Red Hat Bugzilla – Bug 1393568
Using nfs as a direct volume for the docker-registry yields error about nfs is not allowed
Last modified: 2017-03-08 13:43 EST
Description of problem:
Using the second command in our documentation [0] about adding storage to the docker-registry directly attaches an nfs share to the DC/pod. This kicks off a new deployment of the registry pod which then fails with the following error message:

Error creating: pods "docker-registry-#-" is forbidden: unable to validate against any security context constraint: [spec.containers[0].securityContext.volumes[0]: Invalid value: "nfs": nfs volumes are not allowed to be used]

[0] https://docs.openshift.com/container-platform/3.3/install_config/registry/deploy_registry_existing_clusters.html#registry-production-use

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
1. Deploy a docker-registry
2. Run the command [1] to attach the nfs share
3. Let the deployer pod run

[1] oc volume deploymentconfigs/docker-registry \
      --add --overwrite --name=registry-storage --mount-path=/registry \
      --source='{"nfs": { "server": "<fqdn>", "path": "/path/to/export"}}'

Actual results:
pod fails to deploy, claiming nfs are not allowed to be used

Expected results:
Attach the nfs share to the pod

Additional info:
Creating a PV/PVC out of the same NFS share appears to work fine.
Citing the bug description:

  Additional info: Creating a PV/PVC out of the same NFS share appears to work fine.

So there is a workaround:
1. create an NFS PV and PVC.
2. attach the PVC to the registry.

Therefore, I'm lowering priority.
IMHO, this bug shouldn't be a blocker for OSE 3.4 release because:
- It's reported by a customer for OSE 3.3.
- It's not a regression bug.
- From the error message it seems like a configuration issue.
- As mentioned by Eric Jones a workaround exists.
The error message says:

"[spec.containers[0].securityContext.volumes[0]: Invalid value: "nfs": nfs volumes are not allowed to be used]"

That's why I would like to know if NFS is enabled in the master configuration file. Probably, the master configuration file might have changed after the OSE 3.2 -> 3.3 upgrade.

IMHO, it can be a similar configuration problem to the one described in this issue: https://github.com/openshift/origin/issues/11473

That's why I would like to know what SCCs are configured, and whether there was an SCC created to be used by the docker-registry.
This is a docs bug, as the registry by default is assigned to SCC restricted which does not allow direct mounting of NFS volumes.

https://docs.openshift.com/enterprise/3.2/release_notes/ose_3_2_release_notes.html#ose-32-security

To fix this add the SA for the registry to a SCC that can mount the NFS.

Example:
# oc adm policy add-scc-to-user hostmount-anyuid system:serviceaccount:default:registry
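Added example (not part of the bug thread and not OpenShift's own code): a simplified Python model of the SCC volume check discussed above, showing why the direct nfs volume is rejected under restricted while the PVC workaround is admitted without granting a broader SCC. The SCC JSON is a constructed sample whose volume lists are assumed to match the OpenShift 3.x defaults; only the volumes field is modelled, and the NFS server and claim name are placeholders.

```python
import json

# Constructed sample shaped like `oc get scc -o json`, trimmed to the fields
# used here. The volume lists are assumed to match the OpenShift 3.x defaults.
SCC_JSON = """
{"items": [
  {"metadata": {"name": "restricted"},
   "volumes": ["configMap", "downwardAPI", "emptyDir",
               "persistentVolumeClaim", "secret"]},
  {"metadata": {"name": "hostmount-anyuid"},
   "volumes": ["configMap", "downwardAPI", "emptyDir", "hostPath", "nfs",
               "persistentVolumeClaim", "secret"]},
  {"metadata": {"name": "privileged"}, "volumes": ["*"]}
]}
"""

def volume_types(pod_spec):
    """Return the volume source type of each entry in spec.volumes."""
    types = []
    for vol in pod_spec.get("volumes", []):
        sources = [k for k in vol if k != "name"]
        if len(sources) != 1:
            raise ValueError("volume %r needs exactly one source" % vol.get("name"))
        types.append(sources[0])
    return types

def rejected_volumes(pod_spec, scc):
    """Volume types in the pod spec that this SCC does not allow."""
    allowed = set(scc.get("volumes") or [])
    if "*" in allowed:  # wildcard admits every volume type
        return []
    return [t for t in volume_types(pod_spec) if t not in allowed]

def admitting_sccs(pod_spec, sccs):
    """Names of SCCs whose volume list admits every volume in the pod spec."""
    return [s["metadata"]["name"] for s in sccs if not rejected_volumes(pod_spec, s)]

SCCS = json.loads(SCC_JSON)["items"]

# Registry pod volumes after the direct NFS mount from the bug description.
direct_nfs = {"volumes": [{"name": "registry-storage",
    "nfs": {"server": "nfs.example.com", "path": "/path/to/export"}}]}
# Same storage reached through a claim (claim name is a placeholder).
via_pvc = {"volumes": [{"name": "registry-storage",
    "persistentVolumeClaim": {"claimName": "registry-claim"}}]}

if __name__ == "__main__":
    for label, spec in (("direct nfs", direct_nfs), ("pvc", via_pvc)):
        print(label, "->", admitting_sccs(spec, SCCS))
```

Replacing SCC_JSON with the real output of `oc get scc -o json` from a cluster runs the same check against the SCCs actually configured there.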
Created pull request: https://github.com/openshift/openshift-docs/pull/3233
The pull request was merged.
Verified that the doc using NFS as direct mount for docker registry is removed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:0066