Bug 1293805 - Default SCC forbids recycler pod from being created, causing Persistent Volume to fail to recycle
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Storage
Version: 3.1.0
Hardware/OS: Unspecified / Unspecified
Priority: medium
Severity: medium
Assigned To: Mark Turansky
QA Contact: Liang Xia
Blocks: 1267746
Reported: 2015-12-23 02:03 EST by Liang Xia
Modified: 2017-03-08 13 EST
Doc Type: Bug Fix
Last Closed: 2016-05-12 12:26:11 EDT
Type: Bug

External Trackers
Red Hat Product Errata RHSA-2016:1064 (priority normal, status SHIPPED_LIVE): Important: Red Hat OpenShift Enterprise 3.2 security, bug fix, and enhancement update; last updated 2016-05-12 16:19:17 EDT

Description Liang Xia 2015-12-23 02:03:56 EST
Description of problem:
Default SCC forbids the recycler pod from being created,
thus the Persistent Volume cannot be recycled.

Version-Release number of selected component (if applicable):
openshift v3.1.1.0
kubernetes v1.1.0-origin-1107-g4c8e6f4
etcd 2.1.2

How reproducible:
Always

Steps to Reproduce:
1. Create a PV (persistent volume) with reclaim policy "Recycle".
2. Create a PVC (persistent volume claim).
3. Create a pod using the above PVC.
4. Delete the pod and the PVC.
5. Check the PV status.

Actual results:
# oc describe pv nfs
Name:        nfs
Labels:        <none>
Status:        Failed
Claim:        lxiap/nfsc
Reclaim Policy:    Recycle
Access Modes:    RWO
Capacity:    5Gi
Message:    Recycling error: Unexpected error creating recycler pod:  Pod "pv-recycler-nfs-" is forbidden: unable to validate against any security context constraint: [provider restricted: .spec.containers[0].securityContext.securityContext.runAsUser: invalid value '0', Details: UID on container pv-recycler does not match required range.  Found 0, required min: 1000000000 max: 1000009999]
Source:
    Type:    NFS (an NFS mount that lasts the lifetime of a pod)
    Server:    10.240.0.5
    Path:    /data
    ReadOnly:    false


Expected results:
Default SCC should allow the recycler pod to be created and run.
PV should be Available after the recycler pod has finished its job.

Additional info:
# oc get scc
NAME               PRIV      CAPS      HOSTDIR   SELINUX     RUNASUSER          FSGROUP    SUPGROUP   PRIORITY
anyuid             false     []        false     MustRunAs   RunAsAny           RunAsAny   RunAsAny   10
hostaccess         false     []        true      MustRunAs   MustRunAsRange     RunAsAny   RunAsAny   <none>
hostmount-anyuid   false     []        true      MustRunAs   RunAsAny           RunAsAny   RunAsAny   <none>
nonroot            false     []        false     MustRunAs   MustRunAsNonRoot   RunAsAny   RunAsAny   <none>
privileged         true      []        true      RunAsAny    RunAsAny           RunAsAny   RunAsAny   <none>
restricted         false     []        false     MustRunAs   MustRunAsRange     RunAsAny   RunAsAny   <none>
Comment 1 David Eads 2016-01-27 09:47:06 EST
@markturansky Looks like you forgot to add some SCC powers for the recycler SA.  You'll want to document what you think you need when you add it here: https://github.com/openshift/origin/blob/master/pkg/cmd/server/bootstrappolicy/securitycontextconstraints.go#L236-L250
Comment 2 Mark Turansky 2016-01-28 12:11:53 EST
Fixed in https://github.com/openshift/origin/pull/6884
Comment 3 Kenjiro Nakayama 2016-02-08 20:03:42 EST
How is the progress of this ticket?

https://github.com/openshift/origin/pull/6884 is still not merged.

One of the enterprise customers hit this issue, and we need the fix as soon as possible.
Comment 6 Ryan Howe 2016-02-09 15:01:29 EST
Current workaround for v3.1.1.6

1. SA "pv-recycler-controller" should already be created and located in the openshift-infra namespace [1]:

  $ oc get sa -n openshift-infra

2. If this service account is not present, we will need to add it manually [2].

3. Add the service account to the SCC hostmount-anyuid:

  $ oadm policy add-scc-to-user hostmount-anyuid system:serviceaccount:openshift-infra:pv-recycler-controller

*NOTE: Persistent Volumes already in a failed state will not recover and will need to be deleted and added back to the environment. The contents will also need to be manually scrubbed.

[1]
~~~
┌─[root@master1]─[~]
└──> oc get sa -n openshift-infra 
NAME                        SECRETS   AGE
build-controller            2         24d
builder                     3         24d
default                     4         24d
deployer                    2         24d
deployment-controller       2         24d
hpa-controller              2         24d
job-controller              3         24d
pv-binder-controller        3         13d
pv-controller               2         24d
pv-provisioner-controller   2         13d
pv-recycler-controller      2         13d
replication-controller      2         24d
~~~

[2]
~~~
┌─[root@master1]─[~]
└──> oc create -n openshift-infra -f - <<API
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pv-recycler-controller
API
~~~
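As an added example (not part of comment 6 and not OpenShift project code), a POSIX shell check for the workaround state above: it parses `oc get sa` and `oc get scc -o yaml` output to confirm the service account exists and is listed in the hostmount-anyuid SCC, and runs the comment's `oadm` command only when the user is missing. The parsing functions read stdin, so they are also exercised here against constructed sample output; `oc`/`oadm` on PATH is assumed only for the live path.

```shell
#!/bin/sh
# Added example: verify (and, if needed, apply) the workaround from comment 6.
# Assumes `oc`/`oadm` on PATH for the live path; the parsing functions read
# stdin so they can also be run against the constructed samples below.
SA_NS=openshift-infra
SA_NAME=pv-recycler-controller
SCC=hostmount-anyuid
SA_USER="system:serviceaccount:${SA_NS}:${SA_NAME}"

# sa_listed NAME: reads an `oc get sa` table on stdin; succeeds if NAME is a row.
sa_listed() {
  awk -v n="$1" 'NR > 1 && $1 == n { found = 1 } END { exit !found }'
}

# scc_has_user USER: reads `oc get scc <name> -o yaml` on stdin; succeeds if
# USER appears under the top-level `users:` list.
scc_has_user() {
  awk -v u="$1" '
    /^users:/                 { inusers = 1; next }
    inusers && /^- /          { if ($2 == u) found = 1; next }
    inusers && /^[A-Za-z]/    { inusers = 0 }
    END                       { exit !found }'
}

# Constructed sample output (not captured from a real cluster).
SAMPLE_SA='NAME                        SECRETS   AGE
default                     4         24d
pv-recycler-controller      2         13d'
SAMPLE_SCC_BEFORE='kind: SecurityContextConstraints
metadata:
  name: hostmount-anyuid
users: []'
SAMPLE_SCC_AFTER='kind: SecurityContextConstraints
metadata:
  name: hostmount-anyuid
users:
- system:serviceaccount:openshift-infra:pv-recycler-controller'

# Live path: check the cluster and apply the comment's oadm command if needed.
check_live() {
  oc get sa -n "$SA_NS" | sa_listed "$SA_NAME" || {
    echo "missing SA ${SA_NS}/${SA_NAME}; create it first (see [2])" >&2; return 1; }
  if oc get scc "$SCC" -o yaml | scc_has_user "$SA_USER"; then
    echo "ok: ${SA_USER} already in SCC ${SCC}"
  else
    oadm policy add-scc-to-user "$SCC" "$SA_USER"
  fi
}

if command -v oc >/dev/null 2>&1; then check_live; fi
```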
Comment 8 Mark Turansky 2016-02-17 09:16:04 EST
The fix has merged: https://github.com/openshift/origin/pull/6884
Comment 9 Liang Xia 2016-02-22 00:46:31 EST
Verified on version,
$ openshift version
openshift v3.1.1.904
kubernetes v1.2.0-alpha.7-703-gbc4550d
etcd 2.2.5

Persistent Volumes can be recycled now.
Comment 14 errata-xmlrpc 2016-05-12 12:26:11 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2016:1064
