Bug 966766 - Certain cartridge files should default to being "locked"
Status: CLOSED CURRENTRELEASE
Product: OpenShift Online
Classification: Red Hat
Component: Image
Version: 2.x
Priority: medium
Severity: medium
Assigned To: Dan McPherson
Reported: 2013-05-23 18:05 EDT by Jhon Honce
Modified: 2015-05-14 20:33 EDT
Doc Type: Bug Fix
Last Closed: 2014-01-29 19:47:46 EST
Type: Bug
Attachments: None
Description Jhon Honce 2013-05-23 18:05:57 EDT
Description of problem:

These files should always be "locked":
* OPENSHIFT_<SHORT_NAME>_DIR
* OPENSHIFT_<SHORT_NAME>_IDENT
* metadata/manifest.yml
* metadata/managed_files.yml

Expected results:
Given files are not writeable by the application developer

Comment 1 Jhon Honce 2013-05-23 18:06:51 EDT
Fixed in https://github.com/openshift/origin-server/pull/2623
Comment 2 Xiaoli Tian 2013-05-28 01:29:46 EDT
Tested it on devenv_3277:

After creating any type of application, manifest.yml and managed_files.yml are root owned; only root has permission to write:

[rubyapp-domx1.dev.rhcloud.com metadata]> ls -lh
total 12K
-rw-r--r--. 1 root 51a43b995696d0070d000021  792 May 28 01:07 jenkins_shell_command
-rw-r--r--. 1 root 51a43b995696d0070d000021  160 May 26 12:37 managed_files.yml
-rw-r--r--. 1 root 51a43b995696d0070d000021 3.1K May 26 12:37 manifest.yml
[rubyapp-domx1.dev.rhcloud.com metadata]> echo "test" >>manifest.yml
bash: manifest.yml: Permission denied
[rubyapp-domx1.dev.rhcloud.com metadata]> echo "test" >>managed_files.yml
bash: managed_files.yml: Permission denied


But OPENSHIFT_<SHORT_NAME>_DIR and OPENSHIFT_<SHORT_NAME>_IDENT could still be writable by application developers:
[rubyapp-domx1.dev.rhcloud.com env]> ls -lh
total 16K
-rw-r--r--. 1 51a43b995696d0070d000021 51a43b995696d0070d000021 49 May 28 01:07 OPENSHIFT_RUBY_DIR
-rw-r--r--. 1 51a43b995696d0070d000021 51a43b995696d0070d000021 21 May 28 01:07 OPENSHIFT_RUBY_IDENT
-rw-r--r--. 1 root                     51a43b995696d0070d000021 56 May 28 01:07 OPENSHIFT_RUBY_LOG_DIR
-rw-r--r--. 1 51a43b995696d0070d000021 51a43b995696d0070d000021  4 May 28 01:07 OPENSHIFT_RUBY_VERSION

[rubyapp-domx1.dev.rhcloud.com env]> cat OPENSHIFT_RUBY_DIR
/var/lib/openshift/51a43b995696d0070d000021/ruby/

[rubyapp-domx1.dev.rhcloud.com env]> echo "/var/lib/openshift/51a43b995696d0070d000021" >> OPENSHIFT_RUBY_DIR

[rubyapp-domx1.dev.rhcloud.com env]> cat OPENSHIFT_RUBY_DIR
/var/lib/openshift/51a43b995696d0070d000021/ruby//var/lib/openshift/51a43b995696d0070d000021

[rubyapp-domx1.dev.rhcloud.com env]> cat OPENSHIFT_RUBY_IDENT
redhat:ruby:1.8:0.0.1
[rubyapp-domx1.dev.rhcloud.com env]> echo redhat > OPENSHIFT_RUBY_IDENT
[rubyapp-domx1.dev.rhcloud.com env]> cat OPENSHIFT_RUBY_IDENT
redhat

[rubyapp-domx1.dev.rhcloud.com env]> echo test >> OPENSHIFT_RUBY_LOG_DIR
bash: OPENSHIFT_RUBY_LOG_DIR: Permission denied
Comment 3 Xiaoli Tian 2013-05-28 02:25:18 EDT
After trying more, I find that OPENSHIFT_<SHORT_NAME>_DIR and OPENSHIFT_<SHORT_NAME>_IDENT are fixed in some of the cartridges (perl-5.10, zend-5.6, nodejs-0.6, php-5.3), but not fixed for the remaining cartridges.

The fixed and non-fixed results are listed below:

1) The fixed cartridges result:
perl-5.10
[perlapp1-domx1.dev.rhcloud.com env]> ls -lh
total 20K
-rw-r--r--. 1 root c8174368c74111e2afc522000aa64188  57 May 27 22:53 OPENSHIFT_PERL_DIR
-rw-r--r--. 1 root c8174368c74111e2afc522000aa64188  22 May 27 22:53 OPENSHIFT_PERL_IDENT
-rw-r--r--. 1 root c8174368c74111e2afc522000aa64188  64 May 27 22:53 OPENSHIFT_PERL_LOG_DIR
-rw-r--r--. 1 root c8174368c74111e2afc522000aa64188   5 May 26 12:36 OPENSHIFT_PERL_VERSION
-rw-r--r--. 1 root c8174368c74111e2afc522000aa64188 155 May 27 22:53 PERL5LIB

zend-5.6
[zendapp-domx1.dev.rhcloud.com 400163360719229891379200]> ls -lh zend/env/
total 28K
-rw-r--r--. 1 root 400163360719229891379200 49 May 28 02:06 OPENSHIFT_ZEND_DIR
-rw-r--r--. 1 root 400163360719229891379200 21 May 28 02:06 OPENSHIFT_ZEND_IDENT
-rw-r--r--. 1 root 400163360719229891379200 56 May 28 02:06 OPENSHIFT_ZEND_LOG_DIR
-rw-r--r--. 1 root 400163360719229891379200  4 May 28 02:06 OPENSHIFT_ZEND_UID



nodejs-0.6

[nodejs-domx1.dev.rhcloud.com 51a449925696d0070d000024]> ls -lh nodejs/env/
total 16K
-rw-r--r--. 1 root 51a449925696d0070d000024 51 May 28 02:07 OPENSHIFT_NODEJS_DIR
-rw-r--r--. 1 root 51a449925696d0070d000024 23 May 28 02:07 OPENSHIFT_NODEJS_IDENT
-rw-r--r--. 1 root 51a449925696d0070d000024 58 May 28 02:07 OPENSHIFT_NODEJS_LOG_DIR

php-5.3

[phpapp-domx1.dev.rhcloud.com env]> ls -lh
total 20K
-rw-r--r--. 1 root 155534315137086200479744 48 May 28 01:33 OPENSHIFT_PHP_DIR
-rw-r--r--. 1 root 155534315137086200479744 20 May 28 01:33 OPENSHIFT_PHP_IDENT
-rw-r--r--. 1 root 155534315137086200479744 55 May 28 01:33 OPENSHIFT_PHP_LOG_DIR



2) The non-fixed results

2a) For ruby-1.9 and ruby-1.8, both OPENSHIFT_<SHORT_NAME>_DIR and OPENSHIFT_<SHORT_NAME>_IDENT could still be written by the application developer:
[ruby19app-domx1.dev.rhcloud.com env]> ls -lh
-rw-r--r--. 1 191225326926730578886656 191225326926730578886656  49 May 28 01:32 OPENSHIFT_RUBY_DIR
-rw-r--r--. 1 191225326926730578886656 191225326926730578886656  21 May 28 01:32 OPENSHIFT_RUBY_IDENT
-rw-r--r--. 1 root                     191225326926730578886656  56 May 28 01:32 OPENSHIFT_RUBY_LOG_DIR

2b) For python-2.6/2.7/3.3, jbossews-1.0/2.0, jbosseap-6.0 and jbossas-7,
OPENSHIFT_<SHORT_NAME>_DIR is not writable, but OPENSHIFT_<SHORT_NAME>_IDENT could still be writable:

python-2.6/2.7/3.3
[python26app-domx1.dev.rhcloud.com 51a441c55696d00867000020]> ls -lh python/env/
total 24K
-rw-r--r--. 1 root                     51a441c55696d00867000020 51 May 28 01:34 OPENSHIFT_PYTHON_DIR
-rw-r--r--. 1 51a441c55696d00867000020 51a441c55696d00867000020 23 May 28 01:34 OPENSHIFT_PYTHON_IDENT
-rw-r--r--. 1 root                     51a441c55696d00867000020 58 May 28 01:34 OPENSHIFT_PYTHON_LOG_DIR

jbossas-7
-rw-r--r--. 1 root                             dee555dcc75811e28bc422000aa64188 60 May 28 01:38 OPENSHIFT_JBOSSAS_DIR
-rw-r--r--. 1 dee555dcc75811e28bc422000aa64188 dee555dcc75811e28bc422000aa64188 22 May 28 01:38 OPENSHIFT_JBOSSAS_IDENT


jbosseap/jbossews-2.0/1.0/
[jbosseapapp-domx1.dev.rhcloud.com 51a4480b5696d0070d000022]> ls -lh jbosseap/env/|grep DIR
-rw-r--r--. 1 root                     51a4480b5696d0070d000022 53 May 28 02:00 OPENSHIFT_JBOSSEAP_DIR
-rw-r--r--. 1 root                     51a4480b5696d0070d000022 59 May 28 02:00 OPENSHIFT_JBOSSEAP_LOG_DIR
[jbosseapapp-domx1.dev.rhcloud.com 51a4480b5696d0070d000022]> ls -lh jbosseap/env/|grep IDENT
-rw-r--r--. 1 51a4480b5696d0070d000022 51a4480b5696d0070d000022 25 May 28 02:00 OPENSHIFT_JBOSSEAP_IDENT
Comment 4 Jhon Honce 2013-05-28 17:18:28 EDT
Missed some manifest configurations 

Fixed in https://github.com/openshift/li/pull/1475
Fixed in https://github.com/openshift/origin-server/pull/2647
Comment 5 Meng Bo 2013-05-29 06:04:09 EDT
Checked on devenv_3282,

The managed_files.yml, manifest.yml and OPENSHIFT_<SHORT_NAME>_DIR files have the right permissions now, and cannot be modified by the application developer.

But OPENSHIFT_<SHORT_NAME>_IDENT is still owned by gear_user for some cartridges and can be modified by the application developer.

The following carts still have the problem:
all ruby, all python and all jboss cartridges.
[root@ip-10-154-145-32 openshift]# find .|grep IDENT|xargs ls -l|grep -v root
-rw-r--r--. 1 234228346353422664990720         234228346353422664990720         21 May 29 05:13 ./234228346353422664990720/ruby/env/OPENSHIFT_RUBY_IDENT
-rw-r--r--. 1 4e54eff8c84011e2a5ed22000a9a9120 4e54eff8c84011e2a5ed22000a9a9120 22 May 29 05:15 ./4e54eff8c84011e2a5ed22000a9a9120/jbossas/env/OPENSHIFT_JBOSSAS_IDENT
-rw-r--r--. 1 51a5c5bd5ec49a08dd00000f         51a5c5bd5ec49a08dd00000f         28 May 29 05:27 ./51a5c5bd5ec49a08dd00000f/python/env/OPENSHIFT_PYTHON_IDENT
-rw-r--r--. 1 51a5c5e95ec49a08dd000010         51a5c5e95ec49a08dd000010         23 May 29 05:10 ./51a5c5e95ec49a08dd000010/python/env/OPENSHIFT_PYTHON_IDENT
-rw-r--r--. 1 51a5c79c5ec49a08dd000013         51a5c79c5ec49a08dd000013         25 May 29 05:17 ./51a5c79c5ec49a08dd000013/jbossews/env/OPENSHIFT_JBOSSEWS_IDENT
-rw-r--r--. 1 6f3ed8f0c84011e2a5ed22000a9a9120 6f3ed8f0c84011e2a5ed22000a9a9120 25 May 29 05:16 ./6f3ed8f0c84011e2a5ed22000a9a9120/jbosseap/env/OPENSHIFT_JBOSSEAP_IDENT
-rw-r--r--. 1 721696331181160560328704         721696331181160560328704         25 May 29 05:18 ./721696331181160560328704/jbossews/env/OPENSHIFT_JBOSSEWS_IDENT
-rw-r--r--. 1 819209171581352628191232         819209171581352628191232         23 May 29 05:11 ./819209171581352628191232/python/env/OPENSHIFT_PYTHON_IDENT
-rw-r--r--. 1 d6d00cb0c83f11e2a5ed22000a9a9120 d6d00cb0c83f11e2a5ed22000a9a9120 21 May 29 05:12 ./d6d00cb0c83f11e2a5ed22000a9a9120/ruby/env/OPENSHIFT_RUBY_IDENT
Comment 6 Jhon Honce 2013-05-29 14:56:06 EDT
I understand the issue: the files cannot be modified, but they can be deleted and replaced. I have an email out to the selinux team to see if they have ideas. This is a design omission.
Comment 7 Jhon Honce 2013-06-24 20:29:58 EDT
The *IDENT files should now have the correct permissions.
Comment 8 Meng Bo 2013-06-25 22:48:58 EDT
Checked on devenv_3414; the result is the same as comment #5.

The OPENSHIFT_*_IDENT files can still be edited by the application owner, for some of the cartridges.
Comment 9 Dan McPherson 2014-01-20 18:53:28 EST
https://github.com/openshift/origin-server/pull/4535
Comment 11 Meng Bo 2014-01-21 05:12:25 EST
Issue fixed on devenv_4248.

Created all types of apps and checked the file owners:

[root@ip-10-238-239-6 openshift]# find -name OPENSHIFT_*_DIR |xargs ls -l |grep -v root
[root@ip-10-238-239-6 openshift]# find -name OPENSHIFT_*_IDENT |xargs ls -l |grep -v root
[root@ip-10-238-239-6 openshift]# find -name manifest.yml |xargs ls -l |grep -v root
[root@ip-10-238-239-6 openshift]# find -name managed_files.yml |xargs ls -l |grep -v root


For the migration part:

After modifying the owner of the files, it can be fixed.
Before migration:
[root@ip-10-238-239-6 env]# chown 52de42e25bb9a61c3c00004c:52de42e25bb9a61c3c00004c OPENSHIFT_DIY_DIR
[root@ip-10-238-239-6 env]# chown 52de42e25bb9a61c3c00004c:52de42e25bb9a61c3c00004c OPENSHIFT_DIY_IDENT
[root@ip-10-238-239-6 metadata]# chown 52de42e25bb9a61c3c00004c:52de42e25bb9a61c3c00004c *

After migration:
[root@ip-10-238-239-6 env]# ls -l
total 12
-rw-r--r--. 1 root 52de42e25bb9a61c3c00004c 48 Jan 21 04:50 OPENSHIFT_DIY_DIR
-rw-r--r--. 1 root 52de42e25bb9a61c3c00004c 20 Jan 21 05:09 OPENSHIFT_DIY_IDENT
-rw-r--r--. 1 root 52de42e25bb9a61c3c00004c 55 Jan 21 05:09 OPENSHIFT_DIY_LOG_DIR
[root@ip-10-238-239-6 diy]# ls -l metadata/
total 8
-rw-r--r--. 1 root 52de42e25bb9a61c3c00004c  223 Jan 20 23:01 managed_files.yml
-rw-r--r--. 1 root 52de42e25bb9a61c3c00004c 1194 Jan 20 23:01 manifest.yml


Moving bug to verified.
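The `find … | xargs ls -l | grep -v root` checks in comment 11 only look at who owns each file. The script below is an added audit example; it is not code from this bug, from origin-server or from the li repository. It assumes the gear layout visible in the listings above (`<gear>/<cart>/env/OPENSHIFT_<SHORT_NAME>_DIR`, `<gear>/<cart>/env/OPENSHIFT_<SHORT_NAME>_IDENT`, `<gear>/<cart>/metadata/manifest.yml`, `<gear>/<cart>/metadata/managed_files.yml`) and takes the gear user name as input. Besides ownership it checks the write bits, and it checks the parent directory the same way, because comment 6 points out that a file the gear user cannot modify can still be deleted and replaced when its directory is writable. The function names, the `gear_constructed` user name and the temporary fixture trees are all constructed for this example.

```shell
#!/bin/sh
# Added audit example (not from the bug, origin-server or li).
# Assumed gear layout, as seen in the comments above:
#   <gear>/<cart>/env/OPENSHIFT_<SHORT_NAME>_DIR
#   <gear>/<cart>/env/OPENSHIFT_<SHORT_NAME>_IDENT
#   <gear>/<cart>/metadata/manifest.yml
#   <gear>/<cart>/metadata/managed_files.yml
# A file is "locked" when the gear user can neither write it nor write its
# directory (a writable directory lets the file be deleted and replaced, comment 6).

# mode_owner PATH -> "<mode string> <owner>", parsed from ls -ld (no GNU stat needed)
mode_owner() {
  set -- $(ls -ld "$1")
  echo "$1 $3"
}

# writable_by GEAR_USER MODE OWNER -> exit 0 when GEAR_USER could write the object
writable_by() {
  # the owner write bit (3rd char of the mode string) only matters if the gear user owns it
  if [ "$3" = "$1" ]; then
    case $2 in ??w*) return 0 ;; esac
  fi
  # every listing above has the gear's own group as file group, so a group write
  # bit (6th char) or an other write bit (9th char) also lets the gear user write
  case $2 in ?????w* | ????????w*) return 0 ;; esac
  return 1
}

# check_file GEAR_USER FILE -> prints one line per finding, returns the finding count (0 = locked)
check_file() {
  gear=$1; path=$2; findings=0
  if [ ! -e "$path" ]; then
    echo "MISSING     $path"
    return 1
  fi
  set -- $(mode_owner "$path")
  if writable_by "$gear" "$1" "$2"; then
    echo "WRITABLE    $path (owner=$2 mode=$1)"
    findings=$((findings + 1))
  fi
  set -- $(mode_owner "$(dirname "$path")")
  if writable_by "$gear" "$1" "$2"; then
    echo "REPLACEABLE $path (dir owner=$2 mode=$1)"
    findings=$((findings + 1))
  fi
  return $findings
}

# audit_gear GEAR_HOME GEAR_USER CART SHORT_NAME -> returns the total finding count
audit_gear() {
  ghome=$1; gear=$2; cart=$3; short=$4; total=0
  for f in "$ghome/$cart/env/OPENSHIFT_${short}_DIR" \
           "$ghome/$cart/env/OPENSHIFT_${short}_IDENT" \
           "$ghome/$cart/metadata/manifest.yml" \
           "$ghome/$cart/metadata/managed_files.yml"; do
    check_file "$gear" "$f" || total=$((total + $?))
  done
  return $total
}

# build_fixture KIND DIR -> constructed gear tree (not a real gear) for the demo:
#   locked       files 644 owned by the caller; the gear user is someone else
#   gear_owned   same tree, but the gear user is the caller (the state in comments 2 and 5)
#   dir_writable files 644, but env/ is group-writable (the comment 6 caveat)
build_fixture() {
  mkdir -p "$2/ruby/env" "$2/ruby/metadata"
  for p in env/OPENSHIFT_RUBY_DIR env/OPENSHIFT_RUBY_IDENT \
           metadata/manifest.yml metadata/managed_files.yml; do
    echo constructed > "$2/ruby/$p"
    chmod 644 "$2/ruby/$p"
  done
  chmod 755 "$2/ruby/env" "$2/ruby/metadata"
  if [ "$1" = dir_writable ]; then chmod 775 "$2/ruby/env"; fi
  return 0
}

# demo -> audits the three constructed fixtures under a temporary directory
demo() {
  tmp=$(mktemp -d)
  for kind in locked gear_owned dir_writable; do
    build_fixture "$kind" "$tmp/$kind"
    who=gear_constructed
    if [ "$kind" = gear_owned ]; then who=$(id -un); fi
    echo "== $kind (gear user: $who)"
    audit_gear "$tmp/$kind" "$who" ruby RUBY && echo "   -> locked" || echo "   -> $? finding(s)"
  done
  rm -rf "$tmp"
}
case "${1:-}" in demo) demo ;; esac
```

Run `sh audit.sh demo` to see the three constructed scenarios, or call `audit_gear /var/lib/openshift/<gear uuid> <gear uuid> ruby RUBY` on a node to audit a real gear (the gear user name there is the uuid, as in the listings above). The exit status is the number of findings, so a zero status means all four files are locked in the sense this bug asks for.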
