Description of problem:
Ops team is creating PVs according to the OpenShift 3.1 documentation found here: https://docs.openshift.com/enterprise/3.1/install_config/persistent_storage/persistent_storage_aws.html

We are basically doing these steps:
1. create volume (same region, AZ as our OS cluster)
2. create the definition yaml file on a master
3. add the PV via oc create

When OpenShift goes to use the volume, it appears to format the volume, BUT the permissions are not correct and the pod is unable to write to the volume.

I have spoken with Sami and we believe there is a right way to fix it and a workaround.

1. FIX. We have tested, and confirmed working, adding fsGroup to the deployment config will correctly create the permissions on the volume. I was told that OpenShift does not add the "fsGroup" setting by default in 3.1, but should in 3.2. This is hearsay at this point.

2. The workaround. We need to format and change permissions of the volume when it is created. This is much more work.

Version-Release number of selected component (if applicable):
3.1.1.6-4

How reproducible:
Very.

Steps to Reproduce:
1. Create volume (as mentioned above, no formatting)
2. Create an app with a persistent volume
3. When OpenShift tries to use it, the pod will error.

Expected results:
The pod should mount the volume, format it, and correct the permissions.

Additional info:
In speaking with engineering, they stated:

<engineering> so, in 3.1 (if my memory serves correctly) the field was there which is why you were able to set it on the DC but the support for auto-populating it was not. XXX put in a PR for 3.2 to set the SCC strategies so that they would start forcing values in that field
<engineering> prior to that you had to either manually set it or you had to set permissions on the directory manually so they were readable
<engineering> but in 3.1 it was found that auto-setting it was breaking almost any template that used volumes so it was set to RunAsAny to turn it off

This *might* be expected behavior of 3.1, but if it is, it's not documented properly. Using the current docs does not provide a working PV setup.
Matt, what SCC is your pod being matched against? FSGroup should be set by default in the restricted and hostns SCCs now, but you will need to specify it for other SCCs.
I talked to Matt yesterday on IRC and we established that his pod is being matched against the 'restricted' SCC. He had to run, but we need to understand what the state of the SCC is as a next step.
In 3.1, the default "fsGroup" setting in the restricted Security Context needs to be changed to "MustRunAs" in order to allow OpenShift to format and set the right permissions. This can be done with the following command and will be incorporated into our config changes:

oc patch scc/restricted -p '{"fsGroup": {"type": "MustRunAs"}}'
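The comments above describe two ways a pod ends up with an fsGroup: the DC sets it explicitly, or the SCC's fsGroup strategy is MustRunAs and the value is auto-populated. The script below is an added illustration of that decision, written for this report; it is not OpenShift's admission code. It models the SCC as the JSON `oc get scc/restricted -o json` would show, applies the same patch body as the `oc patch` command in the comment, and uses the namespace annotation `openshift.io/sa.scc.supplemental-groups` (a real OpenShift annotation, value `<start>/<size>`) as the source of the auto-populated value. The sample SCC, namespace annotation and pod specs are constructed; the merge and range handling are simplified assumptions, not the server's exact logic.

```python
"""Model of how a pod's fsGroup is chosen under an SCC (illustrative, constructed)."""
import json

# Constructed sample SCC, before and after the patch from the comment above.
RESTRICTED_SCC_RUNASANY = {"metadata": {"name": "restricted"}, "fsGroup": {"type": "RunAsAny"}}
PATCH_FROM_COMMENT = {"fsGroup": {"type": "MustRunAs"}}

# Constructed namespace annotation: OpenShift records the allocated
# supplemental-group range for a project as "<start>/<size>".
NAMESPACE_ANNOTATIONS = {"openshift.io/sa.scc.supplemental-groups": "1000010000/10000"}

# Constructed pod specs: one relies on the SCC, one sets fsGroup itself (the "FIX" in the report).
POD_NO_FSGROUP = {"containers": [{"name": "app", "image": "example/app"}]}
POD_WITH_FSGROUP = {"securityContext": {"fsGroup": 5555},
                    "containers": [{"name": "app", "image": "example/app"}]}


def apply_patch(scc, patch):
    """Simplified merge patch (assumption): nested dicts are merged one level deep,
    mimicking what `oc patch -p '{...}'` does for the fsGroup stanza."""
    merged = json.loads(json.dumps(scc))  # deep copy so the input is untouched
    for key, value in patch.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key].update(value)
        else:
            merged[key] = value
    return merged


def range_start(annotation_value):
    """'1000010000/10000' -> 1000010000 (first GID of the project's range)."""
    start, _size = annotation_value.split("/")
    return int(start)


def effective_fsgroup(pod_spec, scc, ns_annotations):
    """Return the fsGroup the pod will run with, or None if nothing sets one.

    Order modelled here (assumption): an explicit value on the pod wins; otherwise a
    MustRunAs strategy auto-populates from the SCC ranges or, failing that, from the
    namespace annotation; RunAsAny leaves the field empty.
    """
    explicit = pod_spec.get("securityContext", {}).get("fsGroup")
    if explicit is not None:
        return explicit
    strategy = scc.get("fsGroup", {}).get("type", "RunAsAny")
    if strategy == "MustRunAs":
        ranges = scc["fsGroup"].get("ranges")
        if ranges:
            return ranges[0]["min"]
        return range_start(ns_annotations["openshift.io/sa.scc.supplemental-groups"])
    return None


def volume_ownership_will_be_set(pod_spec, scc, ns_annotations):
    """True when the kubelet has an fsGroup to apply to the mounted volume,
    i.e. when the pod will be able to write to it without manual chown/chmod."""
    return effective_fsgroup(pod_spec, scc, ns_annotations) is not None


if __name__ == "__main__":
    patched = apply_patch(RESTRICTED_SCC_RUNASANY, PATCH_FROM_COMMENT)
    for label, scc in (("RunAsAny (3.1 default)", RESTRICTED_SCC_RUNASANY),
                       ("MustRunAs (after patch)", patched)):
        for pod_label, pod in (("pod without fsGroup", POD_NO_FSGROUP),
                               ("pod with fsGroup", POD_WITH_FSGROUP)):
            print(f"{label:24} {pod_label:20} fsGroup={effective_fsgroup(pod, scc, NAMESPACE_ANNOTATIONS)}"
                  f" writable={volume_ownership_will_be_set(pod, scc, NAMESPACE_ANNOTATIONS)}")
```

The combination that reproduces the bug is the first row: restricted SCC still at RunAsAny and a DC that does not set fsGroup, so nothing owns the volume for the container's supplemental group. Either of the two remedies in the thread flips the result.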
Closing since this is the expected behavior of 3.1