Description of problem: When the additional supplementary group for a user is is set via GEAR_SUPL_GRPS in /etc/openshift/node.conf, creating an application in the node results to failure in cloning the app's git repo and inability to ssh to the app. Commit: https://github.com/openshift/origin-server/pull/2005/files How reproducible: Always Steps to Reproduce: 1. vi /etc/openshift/node.conf in the current node 2. Set variable GEAR_SUPL_GRPS to an existing group: GEAR_SUPL_GRPS="wheel" 3. Create an application in the node rhc create app <appName> <appType> 4. Attempt to ssh to the application Actual results: For Step 3. (under Steps to Reproduce), creating an application in the node results to the following: [root@ip-10-38-13-78 ~]# rhc app create rubyAppTest ruby-1.9 Application Options ------------------- Namespace: nimbus Cartridges: ruby-1.9 Gear Size: default Scaling: no Creating application 'rubyAppTest' ... done Waiting for your DNS name to be available ... done Downloading the application Git repository ... Initialized empty Git repository in /root/rubyapptest/.git/ The authenticity of host 'rubyapptest-nimbus.dev.rhcloud.com (10.38.13.78)' can't be established. RSA key fingerprint is d8:48:6b:4e:bb:0f:9c:37:df:42:03:d4:80:22:6d:b1. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'rubyapptest-nimbus.dev.rhcloud.com' (RSA) to the list of known hosts. fatal: protocol error: bad line length character: Inva Unable to clone your repository. Called Git with: git clone ssh://c32fb9bacf3a11e2a33812313d2722a4.rhcloud.com/~/git/rubyapptest.git/ "rubyapptest" rubyapptest @ http://rubyapptest-nimbus.dev.rhcloud.com/ (uuid: c32fb9bacf3a11e2a33812313d2722a4) ------------------------------------------------------------------------------------------------- Created: 2:23 AM Gears: 1 (defaults to small) Git URL: ssh://c32fb9bacf3a11e2a33812313d2722a4.rhcloud.com/~/git/rubyapptest.git/ SSH: c32fb9bacf3a11e2a33812313d2722a4.rhcloud.com ruby-1.9 (Ruby 1.9) ------------------- Gears: 1 small !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: Your application was created successfully but had problems during configuration. Below is a list of the issues and steps you can take to complete the configuration of your application. Application URL: http://rubyapptest-nimbus.dev.rhcloud.com/ Issues: 1. We were unable to clone your application's git repo - Unable to clone your repository. Called Git with: git clone ssh://c32fb9bacf3a11e2a33812313d2722a4.rhcloud.com/~/git/rubyapptest.git/ "rubyapptest" Steps to complete your configuration: 1. Clone your git repo $ rhc git-clone rubyapptest If you can't get your application 'rubyapptest' running in the browser, you can try destroying and recreating the application: $ rhc app delete rubyapptest --confirm If this doesn't work for you, let us know in the forums or in IRC and we'll make sure to get you up and running. Forums - https://www.openshift.com/forums/openshift IRC - #openshift (on Freenode) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! After attempting to clone git repo as suggested in step 1 ('rhc git-clone rubyapptest'), the response output cloning is: [root@ip-10-38-13-78 ~]# rhc git-clone rubyapptest Initialized empty Git repository in /root/rubyapptest/.git/ fatal: protocol error: bad line length character: Inva Unable to clone your repository. Called Git with: git clone ssh://c32fb9bacf3a11e2a33812313d2722a4.rhcloud.com/~/git/rubyapptest.git/ "rubyapptest" For Step 4 under the (under Steps to Reproduce),attempting to ssh to the app results to [root@ip-10-38-13-78 ~]# ssh c32fb9bacf3a11e2a33812313d2722a4.rhcloud.com Invalid context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023, expected unconfined_u:system_r:openshift_t:s0:c0,c504 Connection to rubyapptest-nimbus.dev.rhcloud.com closed. Expected results: App should be created successfully without any warning about git repo not being cloned and ssh access to the app should be allowed Additional info: The /etc/group in the node is updated correctly wheel:x:10:root,c32fb9bacf3a11e2a33812313d2722a4 Running groups <user> in the node also shows the group being added [root@ip-10-38-13-78 ~]# groups c32fb9bacf3a11e2a33812313d2722a4 c32fb9bacf3a11e2a33812313d2722a4 : c32fb9bacf3a11e2a33812313d2722a4 wheel When the GEAR_SUPL_GRPS is commented out, (#GEAR_SUPL_GRPS="wheel") and another application is created, the result from creating a new app is: RESULT: Application rubyapptest2 was created. The cartridge ruby deployed a template application and ssh access to rubyapptest2 is successful. Running 'usermod -a -G wheel 51b17f14160d2c130600000a' (after a new app is created and the GEAR_SUPL_GRPS is commented out) and trying to ssh to the app results to the same ssh error: [root@ip-10-38-13-78 ~]# ssh 51b17f14160d2c130600000a.rhcloud.com Invalid context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023, expected unconfined_u:system_r:openshift_t:s0:c0,c505 Connection to rubyapptest2-nimbus.dev.rhcloud.com closed.
We've found that pam_openshift.c makes a special case for the root and wheel group. You won't be able to use these two groups for the GEAR_SUPL_GRPS node.conf setting.