Bug 855763 - /sandbox is not root owned for an old existing application
Product: OpenShift Origin
Classification: Red Hat
Component: Containers
medium Severity medium
Assigned To: Rob Millner
libra bugs
Reported: 2012-09-10 04:24 EDT by Jianwei Hou
Modified: 2015-05-14 18:59 EDT
Doc Type: Bug Fix
Last Closed: 2012-09-17 17:29:57 EDT
Type: Bug
Description Jianwei Hou 2012-09-10 04:24:41 EDT
Description of problem:
For an old existing application, after server upgrade and migrate, /sandbox is still not root owned.

Version-Release number of selected component (if applicable):
on INT, devenv

How reproducible:

Steps to Reproduce:
1. Launch an old instance and create applications that cover all cartridges
2. Do server upgrade and migrate
3. ssh into old applications, ls -Zd /sandbox/
4. Create new applications and then repeat step 3
Actual results:
For old existing apps (all cartridges, including zend-5.6), /sandbox is not root owned.
[zend1-jhouup.dev.rhcloud.com ~]> ls -Zd /sandbox/
drwxrwxrwt. b642327973a74b23ab395daf80450cb6 root system_u:object_r:libra_tmp_t:s0:c0,c531 /sandbox/

For newly created zend-5.6 app, /sandbox is root owned
[zend3-jhouup.dev.rhcloud.com ~]> ls -Zd /sandbox/
drwxr-xr-x. root root system_u:object_r:libra_tmp_t:s0:c0,c537 /sandbox/

For newly created other cartridges, /sandbox is root owned, but user has access to it
[phpapp-jhouup.dev.rhcloud.com ~]> ls -Zd /sandbox/
drwxrwxrwt. root root system_u:object_r:libra_tmp_t:s0:c0,c535 /sandbox/

Expected results:
/sandbox should be root owned, and the permissions should be like:
drwxr-xr-t. root root unconfined_u:object_r:libra_tmp_t:s0:c0,c1001 /sandbox/

Additional info:
Launched new devenv build, and this problem is not reproduced. It is reproduced when upgrading from an older instance.
This problem exists for all cartridges. Need upgrade and migration to resolve.
Comment 1 Rob Millner 2012-09-11 14:36:45 EDT
Release ticket updated with migration steps in comment #5.
Comment 2 Jianwei Hou 2012-09-13 01:26:57 EDT
Verified this with workaround script

After upgrade, run:
grep ':libra guest:' /etc/passwd | \
    cut -f 1 -d : | \
    while read dn; do \
        t="/var/lib/stickshift/${dn}/.sandbox/${dn}"; \
        mkdir -p "$t"; \
        chown root:root "$t"; \
        chmod 1755 "$t"; \
    done
to fix /sandbox ownership and migrate
Then check applications of all cartridges, now /sandbox is root owned.

[ruby19-234u.dev.rhcloud.com ~]> ls -Zd /sandbox/
drwxr-xr-t. root root system_u:object_r:libra_tmp_t:s0:c0,c509 /sandbox/
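
A node-wide check that the workaround took effect, without logging in to each application, as an added example that is not part of the original bug report. It assumes the "libra guest" GECOS marker and the <base>/<gear>/.sandbox/<gear> layout used by the workaround script above; the function name audit_sandboxes and its output labels are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the bug report): audit every gear's sandbox directory
# for the expected owner (root:root) and mode (1755, i.e. drwxr-xr-t).
# Assumptions: gears are the passwd entries whose GECOS field is "libra guest",
# and each sandbox lives at <base>/<gear>/.sandbox/<gear>, as in the workaround.
# Requires GNU stat (stat -c).
#
# Usage on a node: audit_sandboxes /etc/passwd /var/lib/stickshift

# audit_sandboxes PASSWD_FILE BASE_DIR [UID:GID] [OCTAL_MODE]
# Prints one line per finding; returns 0 only if every gear passes.
audit_sandboxes() {
    local passwd_file=$1 base=$2 want_owner=${3:-0:0} want_mode=${4:-1755}
    local gear pw uid gid gecos rest dir owner mode rc=0
    while IFS=: read -r gear pw uid gid gecos rest; do
        [ "$gecos" = "libra guest" ] || continue
        dir="$base/$gear/.sandbox/$gear"
        # stat follows symlinks, so a symlinked sandbox is reported, not trusted.
        if [ -L "$dir" ] || [ ! -d "$dir" ]; then
            echo "NOTDIR $gear $dir (missing or a symlink)"
            rc=1
            continue
        fi
        owner=$(stat -c '%u:%g' "$dir")
        mode=$(stat -c '%a' "$dir")
        if [ "$owner" != "$want_owner" ]; then
            # Gear-owned sandbox: the gear user can chmod or replace it.
            echo "OWNER $gear $dir is $owner, want $want_owner"
            rc=1
        fi
        if [ "$mode" != "$want_mode" ]; then
            # e.g. 1777 (drwxrwxrwt) leaves the directory writable by the gear.
            echo "MODE $gear $dir is $mode, want $want_mode"
            rc=1
        fi
    done < "$passwd_file"
    return $rc
}
```

A non-zero return with OWNER or MODE lines identifies the gears that still need the workaround applied.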
