Bug 971685 - Specifying group in GEAR_SUPL_GRPS under /etc/openshift.node.conf to add user in a group blocks being able to ssh to the app and fails to clone the app's git repo
Specifying group in GEAR_SUPL_GRPS under /etc/openshift.node.conf to add user...
Status: CLOSED NOTABUG
Product: OpenShift Origin
Classification: Red Hat
Component: Containers (Show other bugs)
2.x
Unspecified Linux
unspecified Severity medium
: ---
: ---
Assigned To: Jhon Honce
libra bugs
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-06-07 02:54 EDT by Genevieve Sarmiento
Modified: 2015-05-14 19:12 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-06-07 09:41:41 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Genevieve Sarmiento 2013-06-07 02:54:11 EDT
Description of problem:
When the additional supplementary group for a user is is set via GEAR_SUPL_GRPS in /etc/openshift/node.conf, creating an application in the node results to failure in cloning the app's git repo and inability to ssh to the app. 

Commit: https://github.com/openshift/origin-server/pull/2005/files

How reproducible:
Always

Steps to Reproduce:
1. vi /etc/openshift/node.conf in the current node
2. Set variable GEAR_SUPL_GRPS to an existing group:
    GEAR_SUPL_GRPS="wheel"
3. Create an application in the node
    rhc create app <appName> <appType>
4. Attempt to ssh to the application

Actual results:
For Step 3. (under Steps to Reproduce), creating an application in the node results to the following:
[root@ip-10-38-13-78 ~]# rhc app create rubyAppTest ruby-1.9
Application Options
-------------------
  Namespace:  nimbus
  Cartridges: ruby-1.9
  Gear Size:  default
  Scaling:    no

Creating application 'rubyAppTest' ... done

Waiting for your DNS name to be available ... done

Downloading the application Git repository ...
Initialized empty Git repository in /root/rubyapptest/.git/
The authenticity of host 'rubyapptest-nimbus.dev.rhcloud.com (10.38.13.78)' can't be established.
RSA key fingerprint is d8:48:6b:4e:bb:0f:9c:37:df:42:03:d4:80:22:6d:b1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rubyapptest-nimbus.dev.rhcloud.com' (RSA) to the list of known hosts.
fatal: protocol error: bad line length character: Inva

Unable to clone your repository. Called Git with: git clone ssh://c32fb9bacf3a11e2a33812313d2722a4@rubyapptest-nimbus.dev.rhcloud.com/~/git/rubyapptest.git/
"rubyapptest"

rubyapptest @ http://rubyapptest-nimbus.dev.rhcloud.com/ (uuid: c32fb9bacf3a11e2a33812313d2722a4)
-------------------------------------------------------------------------------------------------
  Created: 2:23 AM
  Gears:   1 (defaults to small)
  Git URL: ssh://c32fb9bacf3a11e2a33812313d2722a4@rubyapptest-nimbus.dev.rhcloud.com/~/git/rubyapptest.git/
  SSH:     c32fb9bacf3a11e2a33812313d2722a4@rubyapptest-nimbus.dev.rhcloud.com

  ruby-1.9 (Ruby 1.9)
  -------------------
    Gears: 1 small

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING:  Your application was created successfully but had problems during
          configuration. Below is a list of the issues and steps you can
          take to complete the configuration of your application.

  Application URL: http://rubyapptest-nimbus.dev.rhcloud.com/

  Issues:
    1. We were unable to clone your application's git repo - Unable to clone your repository. Called Git with: git clone
ssh://c32fb9bacf3a11e2a33812313d2722a4@rubyapptest-nimbus.dev.rhcloud.com/~/git/rubyapptest.git/ "rubyapptest"

  Steps to complete your configuration:
    1. Clone your git repo
      $ rhc git-clone rubyapptest

  If you can't get your application 'rubyapptest' running in the browser,
  you can try destroying and recreating the application:

    $ rhc app delete rubyapptest --confirm

  If this doesn't work for you, let us know in the forums or in IRC and we'll
  make sure to get you up and running.

    Forums - https://www.openshift.com/forums/openshift
    IRC - #openshift (on Freenode)

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


After attempting to clone git repo as suggested in step 1 ('rhc git-clone rubyapptest'), the response output cloning is:

[root@ip-10-38-13-78 ~]# rhc git-clone rubyapptest
Initialized empty Git repository in /root/rubyapptest/.git/
fatal: protocol error: bad line length character: Inva
Unable to clone your repository. Called Git with: git clone ssh://c32fb9bacf3a11e2a33812313d2722a4@rubyapptest-nimbus.dev.rhcloud.com/~/git/rubyapptest.git/
"rubyapptest"


For Step 4 under the (under Steps to Reproduce),attempting to ssh to the app results to

[root@ip-10-38-13-78 ~]# ssh c32fb9bacf3a11e2a33812313d2722a4@rubyapptest-nimbus.dev.rhcloud.com
Invalid context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023, expected unconfined_u:system_r:openshift_t:s0:c0,c504

Connection to rubyapptest-nimbus.dev.rhcloud.com closed.


Expected results:
App should be created successfully without any warning about git repo not being cloned and ssh access to the app should be allowed


Additional info:
The /etc/group in the node is updated correctly 
  wheel:x:10:root,c32fb9bacf3a11e2a33812313d2722a4

Running groups <user> in the node also shows the group being added

[root@ip-10-38-13-78 ~]# groups c32fb9bacf3a11e2a33812313d2722a4
c32fb9bacf3a11e2a33812313d2722a4 : c32fb9bacf3a11e2a33812313d2722a4 wheel



When the GEAR_SUPL_GRPS is commented out,  (#GEAR_SUPL_GRPS="wheel") and another application is created, the result from creating a new app is:
RESULT:
Application rubyapptest2 was created.
The cartridge ruby deployed a template application

and ssh access to rubyapptest2 is successful.


Running 'usermod -a -G wheel 51b17f14160d2c130600000a' (after a new app is created and the GEAR_SUPL_GRPS is commented out) and trying to ssh to the app results to the same ssh error:

[root@ip-10-38-13-78 ~]# ssh 51b17f14160d2c130600000a@rubyapptest2-nimbus.dev.rhcloud.com
Invalid context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023, expected unconfined_u:system_r:openshift_t:s0:c0,c505

Connection to rubyapptest2-nimbus.dev.rhcloud.com closed.
Comment 1 chris alfonso 2013-06-07 09:41:41 EDT
We've found that pam_openshift.c makes a special case for the root and wheel group. You won't be able to use these two groups for the GEAR_SUPL_GRPS node.conf setting.

Note You need to log in before you can comment on or make changes to this bug.