Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1984781

Summary: nginx pod CrashLoopBackOff for Helm-based Operators
Product: OpenShift Container Platform Reporter: Cuiping HUO <chuo>
Component: DocumentationAssignee: Alex Dellapenta <adellape>
Status: CLOSED CURRENTRELEASE QA Contact: Cuiping HUO <chuo>
Severity: high Docs Contact:
Priority: high    
Version: 4.8CC: adellape, aos-bugs, jesusr, jfan
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-01-12 20:24:21 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Cuiping HUO 2021-07-22 08:35:00 UTC 
Description of problem:
After creating a Helm-based Operator following https://sdk.operatorframework.io/docs/building-operators/helm/quickstart/, the nginx pod is always CrashLoopBackOff with Permission denied issue.

Version-Release number of selected component (if applicable):
$ operator-sdk version
operator-sdk version: "v1.8.0-ocp", commit: "016423f32c9757a10dc7a9e953818bc20ae3eba4", kubernetes version: "v1.20.2", go version: "go1.16.5", GOOS: "linux", GOARCH: "amd64"

cluster version: 4.8.0-0.nightly-2021-07-21-150743

How reproducible:
Always

Steps to Reproduce:
Follow https://sdk.operatorframework.io/docs/building-operators/helm/quickstart/ documentation
1.mkdir nginx-operator
cd nginx-operator
operator-sdk init --domain example.com --plugins helm
2.operator-sdk create api --group demo --version v1alpha1 --kind Nginx
3.make docker-build docker-push IMG=quay.io/cuipinghuo/nginx-operator-bundle:v0.0.2
4.make deploy IMG="quay.io/cuipinghuo/nginx-operator-bundle:v0.0.2"
5.oc apply -f config/samples/demo_v1alpha1_nginx.yaml
6. check nginx pod status

Actual results:
The nginx pod is CrashLoopBackOff

Expected results:
The nginx pod should be running

Additional info:
# oc get all -l "app.kubernetes.io/instance=nginx-sample"
NAME                                READY   STATUS             RESTARTS   AGE
pod/nginx-sample-7b99f754b9-qbmxv   0/1     CrashLoopBackOff   6          9m3s

NAME                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
service/nginx-sample   ClusterIP   172.30.229.135   <none>        80/TCP    11m

NAME                           READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/nginx-sample   0/1     1            0           11m

NAME                                      DESIRED   CURRENT   READY   AGE
replicaset.apps/nginx-sample-7b99f754b9   1         1         0       9m3s


# oc logs -f nginx-sample-7b99f754b9-qbmxv 
2021/07/22 08:25:18 [warn] 1#1: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
2021/07/22 08:25:18 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
Comment 1 Venkat Ramaraju 2021-07-26 21:07:08 UTC 
Hi,

Which helm image are you pulling in your Dockerfile? Since the 4.8 image hasn't officially released yet, I used quay.io/openshift/origin-helm-operator:4.8 in the Dockerfile.
With that, I'm not able to reproduce your error. 

$ oc get all -l "app.kubernetes.io/instance=nginx-sample"
NAME                                READY   STATUS    RESTARTS   AGE
pod/nginx-sample-7d765fb9cf-v5qk7   1/1     Running   0          85s

NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
service/nginx-sample   ClusterIP   172.30.202.72   <none>        80/TCP    86s

NAME                           READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/nginx-sample   1/1     1            1           86s

NAME                                      DESIRED   CURRENT   READY   AGE
replicaset.apps/nginx-sample-7d765fb9cf   1         1         1       86s


However, reading the logs you provided, the error seems to be related to permissions. Have you made any permission changes to the Dockerfile or the /etc/nginx/nginx.conf file?
Comment 2 Cuiping HUO 2021-07-27 06:24:08 UTC 
Hello Venkat,
We use registry-proxy.engineering.redhat.com/rh-osbs/openshift-ose-helm-operator:v4.8 for testing before GA.
I also use quay.io/openshift/origin-helm-operator:4.8 to retest this scenario. 
And this permission error still exsits.
I didn't not change other parts of the Dockerfile (except image) nor the /etc/nginx/nginx.conf file.

# cat Dockerfile
# Build the manager binary
#FROM registry.redhat.io/openshift4/ose-helm-operator:v4.8
FROM quay.io/openshift/origin-helm-operator:4.8
ENV HOME=/opt/helm
COPY watches.yaml ${HOME}/watches.yaml
COPY helm-charts  ${HOME}/helm-charts
WORKDIR ${HOME}
Comment 3 Cuiping HUO 2021-07-29 06:47:39 UTC 
https://access.redhat.com/solutions/3419001 has the similar issue and based on the solution mentioned in the link. 
add scc to nginx-sample's service account solve this problem.


# oc adm policy add-scc-to-user anyuid system:serviceaccount:nginx-operator-system:default
securitycontextconstraints.security.openshift.io/anyuid added to: ["system:serviceaccount:nginx-operator-system:default"]

# oc apply -f config/samples/demo_v1alpha1_nginx.yaml
nginx.demo.example.com/nginx-sample created

# oc get po
NAME                                                 READY   STATUS    RESTARTS   AGE
nginx-operator-controller-manager-67ccc6fd45-ttkn7   2/2     Running   0          106s
nginx-sample-7d765fb9cf-779m9                        1/1     Running   0          65s


# oc describe po nginx-sample-7d765fb9cf-779m9
Name:         nginx-sample-7d765fb9cf-779m9
Namespace:    nginx-operator-system
Priority:     0

Events:
  Type    Reason          Age    From                                                                Message
  ----    ------          ----   ----                                                                -------
  Normal  Scheduled       8m59s  default-scheduler                                                   Successfully assigned nginx-operator-system/nginx-sample-7d765fb9cf-779m9 to yangyang47-4-9x57k-worker-b-w9ksx.c.openshift-qe.internal
  Normal  AddedInterface  8m57s  multus                                                              Add eth0 [10.129.2.58/23] from openshift-sdn
  Normal  Pulled          8m57s  kubelet, yangyang47-4-9x57k-worker-b-w9ksx.c.openshift-qe.internal  Container image "nginx:1.16.0" already present on machine
  Normal  Created         8m57s  kubelet, yangyang47-4-9x57k-worker-b-w9ksx.c.openshift-qe.internal  Created container nginx
  Normal  Started         8m57s  kubelet, yangyang47-4-9x57k-worker-b-w9ksx.c.openshift-qe.internal  Started container nginx
Comment 4 Venkat Ramaraju 2021-07-29 15:01:09 UTC 
Can this be closed now?
Comment 8 Alex Dellapenta 2021-08-06 21:25:07 UTC 
I've discussed with Jesus and am taking this BZ and changing it to the Documentation component. Moving to ON_QA for the following docs PR:

https://github.com/openshift/openshift-docs/pull/35034
Comment 11 Alex Dellapenta 2022-01-12 20:24:21 UTC 
Published:

https://docs.openshift.com/container-platform/4.8/operators/operator_sdk/helm/osdk-helm-quickstart.html#osdk-quickstart_osdk-helm-quickstart

https://docs.openshift.com/container-platform/4.8/operators/operator_sdk/helm/osdk-helm-tutorial.html#osdk-create-cr_osdk-helm-tutorial