Description of problem:
Restic does not appear to respect the supplementalGroups of a namespace (https://docs.openshift.com/container-platform/3.11/install_config/persistent_storage/pod_security_context.html#supplemental-groups).
After changing permissions on the NFS side, the stage with copy can run successfully, but this should not be required, as the supplementalGroup is set on the NFS and the stage pod is respecting it.
Fails with the following error:
backup=openshift-migration/<backup_id> controller=pod-volume-backup error="fork/exec /usr/bin/restic: permission denied" error.file="/go/src/github.com/vmware-tanzu/velero/pkg/controller/pod_volume_backup_controller.go:280" error.function="github.com/vmware-tanzu/velero/pkg/controller.(*podVolumeBackupController).processBackup" logSource="pkg/controller/pod_volume_backup_controller.go:280" name=<backup_id> namespace=openshift-migration
*** Bug 1874215 has been marked as a duplicate of this bug. ***
I have submitted a PR which simply allows a user to provide a comma-separated list under the migrationcontroller resource:
And these GIDs will be added to each restic pod's supplementalGroups field under securityContext.
Andreas, would you please take a look at the attached PR and confirm this would solve the customer's use case? Please notice the context of the shell within the pod. I have tested this in my env but I'm unsure if it exactly mirrors the customer's use case with NFS. I believe it should.
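Added example (my own Python, not from this bug, the PR, or the MTC/velero code base): it parses a comma-separated GID list of the kind the PR describes into a pod securityContext.supplementalGroups entry, then resolves POSIX permissions the way the kernel would for a process running under that context, using sample entries modelled on the ls listings further down in this bug. The function names, the runAsUser default and the nfsnobody GID are assumptions.

```python
from typing import Dict, List, Set

# Constructed sample entries modelled on the `ls -larth` listings in this bug:
# (octal mode, owner uid, owner gid). nfsnobody = 65534 is an assumption.
PV1_ACCESS_LOG = (0o664, 333, 1000680001)
PV33_ACCESS_LOG = (0o664, 65534, 65534)

def parse_gid_list(raw: str) -> List[int]:
    """Turn "1000680001, 333,333" into sorted, de-duplicated GIDs; a non-numeric
    entry raises instead of silently dropping a group from the pod."""
    gids: Set[int] = set()
    for part in raw.split(","):
        part = part.strip()
        if not part:
            continue
        if not part.isdigit():
            raise ValueError(f"invalid gid {part!r}: expected a non-negative integer")
        gids.add(int(part))
    return sorted(gids)

def build_security_context(raw_gids: str, run_as_user: int = 1000680000) -> Dict:
    """Pod-level securityContext fragment as the restic pod would receive it."""
    return {"runAsUser": run_as_user, "supplementalGroups": parse_gid_list(raw_gids)}

def can_access(entry, ctx: Dict, perm: str) -> bool:
    """POSIX permission resolution for a process running under `ctx`: owner
    bits if the uid matches, group bits if any of runAsGroup/fsGroup/
    supplementalGroups owns the file, otherwise the "other" bits.
    perm is one of "r", "w", "x"."""
    mode, owner_uid, owner_gid = entry
    groups = set(ctx.get("supplementalGroups", []))
    groups.update(ctx[k] for k in ("runAsGroup", "fsGroup") if k in ctx)
    if ctx["runAsUser"] == owner_uid:
        shift = 6
    elif owner_gid in groups:
        shift = 3
    else:
        shift = 0
    return bool((mode >> shift) & {"r": 4, "w": 2, "x": 1}[perm])

if __name__ == "__main__":
    no_groups = build_security_context("")
    with_group = build_security_context("1000680001")
    print("pv1 write without supplementalGroups:", can_access(PV1_ACCESS_LOG, no_groups, "w"))
    print("pv1 write with gid 1000680001:", can_access(PV1_ACCESS_LOG, with_group, "w"))
    print("pv33 write (nfsnobody-owned):", can_access(PV33_ACCESS_LOG, with_group, "w"))
```

The pv33 case shows why re-owning files to nfsnobody on the NFS side "works": access then comes from the world-readable bits, not from group membership, so the original uid/gid information is gone.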
Verified in MTC 1.3
- name: MIG_CONTROLLER_REPO
- name: MIG_CONTROLLER_TAG
- name: MIG_UI_REPO
- name: MIG_UI_TAG
- name: MIGRATION_REGISTRY_REPO
- name: MIGRATION_REGISTRY_TAG
- name: VELERO_REPO
- name: VELERO_TAG
I would like to stress that even if the migration works after the warning, we need to be aware that the user and group are lost in the migrated files. My application had no problem with this, but there could be applications that can have problems because of this.
# ls -larth pv1
drwxrwxrwx. 52 root root 4.0K Sep 17 13:43 ..
drwxrwxrwx. 2 333 1000680001 41 Sep 17 14:17 .
-rw-rw-r--. 1 333 1000680001 1.7K Sep 17 14:20 error.log
-rw-rw-r--. 1 333 1000680001 831 Sep 17 15:31 access.log
# ls -larth pv33
-rw-rw-r--. 1 nfsnobody nfsnobody 1.7K Sep 17 14:20 error.log
-rw-rw-r--. 1 nfsnobody nfsnobody 831 Sep 17 15:31 access.log
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (Migration Toolkit for Containers (MTC) Tool image release advisory 1.3.0), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.