproduce:
1. Create a pod with invalid Supplemental Groups and fsGroup
[root@ip-172-18-1-44 kubernetes]# cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nfs-server
  labels:
    role: nfs-server
spec:
  containers:
    - name: nfs-server
      image: jsafrane/nfs-data
      ports:
        - name: nfs
          containerPort: 2049
      securityContext:
        privileged: false
  securityContext:
    supplementalGroups:
      - -123
    fsGroup: 2147483648
[root@ip-172-18-1-44 kubernetes]# oc create -f pod.yaml 
pod "nfs-server" created

2. Check the pod
[root@ip-172-18-1-44 kubernetes]# oc get pod
NAME         READY     STATUS               RESTARTS   AGE
nfs-server   0/1       ContainerCannotRun   0          5s
[root@ip-172-18-1-44 kubernetes]# oc describe pod/nfs-server
Name:                nfs-server
Namespace:            default
Image(s):            jsafrane/nfs-data
Node:                127.0.0.1/127.0.0.1
Start Time:            Tue, 27 Oct 2015 08:38:15 +0000
Labels:                role=nfs-server
Status:                Running
Reason:                
Message:            
IP:                172.17.0.95
Replication Controllers:    <none>
Containers:
  nfs-server:
    Container ID:    docker://bcf6257270654a05aa6598330451919a63bb325ce95a531bb0ddadc0f9633ee2
    Image:        jsafrane/nfs-data
    Image ID:        docker://c33ae16781aa35f163327995f83790c60f78d0cca9e1d73d766ac5300ea30a32
    QoS Tier:
      memory:        BestEffort
      cpu:        BestEffort
    State:        Terminated
      Reason:        ContainerCannotRun
      Message:        [8] System error: Uids and gids must be in range 0-2147483647
      Exit Code:    -1
      Started:        Tue, 27 Oct 2015 08:38:15 +0000
      Finished:        Tue, 27 Oct 2015 08:38:15 +0000
    Ready:        False
    Restart Count:    0
    Environment Variables:
Conditions:
  Type        Status
  Ready     False 
Volumes:
  default-token-df70w:
    Type:    Secret (a secret that should populate this volume)
    SecretName:    default-token-df70w
Events:
  FirstSeen    LastSeen    Count    From            SubobjectPath                Reason        Message
  ─────────    ────────    ─────    ────            ─────────────                ──────        ───────
  23s        23s        1    {scheduler }                            Scheduled    Successfully assigned nfs-server to 127.0.0.1
  23s        23s        1    {kubelet 127.0.0.1}    implicitly required container POD    Pulled        Container image "beta.gcr.io/google_containers/pause:2.0" already present on machine
  23s        23s        1    {kubelet 127.0.0.1}    implicitly required container POD    Created        Created with docker id 93e8ffb337c9
  23s        23s        1    {kubelet 127.0.0.1}    implicitly required container POD    Started        Started with docker id 93e8ffb337c9
  23s        23s        1    {kubelet 127.0.0.1}    spec.containers{nfs-server}        Created        Created with docker id bcf625727065
  23s        23s        1    {kubelet 127.0.0.1}    spec.containers{nfs-server}        Failed        Failed to start with docker id bcf625727065 with error: API error (500): Cannot start container bcf6257270654a05aa6598330451919a63bb325ce95a531bb0ddadc0f9633ee2: [8] System error: Uids and gids must be in range 0-2147483647

  23s    13s    2    {kubelet 127.0.0.1}    spec.containers{nfs-server}    Pulled    Container image "jsafrane/nfs-data" already present on machine


Actual results:
1. Creating the pod gives no notice of the invalid value.
2. The pod has an error "Uids and gids must be in range 0-2147483647"

Expected results:
1. Creating the pod should report the invalid value.

Additional info:
Comment 1 Paul Weil 2015-11-05 08:53:37 EST
This is an upstream issue being addressed in https://github.com/kubernetes/kubernetes/pull/16354.
Comment 2 Paul Morie 2016-01-05 10:14:26 EST
This does need to be fixed; I reached out to the author of the upstream PR.  Will make my own PR for this if I don't get a response soon.
Comment 3 Andy Goldstein 2016-01-06 21:46:22 EST
Not a 3.1.1 blocker
Comment 4 DeShuai Ma 2016-02-24 01:52:04 EST
This bug should be fixed. Andy, could you set this bug to on_qa?
Comment 5 DeShuai Ma 2016-02-26 02:43:14 EST
Verified on openshift v3.1.1.906
[root@dhcp-128-7 origin]# oc create -f pod.yaml 
The Pod "nfs-server" is invalid.

* spec.securityContext.fsGroup: Invalid value: 2147483648: must be between 0 and 2147483647, inclusive
* spec.securityContext.supplementalGroups[0]: Invalid value: -123: must be between 0 and 2147483647, inclusive
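
Added example, not part of the bug report and not the upstream Kubernetes fix: a sketch of the create-time range check whose output is shown in Comment 5, so that out-of-range group IDs are rejected before the container runtime fails with "Uids and gids must be in range 0-2147483647". The PodSecurityContext type, checkGID and ValidateGroups are hypothetical names; only the field paths, the limits and the message wording come from the report.

```go
package main

import (
	"fmt"
	"math"
)

// PodSecurityContext is a minimal stand-in (assumption) for the pod-level
// securityContext fields used in the report; it is not the Kubernetes API type.
// The IDs are held as int64 so that 2147483648 is seen as out of range
// instead of wrapping around in a 32-bit field.
type PodSecurityContext struct {
	SupplementalGroups []int64
	FSGroup            *int64
}

// maxGID is 2147483647, the upper bound quoted in the runtime error.
const maxGID = math.MaxInt32

// checkGID returns a field error message when gid is outside 0..maxGID.
func checkGID(path string, gid int64) (string, bool) {
	if gid < 0 || gid > maxGID {
		return fmt.Sprintf("%s: Invalid value: %d: must be between 0 and %d, inclusive",
			path, gid, maxGID), false
	}
	return "", true
}

// ValidateGroups returns one message per out-of-range group ID, fsGroup first.
func ValidateGroups(sc PodSecurityContext) []string {
	var errs []string
	if sc.FSGroup != nil {
		if msg, ok := checkGID("spec.securityContext.fsGroup", *sc.FSGroup); !ok {
			errs = append(errs, msg)
		}
	}
	for i, g := range sc.SupplementalGroups {
		path := fmt.Sprintf("spec.securityContext.supplementalGroups[%d]", i)
		if msg, ok := checkGID(path, g); !ok {
			errs = append(errs, msg)
		}
	}
	return errs
}

func main() {
	fs := int64(2147483648) // values taken from the pod.yaml in the report
	sc := PodSecurityContext{SupplementalGroups: []int64{-123}, FSGroup: &fs}
	for _, e := range ValidateGroups(sc) {
		fmt.Println("*", e)
	}
}
```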
