OCP / image registry M/M
openshift v3.6.49
kubernetes v1.5.2+43a9be4
etcd 3.1.0

Description of problem:
When the registry is created with the fs-group option, 'oadm registry --fs-group=xx', the registry pod deployment stays pending in Running.. status for a long time and finally ends in error. After investigating with dev, the root cause is: adding "- system:serviceaccount:default:deployer" to scc/hostnetwork->users makes the problem disappear, so we need an improvement to the SCC documents about this issue, thanks.

How reproducible:
Always

Steps to Reproduce:
1. Create the registry with a specific fs-group id from the command line: 'oadm registry --fs-group=xx'
2. The registry pod deployment stays pending in Running.. status for a long time and finally ends in error
3. Add "- system:serviceaccount:default:deployer" to scc/hostnetwork->users
4. Rerun the command line 'oadm registry --fs-group=xx'; the problem disappears

Actual results:
There is no doc about this tip for customers setting the fs-group option

Expected results:
There is a doc about this tip for customers setting the fs-group option
Oleg, another one, probably just some doc updates to: https://docs.openshift.org/latest/install_config/registry/deploy_registry_existing_clusters.html though I'm a little confused as to why setting an fsgroup would require "scc/hostnetwork", so it's probably worth validating this behavior and talking to the storage/security folks.
The integrated registry runs in the default namespace and has restrictions from SCC. By default the registry gets the restricted SCC, and it restricts fsgroups based on the namespace annotation:

  $ oc get ns default -o go-template='{{index .metadata.annotations "openshift.io/sa.scc.supplemental-groups"}}{{"\n"}}'
  1000000000/10000

So, if you want to use --fs-group, you should select the ID from the range: 1000000000 <= id < 1000000000+10000. For example:

  oc adm registry --fs-group=1000000000

But you should be aware that on different clusters you may have different ranges in the annotations. So a value that works on one cluster may not work on another cluster. ge liu, can you confirm that selecting a proper value helps?
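The range check described in the comment above, as an added POSIX sh example (not code from the bug report or from OpenShift): it parses the start/size value of the openshift.io/sa.scc.supplemental-groups annotation and tells you whether a candidate --fs-group id falls inside the allowed range before you run 'oc adm registry'. The range "1000000000/10000" used below is a constructed sample matching the comment; the function and helper names are this example's own, and cluster_range assumes a working oc login with permission to read the namespace.

```shell
#!/bin/sh
# check_fs_group RANGE ID
#   RANGE is the annotation value in the form start/size,
#   ID is the candidate --fs-group value.
# Returns 0 when start <= ID < start+size, 1 when ID is outside,
# 2 when the inputs are not well-formed.
check_fs_group() {
  range="$1"
  id="$2"
  case "$range" in
    */*) ;;
    *) echo "bad range '$range': expected start/size" >&2; return 2 ;;
  esac
  start="${range%%/*}"
  size="${range#*/}"
  for n in "$start" "$size" "$id"; do
    case "$n" in
      ''|*[!0-9]*) echo "non-numeric value '$n'" >&2; return 2 ;;
    esac
  done
  end=$((start + size))
  [ "$id" -ge "$start" ] && [ "$id" -lt "$end" ]
}

# cluster_range [NAMESPACE]
#   Reads the live annotation with the same oc command quoted in the
#   comment above (assumes oc is installed and logged in). Not called
#   here so the example runs offline.
cluster_range() {
  oc get ns "${1:-default}" \
    -o go-template='{{index .metadata.annotations "openshift.io/sa.scc.supplemental-groups"}}{{"\n"}}'
}

# Constructed sample range, identical to the one shown in the comment.
sample_range="1000000000/10000"
for candidate in 1000000000 1000009999 1000020000 1000030000; do
  if check_fs_group "$sample_range" "$candidate"; then
    echo "$candidate: inside $sample_range, usable with --fs-group"
  else
    echo "$candidate: outside $sample_range, the restricted SCC will reject the pod"
  fi
done
```

On a real cluster replace the sample with `check_fs_group "$(cluster_range default)" "$id"`; the ids 1000020000 and 1000030000 from the reporter's comment are the ones this check flags as outside the 1000000000/10000 range.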
Oleg Bulatov, I remember that I used 1000020000 or 1000030000, and it seems that there is no note in the docs about this limitation, right?
https://docs.openshift.com/enterprise/3.1/install_config/persistent_storage/pod_security_context.html#sccs-defaults-allowed-ranges
https://github.com/openshift/openshift-docs/pull/8804
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:1801