Bug 1679273 - CephFS is creating exportable directories with 755 permission and causes containers not able to write on them using Manila
Summary: CephFS is creating exportable directories with 755 permission and causes cont...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-manila
Version: 14.0 (Rocky)
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: z1
: 14.0 (Rocky)
Assignee: Tom Barron
QA Contact: Jason Grosso
mmurray
URL:
Whiteboard:
Depends On: 1643167 1644421
Blocks: 1571739
TreeView+ depends on / blocked
 
Reported: 2019-02-20 19:01 UTC by Tom Barron
Modified: 2019-03-18 13:04 UTC (History)
14 users (show)

Fixed In Version: openstack-manila-7.1.0-1.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1643167
Environment:
Last Closed: 2019-03-18 13:04:12 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github https://github.com/ceph ceph pull 24839 0 None None None 2019-02-20 19:03:08 UTC
OpenStack gerrit 614332 0 None None None 2019-02-20 19:05:16 UTC
OpenStack gerrit 633904 0 None None None 2019-02-20 19:05:59 UTC
Red Hat Bugzilla 1644421 0 medium CLOSED CephFS is creating exportable directories with 755 permission and causes containers not able to write on them using Mani... 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHBA-2019:0591 0 None None None 2019-03-18 13:04:18 UTC

Description Tom Barron 2019-02-20 19:01:55 UTC 
+++ This bug was initially created as a clone of Bug #1643167 +++

Description of problem:

Using manila-provisioner in OpenShift creates a manila share on OpenStack. When is mounted on the POD:

172.20.2.21:/volumes/_nogroup/0840a9cc-8936-4b25-8a45-3ff92d7a5f55   2097152       0   2097152   0% /test-manila

The permissions are the following

sh-4.2$ ls -ld /test-manila/
drwxr-xr-x. 1 nobody nobody 0 Oct 25 15:34 /test-manila/

The user executing the pod is the following:
sh-4.2$ id
uid=1000180000 gid=0(root) groups=0(root),1000180000


Version-Release number of selected component (if applicable):
rhceph-3-rhel7:3-11


How reproducible:


Steps to Reproduce:
1. Create a PVC on Openshift
2. Wait till PV is created
3. Add volume for the pod in the deployment config 

Actual results:
Pod is not able to write in the NFS share due to 755

Expected results:
Able to write in the share, a 775 or 2775


Additional info:
Another option it would be create the directory with nfsnobody and run the containers following OCP instructions for NFS: 
https://docs.openshift.com/container-platform/3.11/install_config/persistent_storage/persistent_storage_nfs.html#nfs-user-ids

--- Additional comment from John Fulton on 2018-10-25 18:10:34 UTC ---

Tom, Do you think this falls under Manila or CephFS?

--- Additional comment from Tom Barron on 2018-10-26 02:40:11 UTC ---

(In reply to John Fulton from comment #1)
> Tom, Do you think this falls under Manila or CephFS?

John, I agree with the re-assignment.  Probably we need (1) a configuration option in manila to choose the mode and (2) a new BZ (in which case I'll create it) on ceph-volume library itself to actually implement the mode setting.  Currently the ceph-volume library hard-codes 0755 so we do need a change there too.  I can see in an abstract sense why the bug reporter would think Ceph-DFG would own this one but from a practical standpoint we will drive this from Manila since Manila is the only current OpenStack user of the ceph-volume library.

--- Additional comment from PnT Account Manager on 2018-11-28 22:29:45 UTC ---

Employee 'dschoenb' has left the company.
Comment 9 errata-xmlrpc 2019-03-18 13:04:12 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0591
Note You need to log in before you can comment on or make changes to this bug.