Bug 1537872 - Azure need set virt_use_samba
Summary: Azure need set virt_use_samba
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.9.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 3.9.0
Assignee: Kenny Woodson
QA Contact: Wenqi He
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-01-24 03:10 UTC by Wenqi He
Modified: 2018-06-27 18:01 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
To enable support for storage devices on Azure the seboolean virt_use_samba is required.
Clone Of:
Environment:
Last Closed: 2018-06-27 18:01:30 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1536362 0 high CLOSED Fail to mount azure file 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHSA-2018:2013 0 None None None 2018-06-27 18:01:53 UTC

Internal Links: 1536362

Description Wenqi He 2018-01-24 03:10:29 UTC
Description of problem:
To test and use azure file storage, need to install samba-client, samba-common, and cifs-utils on all nodes by default and enable the SELinux booleans
$ /usr/sbin/setsebool -P virt_use_samba on


Version-Release number of the following components:
rpm -q openshift-ansible
openshift-ansible-3.9.0-0.22.0.git.0.0e9d896.el7.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install OCP on Azure
2.
3.

Actual results:
No packages of samba-client, samba-common, and cifs-utils installed by default

Expected results:
Install these packages by default and enable the SELinux booleans
$ /usr/sbin/setsebool -P virt_use_samba on

Official doc is here: https://docs.openshift.com/container-platform/latest/install_config/persistent_storage/persistent_storage_azure_file.html


Additional info:

Comment 1 Scott Dodson 2018-01-24 18:37:36 UTC
Possible dupe or at least related to https://bugzilla.redhat.com/show_bug.cgi?id=1536362

Huamin, can you help us figure out the right fix for this and your bug? Are they dupes? Do we need to add all these additional packages as dependencies?

Comment 2 hchen 2018-01-29 18:55:51 UTC
Hi Scott, 
Yes, we need cifs-utils but we don't need samba-common or samba-client to turn on samba selinux. 

The openshift doc [1] appears to come from Azure file Linux requirement [2]. It is a general requirement for Linux hosts that use either samba or mount.cifs to mount cifs share. But on openshift/kubernetes, we don't use samba command at all. We don't need these packages.

1. https://github.com/openshift/openshift-docs/blame/master/install_config/persistent_storage/persistent_storage_azure_file.adoc
2. https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-linux

Comment 3 Wenqi He 2018-02-06 09:49:21 UTC
I tried with below version:
openshift v3.9.0-0.36.0
kubernetes v1.9.1+a0ce1bc657

I think we need at least to enable the SELinux booleans of virt_use_samba, otherwise, azure file cannot be used. Please see bug #1536362#c9

Comment 4 Kenny Woodson 2018-02-22 14:41:59 UTC
Suggested fix: https://github.com/openshift/openshift-ansible/pull/7246

Comment 5 Wenqi He 2018-02-28 07:32:19 UTC
Tested with below version:
openshift-ansible-3.9.1-1.git.0.9862628.el7.noarch.rpm

$oc version
openshift v3.9.1
kubernetes v1.9.1+a0ce1bc657

Now the virt_use_samba is on by default:
# getsebool -a | grep virt_use_samba
virt_use_samba --> on
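
Added example, not part of the bug report or of openshift-ansible: `getsebool`, as used in comment 5, reports only the running value, while the `-P` in the `setsebool -P` command from the description is what makes the setting survive a reboot. The script parses `semanage boolean -l` output (a constructed sample is embedded) to tell the two apart; the function names are illustrative, and `check_node` also checks for cifs-utils, the package comment 2 says is needed.

```shell
#!/bin/sh
# Added example: not part of the bug report or of openshift-ansible.

# Constructed sample of `semanage boolean -l` output. The first value in the
# parentheses is the running state, the second the persistent default.
SAMPLE='SELinux boolean                State  Default Description

virt_use_nfs                   (on   ,   on)  Allow virt to use nfs
virt_use_samba                 (on   ,  off)  Allow virt to use samba'

# sebool_state NAME: read `semanage boolean -l` text on stdin and print
# "<running> <persistent>" for NAME, or "missing missing" if it is absent.
sebool_state() {
    awk -v name="$1" '
        $1 == name {
            line = $0
            sub(/^[^(]*\(/, "", line)   # drop the name and the opening paren
            sub(/\).*$/, "", line)      # drop the closing paren and description
            gsub(/[ \t]/, "", line)     # leaves a pair such as on,off
            split(line, v, ",")
            print v[1], v[2]
            found = 1
        }
        END { if (!found) print "missing missing" }'
}

# classify_sebool NAME: same stdin as sebool_state, prints one verdict word.
classify_sebool() {
    state=$(sebool_state "$1")
    case "$state" in
        "on on")   echo ok ;;
        "on off")  echo runtime-only ;;      # set without -P: lost on reboot
        "off on")  echo off-until-reboot ;;  # persistent on, running value off
        "off off") echo off ;;
        *)         echo unknown ;;
    esac
}

# check_node: live check on a node (needs rpm and semanage; run as root).
check_node() {
    rpm -q cifs-utils >/dev/null 2>&1 || { echo "cifs-utils: not installed"; return 1; }
    verdict=$(semanage boolean -l | classify_sebool virt_use_samba)
    echo "virt_use_samba: $verdict"
    [ "$verdict" = ok ]
}

# Demonstration on the constructed sample (prints "runtime-only").
printf '%s\n' "$SAMPLE" | classify_sebool virt_use_samba
```

On a node, call `check_node` instead of the sample line; it returns non-zero unless cifs-utils is installed and the boolean is on both at runtime and persistently.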

Comment 6 Shanna Chan 2018-04-25 23:59:49 UTC
I have a problem testing with 3.9.14 on Azure using Azure file
1. $getsebool -a |grep virt_use_samb
   virt_use_samba --> on
2. pv
apiVersion: "v1"
kind: "PersistentVolume"
metadata:
  name: "pv0001" 
spec:
  capacity:
    storage: "1Gi" 
  accessModes:
    - "ReadWriteMany"
  azureFile: 
    secretName: azure-secret 
    shareName: ocptestfile
    readOnly: false 
  mountOptions:
    - uid=1000150000
    - dir_mode=0777
    - file_mode=0777 
3. what container is running, I am still getting permission denied.
h-4.2$ ls -lZ
-rw-rw-r--. default    root       system_u:object_r:container_file_t:s0:c9,c12 README.md
drwxrwxr-x. default    root       system_u:object_r:container_file_t:s0:c9,c12 css
drwxrwxr-x. default    root       system_u:object_r:container_file_t:s0:c9,c12 includes
-rw-rw-r--. default    root       system_u:object_r:container_file_t:s0:c9,c12 index.php
-rw-rw-r--. default    root       system_u:object_r:container_file_t:s0:c9,c12 info.php
-rw-rw-r--. default    root       system_u:object_r:container_file_t:s0:c9,c12 listfiles.php
-rw-rw-r--. default    root       system_u:object_r:container_file_t:s0:c9,c12 upload.php
drwxrwxrwx. 1000150000 1000150000 system_u:object_r:cifs_t:s0      uploaded
sh-4.2$ cd upload
upload.php  uploaded/
sh-4.2$ cd upload
upload.php  uploaded/
sh-4.2$ cd uploaded
sh-4.2$ ls
ls: cannot open directory .: Permission denied
sh-4.2$

Comment 7 Wenqi He 2018-04-26 02:37:48 UTC
(In reply to Shanna Chan from comment #6)
> I have a problem testing with 3.9.14 on Azure using Azure file

What's your id in your project?
$ id 

The project has a user id range, you need to adjust it and set it accordingly.
I suggest you just remove the "- uid=1000150000" in the pv mountOptions, and then try again.

Comment 9 errata-xmlrpc 2018-06-27 18:01:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2013

