POD mount with filepersona enabled PVC's fail with chcon error #640

Closed
wdurairaj opened this issue Jun 4, 2019 · 5 comments

@wdurairaj
Collaborator

Looking at the dory logs, the chcon is failing with an error and bind mount is failing with rc=1 (exit code)

```
--
Debug: 2019/06/03 15:12:16 flexvol.go:509: doMount: bind mounted dockerPath=/opt/hpe/data/hpedocker-dm-uuid-mpath-360002ac0000000000001c7e40001db31 at flexvolPath=/var/lib/origin/openshift.local.volumes/pods/3742a7c2-85e3-11e9-a3b6-f40343a90200/volumes/hpe.com~hpe/sc1-2ddf8eda-85e1-11e9-a3b6-f40343a90200
Debug: 2019/06/03 15:12:16 cmd.go:33: ExecCommandOutput called with selinuxenabled[]
Debug: 2019/06/03 15:12:16 cmd.go:49: out :
Debug: 2019/06/03 15:12:16 selinux.go:32: selinuxenabled returned 0 and err=<nil>
Debug: 2019/06/03 15:12:16 selinux.go:43: Chcon about to change context of /opt/hpe/data/hpedocker-dm-uuid-mpath-360002ac0000000000001c7e40001db31 to svirt_sandbox_file_t
Debug: 2019/06/03 15:12:16 cmd.go:33: ExecCommandOutput called with chcon[-t svirt_sandbox_file_t /opt/hpe/data/hpedocker-dm-uuid-mpath-360002ac0000000000001c7e40001db31]
Debug: 2019/06/03 15:12:16 cmd.go:49: out :
Info : 2019/06/03 15:12:16 dory.go:100: [107298] reply  : mount [/var/lib/origin/openshift.local.volumes/pods/3742a7c2-85e3-11e9-a3b6-f40343a90200/volumes/hpe.com~hpe/sc1-2ddf8eda-85e1-11e9-a3b6-f40343a90200 {"kubernetes.io/fsType":"","kubernetes.io/pod.name":"pod1","kubernetes.io/pod.namespace":"default","kubernetes.io/pod.uid":"3742a7c2-85e3-11e9-a3b6-f40343a90200","kubernetes.io/pvOrVolumeName":"sc1-2ddf8eda-85e1-11e9-a3b6-f40343a90200","kubernetes.io/readwrite":"rw","kubernetes.io/serviceAccount.name":"default","name":"sc1-2ddf8eda-85e1-11e9-a3b6-f40343a90200","size":"16"}]: {"status":"Success"}
--
Debug: 2019/06/03 16:06:48 flexvol.go:509: doMount: bind mounted dockerPath=/opt/hpe/data/hpedocker-bbb2ba9d-85eb-11e9-b4ea-f40343a90200 at flexvolPath=/var/lib/origin/openshift.local.volumes/pods/bbb2ba9d-85eb-11e9-b4ea-f40343a90200/volumes/hpe.com~hpe/sc-personafile-3f5e1c79-85eb-11e9-b4ea-f40343a90200
Debug: 2019/06/03 16:06:48 cmd.go:33: ExecCommandOutput called with selinuxenabled[]
Debug: 2019/06/03 16:06:48 cmd.go:49: out :
Debug: 2019/06/03 16:06:48 selinux.go:32: selinuxenabled returned 0 and err=<nil>
Debug: 2019/06/03 16:06:48 selinux.go:43: Chcon about to change context of /opt/hpe/data/hpedocker-bbb2ba9d-85eb-11e9-b4ea-f40343a90200 to svirt_sandbox_file_t
Debug: 2019/06/03 16:06:48 cmd.go:33: ExecCommandOutput called with chcon[-t svirt_sandbox_file_t /opt/hpe/data/hpedocker-bbb2ba9d-85eb-11e9-b4ea-f40343a90200]
Debug: 2019/06/03 16:06:48 cmd.go:49: out :chcon: failed to change context of ‘/opt/hpe/data/hpedocker-bbb2ba9d-85eb-11e9-b4ea-f40343a90200’ to ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported
Debug: 2019/06/03 16:06:48 cmd.go:49: out :
Info : 2019/06/03 16:06:48 dory.go:100: [13807] reply  : mount [/var/lib/origin/openshift.local.volumes/pods/bbb2ba9d-85eb-11e9-b4ea-f40343a90200/volumes/hpe.com~hpe/sc-personafile-3f5e1c79-85eb-11e9-b4ea-f40343a90200 {"filePersona":"","fpg":"DockerFpg_0","kubernetes.io/fsType":"","kubernetes.io/pod.name":"pod-filepersona","kubernetes.io/pod.namespace":"default","kubernetes.io/pod.uid":"bbb2ba9d-85eb-11e9-b4ea-f40343a90200","kubernetes.io/pvOrVolumeName":"sc-personafile-3f5e1c79-85eb-11e9-b4ea-f40343a90200","kubernetes.io/readwrite":"rw","kubernetes.io/serviceAccount.name":"default","name":"sc-personafile-3f5e1c79-85eb-11e9-b4ea-f40343a90200"}]: {"status":"Failure","message":"rc=1"}
```
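
An added example, not part of the original issue or the project's code: the `Operation not supported` error from `chcon` in the second log excerpt is what a mount that does not accept SELinux labels returns, and the Go functions below check the `seclabel` option in `/proc/mounts` before relabeling. `mountFor`, `canRelabel`, the sample mount table and the assumption that the file-persona share is an NFS mount are hypothetical and not taken from the page.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of /proc/mounts (not taken from the issue). The NFS line
// stands in for a file-persona share; that it is mounted over NFS is an assumption.
const sampleMounts = `/dev/mapper/rhel-root / xfs rw,seclabel,relatime 0 0
/dev/mapper/mpatha /opt/hpe/data/hpedocker-block-example ext4 rw,seclabel,relatime 0 0
192.0.2.10:/fpg/share /opt/hpe/data/hpedocker-file-example nfs rw,relatime,vers=3 0 0`

// mountFor returns the filesystem type and options of the mount that holds
// path: the longest matching mount point, with later lines shadowing earlier ones.
func mountFor(procMounts, path string) (fsType string, opts []string, ok bool) {
	bestLen := -1
	for _, line := range strings.Split(procMounts, "\n") {
		f := strings.Fields(line)
		if len(f) < 4 {
			continue
		}
		mp := f[1]
		under := path == mp || strings.HasPrefix(path, strings.TrimSuffix(mp, "/")+"/")
		if under && len(mp) >= bestLen {
			bestLen, fsType, opts, ok = len(mp), f[2], strings.Split(f[3], ","), true
		}
	}
	return fsType, opts, ok
}

// canRelabel reports whether the mount holding path advertises "seclabel", the
// option shown for filesystems that accept SELinux labels; without it, skip chcon.
func canRelabel(procMounts, path string) bool {
	_, opts, _ := mountFor(procMounts, path)
	for _, o := range opts {
		if o == "seclabel" {
			return true
		}
	}
	return false
}

func main() {
	for _, p := range []string{"/opt/hpe/data/hpedocker-block-example", "/opt/hpe/data/hpedocker-file-example"} {
		fs, _, _ := mountFor(sampleMounts, p)
		fmt.Printf("%s fs=%s relabel=%v\n", p, fs, canRelabel(sampleMounts, p))
	}
}
```

On a real host the first argument would be the contents of `/proc/mounts`; mount points containing spaces are octal-escaped there and are not decoded by this example.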

@wdurairaj wdurairaj self-assigned this Jun 11, 2019
@wdurairaj
Collaborator Author

Actually running the pod in privileged mode allows data writes on the exported location

```yaml
kind: Pod
apiVersion: v1
metadata:
  name: podfiletestw2
spec:
  containers:
  - name: nginx
    securityContext:
      privileged: true
      capabilities:
        add: ["SYS_ADMIN"]
      allowPrivilegeEscalation: true
    image: nginx
    volumeMounts:
    - name: export
      mountPath: /export
  restartPolicy: Always
  volumes:
  - name: export
    persistentVolumeClaim:
      claimName: pvcfile-sandesh4
```

@prablr79
Contributor

@nilangekarss is this real fix going as part of 3.2?

wdurairaj added a commit to wdurairaj/python-hpedockerplugin that referenced this issue Jun 18, 2019
wdurairaj added a commit that referenced this issue Jun 24, 2019
* Fix Issue #534 (#576)

* Fix Issue #390, Allow 'size' in snapshot options

* Updated usage doc

* Fix issue #534 - invalid config entry creates session leak

* Fix for chcon error -- issue #640
@prablr79 prablr79 added the Fixed Code fixed label Jun 25, 2019
@amitk1977 amitk1977 assigned wdurairaj and unassigned wdurairaj Jul 2, 2019
@amitk1977
Collaborator

Leena to verify the fix in OpenShift environment

@c-raghav

c-raghav commented Jul 9, 2019

Verified with below ymls, able to mount and write data

```yaml
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: sc-file2
provisioner: hpe.com/hpe
parameters:
  name: TEST_SHARE
  size: "100"
  filePersona: ""
  fpg: rC_r6_FPG
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: pvcfile2-rc
spec:
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 20Gi
  storageClassName: sc-file2
---
kind: Pod
apiVersion: v1
metadata:
  name: pod-file2-rc
spec:
  containers:
  - name: nginx
    securityContext:
      privileged: true
      capabilities:
        add: ["SYS_ADMIN"]
      allowPrivilegeEscalation: true
    image: nginx
    volumeMounts:
    - name: export
      mountPath: /export
  restartPolicy: Always
  volumes:
  - name: export
    persistentVolumeClaim:
      claimName: pvcfile2-rc
```

@wdurairaj
Collaborator Author

Closing based on Raghavendra's comment
