In the recent OCP 4.6 nightly build, we are unable to deploy one of our Elasticsearch community images. It is working fine on 4.6.0-0.nightly-2020-09-21-030155 but failing on 4.6.0-0.nightly-2020-10-03-051134 and also on OCP 4.6.0-rc.4. In our case it is Elasticsearch. I believe this issue will be applicable to some other images too.

Issue (in the container log):

    chroot: cannot change root directory to /: Operation not permitted

Steps to reproduce:

    oc create -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/test/elasticsearch.yml -n default

Is there any change in the recent OCP 4.6 nightly builds? Is there any workaround to fix this issue?
We recently dropped the Linux capability SYS_CHROOT by default (whereas before we were giving it to all pods). I am preparing a PR to add that capability (after I test that my change is indeed the required one).
fixed in attached PR
(In reply to Peter Hunt from comment #2)
> fixed in attached PR

Thanks, Peter! The fix works as expected and thank you for the PR.

Quick note for easy reference, if someone is looking into this issue:

    spec:
      containers:
      - securityContext:       # set per container, under each entry of spec.containers
          capabilities:
            add: ["SYS_CHROOT"]
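As an added example (not part of the original bug report or the attached PR), the following script decodes the capability masks in /proc/<pid>/status to confirm whether a container process actually holds CAP_SYS_CHROOT before and after applying the workaround. The two sample masks are constructed for illustration and are not the runtime's real default set; the helper names are hypothetical.

```python
import re

# Capability names indexed by bit number, as defined in linux/capability.h.
CAP_NAMES = """CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK
IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT
SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL
SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON
BPF CHECKPOINT_RESTORE""".split()

def parse_status_caps(status_text):
    """Return {'CapInh': int, 'CapPrm': int, ...} parsed from /proc/<pid>/status."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)$", status_text, re.M)}

def decode(mask):
    """Translate a capability bitmask into a list of capability names."""
    names = [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]
    extra = mask >> len(CAP_NAMES)
    if extra:  # bits newer than this table knows about
        names.append("UNKNOWN(0x%x)" % (extra << len(CAP_NAMES)))
    return names

def chroot_diagnosis(status_text):
    """Return (in_effective_set, in_bounding_set) for CAP_SYS_CHROOT.

    Not effective but in the bounding set: the process could still gain it.
    Absent from the bounding set: chroot() fails with EPERM even for uid 0,
    which matches the "Operation not permitted" line in the container log.
    """
    caps = parse_status_caps(status_text)
    bit = 1 << CAP_NAMES.index("SYS_CHROOT")
    return bool(caps.get("CapEff", 0) & bit), bool(caps.get("CapBnd", 0) & bit)

def sample_status(mask):
    """Build constructed /proc status text carrying the given mask in every set."""
    fields = ("CapInh", "CapPrm", "CapEff", "CapBnd")
    return "Name:\tjava\n" + "".join("%s:\t%016x\n" % (f, mask) for f in fields)

# Constructed masks: identical except for bit 18 (SYS_CHROOT).
WITHOUT_CHROOT = sample_status(0x5FB)
WITH_CHROOT = sample_status(0x405FB)

if __name__ == "__main__":
    # Inside the container, e.g. via `oc rsh`, inspect the current process.
    with open("/proc/self/status") as fh:
        text = fh.read()
    print("effective:", decode(parse_status_caps(text)["CapEff"]))
    print("SYS_CHROOT (effective, bounding):", chroot_diagnosis(text))
```
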
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:5633