View Issue Details

ID: 0015559
Project: Buildsys
Category: Ci.centos.org Ecosystem Testing
View Status: public
Last Update: 2019-01-09 10:33
Reporter: lmilbaum
Priority: normal    Severity: minor    Reproducibility: always
Status: assigned    Resolution: open
Summary: 0015559: Elevate Permissions to run a container which spins a VM with libvirt
Description: Running on the ember-csi namespace in OpenShift.

I can build the image from Jenkins after jenkins service account permissions were elevated.
Can't run a container based on that image.
Tags: No tags attached.

Activities

bstinson (administrator) 2018-12-10 04:39 ~0033288

Can you provide logs, and an idea of how you're trying to run this pod?

lmilbaum (reporter) 2018-12-12 08:41 ~0033320

I am running the pod in privileged mode from Jenkins. That should be covered since you elevated the jenkins service account.
POD name: ember-csi-1-grwjp

I am trying to rsh the POD to check it is working properly and hit the following error:

 ~/Downloads/openshift-origin-server-v3.7.2-282e43f-linux-64bit/oc rsh ember-csi-1-grwjp
Error from server (InternalError): Internal error occurred: [exec operation is not allowed because the pod's security context exceeds your permissions: pods "ember-csi-1-grwjp" is forbidden: unable to validate against any security context constraint: [provider restricted: .spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed], object does not implement the Object interfaces]

lmilbaum (reporter) 2018-12-13 11:57 ~0033328

Another permissions issue from the log file:
https://jenkins-ember-csi.apps.ci.centos.org/job/PR_submitted_CI/job/ci-automation-2/124/console

OpenShiftCreator calling create on for type pods and resource {
    "apiVersion" : "v1",
    "kind" : "Pod",
    "metadata" : {"generateName" : "ember-csi-1-"},
    "spec" : {
        "containers" : [{
            "name" : "ember-csi",
            "image" : "172.30.254.79:5000/ember-csi/ember-csi:latest",
            "securityContext" : {"privileged" : true},
            "volumeMounts" : [{
                "mountPath" : "/sys",
                "name" : "sysfs"
            }]
        }],
        "volumes" : [{
            "name" : "sysfs",
            "hostPath" : {
                "path" : "/sys",
                "type" : "Directory"
            }
        }]
    }
}
com.openshift.restclient.authorization.ResourceForbiddenException: pods "ember-csi-1-" is forbidden: unable to validate against any security context constraint: [provider restricted: .spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed provider restricted: .spec.containers[0].securityContext.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used provider scc-ember-csi: .spec.containers[0].securityContext.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used] pods "ember-csi-1-" is forbidden: unable to validate against any security context constraint: [provider restricted: .spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed provider restricted: .spec.containers[0].securityContext.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used provider scc-ember-csi: .spec.containers[0].securityContext.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used]
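The two denials in the log above (a privileged container and a hostPath volume) are exactly what the restricted SCC exists to block. As an added illustration that is not part of this ticket and not OpenShift's own admission code, the following Python models just those two rules, applies them to a copy of the pod spec from the log, and shows that dropping privileged mode and swapping the hostPath volume for an emptyDir is enough to pass them. The function names, the RESTRICTED_SCC table, the violation message wording and the emptyDir substitution are assumptions for the example; the real admission controller checks many more fields (run-as-user ranges, SELinux context, capabilities) than this.

```python
import copy

# Constructed copy of the pod spec that Jenkins tried to create in this issue.
PRIVILEGED_HOSTPATH_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"generateName": "ember-csi-1-"},
    "spec": {
        "containers": [{
            "name": "ember-csi",
            "image": "172.30.254.79:5000/ember-csi/ember-csi:latest",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"mountPath": "/sys", "name": "sysfs"}],
        }],
        "volumes": [{
            "name": "sysfs",
            "hostPath": {"path": "/sys", "type": "Directory"},
        }],
    },
}

# Simplified model (assumption for this example) of two of the rules the
# "restricted" SCC enforces: no privileged containers, and only a whitelist of
# volume source types. hostPath is deliberately absent from the whitelist.
RESTRICTED_SCC = {
    "name": "restricted",
    "allowPrivilegedContainer": False,
    "volumes": ["configMap", "downwardAPI", "emptyDir",
                "persistentVolumeClaim", "projected", "secret"],
}


def volume_type(volume):
    """Return the volume source key of a volume entry, e.g. 'hostPath' or 'emptyDir'."""
    return next(k for k in volume if k != "name")


def scc_violations(pod, scc):
    """Return human-readable violations of `scc` by `pod` (empty list means admitted)."""
    violations = []
    spec = pod["spec"]
    for i, container in enumerate(spec.get("containers", [])):
        sc = container.get("securityContext", {})
        if sc.get("privileged") and not scc["allowPrivilegedContainer"]:
            violations.append(
                f"provider {scc['name']}: .spec.containers[{i}].securityContext.privileged: "
                f"Invalid value: true: Privileged containers are not allowed")
    for j, volume in enumerate(spec.get("volumes", [])):
        vtype = volume_type(volume)
        if vtype not in scc["volumes"]:
            violations.append(
                f"provider {scc['name']}: .spec.volumes[{j}]: "
                f"Invalid value: \"{vtype}\": {vtype} volumes are not allowed to be used")
    return violations


def without_host_access(pod):
    """Return a copy of `pod` that no longer asks for host access: privileged mode is
    dropped and every hostPath volume becomes an emptyDir (a constructed compliant
    variant, not the exact change the reporter made)."""
    fixed = copy.deepcopy(pod)
    for container in fixed["spec"].get("containers", []):
        container.get("securityContext", {}).pop("privileged", None)
    for volume in fixed["spec"].get("volumes", []):
        if "hostPath" in volume:
            del volume["hostPath"]
            volume["emptyDir"] = {}
    return fixed


if __name__ == "__main__":
    for label, pod in (("as submitted", PRIVILEGED_HOSTPATH_POD),
                       ("without host access", without_host_access(PRIVILEGED_HOSTPATH_POD))):
        problems = scc_violations(pod, RESTRICTED_SCC)
        print(f"{label}: {'admitted' if not problems else 'forbidden'}")
        for p in problems:
            print("  " + p)
```

Running it prints two violations for the submitted spec and none for the variant without privileged mode or hostPath, which is the same outcome the reporter reached at the end of the ticket: once the pod stops asking for host resources, no custom SCC or elevated service account is needed.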

bstinson (administrator) 2018-12-17 19:09 ~0033376

I was curious why you need to mount /sys in your pod...so I took a look at your automation repos.

Are you sure that running vagrant within a pod (on an ubuntu image no less) is appropriate for running these tests?

We can certainly support scheduling VMs in pods, but the vagrant layer is going to cause some issues running in openshift.

If you truly need a vagrant workflow, we should revisit strategy here and get you access to bare metal.

lmilbaum (reporter) 2018-12-20 12:39 ~0033400

The /sys mount is required by the base image, consumed by the centos-vm image. Not sure I follow where you noticed that I am using an ubuntu image.
Can you please elaborate on how adding the vagrant layer causes issues running in openshift?

lmilbaum (reporter) 2018-12-20 13:50 ~0033402

To clarify my previous note: I am using a centos 7 image (not ubuntu). You can find more info here:
https://hub.docker.com/r/nonameyet/systemd-libvirt
https://github.com/no-name-yet/container-images/blob/master/el7/systemd-base/Dockerfile

lmilbaum (reporter) 2018-12-20 14:26 ~0033404

I am a bit confused about how vagrant might cause issues. It is only a front-end layer which spins up the VM with libvirt. Do you have experience or any knowledge (link) you can share with me on this issue?

lmilbaum (reporter) 2019-01-09 10:33 ~0033546

Following a solution we found (not mounting /sys to a hostPath folder), we don't need elevated permissions.
Please close the ticket.

Issue History

Date Modified Username Field Change
2018-12-09 13:48 lmilbaum New Issue
2018-12-10 04:39 bstinson Status new => feedback
2018-12-10 04:39 bstinson Note Added: 0033288
2018-12-12 08:41 lmilbaum Note Added: 0033320
2018-12-12 08:41 lmilbaum Status feedback => assigned
2018-12-13 11:57 lmilbaum Note Added: 0033328
2018-12-17 19:09 bstinson Note Added: 0033376
2018-12-20 12:39 lmilbaum Note Added: 0033400
2018-12-20 13:50 lmilbaum Note Added: 0033402
2018-12-20 14:26 lmilbaum Note Added: 0033404
2019-01-09 10:33 lmilbaum Note Added: 0033546