Re: file permissions changed in docker registry

2018-07-05 Thread Tim Dudgeon

OK, I'll create an issue for this.

Though my comment is that both of the systems involved (docker registry 
and Hawkular metrics) are core parts of openshift so I would hope that 
no "fiddling" would be needed.



On 05/07/18 15:57, Ben Parees wrote:
I forwarded your problem on to our storage team lead, he had the 
following suggestions:


"I believe they will want to fiddle with the fsGroup or 
supplementalGroup so that it matches the GID of the cassandra user and 
make sure those GIDs are in the SCC ranges for the pod."


He also recommended you consider opening a bugzilla as it's easier to 
track these issues that way.





On Thu, Jul 5, 2018 at 7:42 AM, Tim Dudgeon wrote:


I hit this problem again, this time with the cassandra pod for
Hawkular metrics.

This has been running without problem for some months, but now I
found that the cassandra pod could not start because of file
permissions writing to the /cassandra_data/data directory.

Looking at that directory the ownership was set to
14.65534, but cassandra was running as user 313 so could
not write to that directory. Manually changing permissions to
313.65534 (the 65534 group is nfsnobody, and the cassandra user is
a member of that group) fixed the problem and allowed the
cassandra pod to start.

Clearly the 14 user is an openshift assigned user, but as
the container is running as the cassandra user (313) I have no
idea how this could have happened.

Can anyone explain what is going on here?

Tim



On 02/07/18 16:27, Tim Dudgeon wrote:

I've hit a strange problem with directory ownership for the
docker registry a couple of times, and don't understand what
is causing this.

The registry was working fine for some time. I'm using a
Cinder volume for the registry storage, but don't know if
that's relevant.
Then something happened that stopped pods pushing to the
registry, with the problem being that the registry pod was
getting "Permission denied" errors when it was trying to
create directories under
/registry/docker/registry/v2/repositories.

Looking at the file system the directories were all owned by
10.10 which explains why the registry process
(running as user 1001) could not write to these directories. e.g.

sh-4.2$ cd /registry/docker/registry/v2/
sh-4.2$ ls -al
total 0
drwxrwsr-x.  4 10 10  39 Apr 20 15:51 .
drwxrwsr-x.  3 10 10  16 Apr 20 15:51 ..
drwxrwsr-x.  3 10 10  20 Apr 20 15:51 blobs
drwxrwsr-x. 15 10 10 215 May 29 14:14 repositories

Doing a `docker -exec -u 0  on the infra node
and then a `chown -R 1001.0 /registry/docker/registry`  to
reset the permissions fixed the problem.

Anyone any idea what's going on here?

Tim


___
users mailing list
users@lists.openshift.redhat.com

http://lists.openshift.redhat.com/openshiftmm/listinfo/users





--
Ben Parees | OpenShift





Re: file permissions changed in docker registry

2018-07-05 Thread Ben Parees
I forwarded your problem on to our storage team lead, he had the following
suggestions:

"I believe they will want to fiddle with the fsGroup or supplementalGroup
so that it matches the GID of the cassandra user and make sure those GIDs
are in the SCC ranges for the pod."

He also recommended you consider opening a bugzilla as it's easier to track
these issues that way.




On Thu, Jul 5, 2018 at 7:42 AM, Tim Dudgeon  wrote:

> I hit this problem again, this time with the cassandra pod for Hawkular
> metrics.
>
> This has been running without problem for some months, but now I found
> that the cassandra pod could not start because of file permissions writing
> to the /cassandra_data/data directory.
>
> Looking at that directory the ownership was set to 14.65534, but
> cassandra was running as user 313 so could not write to that directory.
> Manually changing permissions to 313.65534 (the 65534 group is nfsnobody,
> and the cassandra user is a member of that group) fixed the problem and
> allowed the cassandra pod to start.
>
> Clearly the 14 user is an openshift assigned user, but as the
> container is running as the cassandra user (313) I have no idea how this
> could have happened.
>
> Can anyone explain what is going on here?
>
> Tim
>
>
>
> On 02/07/18 16:27, Tim Dudgeon wrote:
>
>> I've hit a strange problem with directory ownership for the docker
>> registry a couple of times, and don't understand what is causing this.
>>
>> The registry was working fine for some time. I'm using a Cinder volume
>> for the registry storage, but don't know if that's relevant.
>> Then something happened that stopped pods pushing to the registry, with
>> the problem being that the registry pod was getting "Permission denied"
>> errors when it was trying to create directories under
>> /registry/docker/registry/v2/repositories.
>>
>> Looking at the file system the directories were all owned by
>> 10.10 which explains why the registry process (running as
>> user 1001) could not write to these directories. e.g.
>>
>> sh-4.2$ cd /registry/docker/registry/v2/
>> sh-4.2$ ls -al
>> total 0
>> drwxrwsr-x.  4 10 10  39 Apr 20 15:51 .
>> drwxrwsr-x.  3 10 10  16 Apr 20 15:51 ..
>> drwxrwsr-x.  3 10 10  20 Apr 20 15:51 blobs
>> drwxrwsr-x. 15 10 10 215 May 29 14:14 repositories
>>
>> Doing a `docker -exec -u 0  on the infra node and then a
>> `chown -R 1001.0 /registry/docker/registry`  to reset the permissions fixed
>> the problem.
>>
>> Anyone any idea what's going on here?
>>
>> Tim
>>
>>



-- 
Ben Parees | OpenShift
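
Added example, not part of the thread and not OpenShift code: a small Python model of the two checks behind the fsGroup/supplementalGroups suggestion, using the `drwxrwsr-x 10 10` registry listing quoted above. It assumes the allowed GID range is given in the `<start>/<length>` or `<start>-<end>` block form used by the namespace annotation `openshift.io/sa.scc.supplemental-groups`; the range values are constructed.

```python
import stat

def parse_ranges(annotation):
    """Parse comma-separated 'start/length' or 'start-end' blocks into (lo, hi) pairs."""
    ranges = []
    for block in annotation.split(","):
        block = block.strip()
        if "/" in block:
            start, length = (int(x) for x in block.split("/"))
            ranges.append((start, start + length - 1))
        else:
            lo, hi = (int(x) for x in block.split("-"))
            ranges.append((lo, hi))
    return ranges

def gid_allowed(gid, annotation):
    """True if gid falls inside any block of the allowed range."""
    return any(lo <= gid <= hi for lo, hi in parse_ranges(annotation))

def can_write(mode, owner_uid, owner_gid, proc_uid, proc_gids):
    """Classic POSIX check: exactly one of owner/group/other applies.
    Simplification: uid 0 is treated as always allowed (no capability or SELinux model)."""
    if proc_uid == 0:
        return True
    if proc_uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in proc_gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

# From the quoted listing: drwxrwsr-x, owner 10, group 10; registry runs as uid 1001.
DIR_MODE = 0o2775
CONSTRUCTED_RANGE = "1000040000/10000"  # constructed sample value, not from the thread

if __name__ == "__main__":
    # As observed: uid 1001 with only group 0 falls into "other" (r-x), so no write.
    print("observed:", can_write(DIR_MODE, 10, 10, 1001, {0}))
    # If the pod carried the directory's GID as a supplemental group, group rwx applies.
    print("with matching group:", can_write(DIR_MODE, 10, 10, 1001, {0, 10}))
    # After the chown -R 1001.0 workaround the owner bits apply.
    print("after chown:", can_write(DIR_MODE, 1001, 0, 1001, {0}))
    # The matching GID must also be inside the allowed range.
    print("gid 10 in range:", gid_allowed(10, CONSTRUCTED_RANGE))
```
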


Re: Utilizing Jenkins linter with Jenkins hosted within OpenShift

2018-07-05 Thread Gabe Montero
We support passing in a valid OpenShift token as a bearer token with curl
requests against a deployment of the OpenShift Jenkins image.

You should be able to leverage the curl-based access noted at the link
you posted.

See
https://github.com/openshift/jenkins-openshift-login-plugin#non-browser-access
https://github.com/openshift/jenkins#jenkins-admin-user
https://docs.openshift.org/latest/using_images/other_images/jenkins.html#jenkins-openshift-oauth-authentication



On Thu, Jul 5, 2018 at 7:51 AM, Andrew Feller  wrote:

> I imagine developers leveraging Jenkins declarative linter
>  from Jenkins
> hosted within OpenShift is more difficult because OpenShift is handling
> identity management, but has anyone had luck with supporting this?  I
> realize the nature of Jenkins makes this complicated so don't expect there
> to be a great solution here.
>
> Thanks!
>
> --
>
> Andy Feller  •  Sr DevOps Engineer
>
> 900 Main Campus Drive, Suite 500, Raleigh, NC 27606
>
>
> e: afel...@bandwidth.com
>


Utilizing Jenkins linter with Jenkins hosted within OpenShift

2018-07-05 Thread Andrew Feller
I imagine developers leveraging Jenkins declarative linter
 from Jenkins
hosted within OpenShift is more difficult because OpenShift is handling
identity management, but has anyone had luck with supporting this?  I
realize the nature of Jenkins makes this complicated so don't expect there
to be a great solution here.

Thanks!

-- 

Andy Feller  •  Sr DevOps Engineer

900 Main Campus Drive, Suite 500, Raleigh, NC 27606


e: afel...@bandwidth.com


Re: file permissions changed in docker registry

2018-07-05 Thread Tim Dudgeon
I hit this problem again, this time with the cassandra pod for Hawkular 
metrics.


This has been running without problem for some months, but now I found 
that the cassandra pod could not start because of file permissions 
writing to the /cassandra_data/data directory.


Looking at that directory the ownership was set to 14.65534, but 
cassandra was running as user 313 so could not write to that directory. 
Manually changing permissions to 313.65534 (the 65534 group is 
nfsnobody, and the cassandra user is a member of that group) fixed the 
problem and allowed the cassandra pod to start.


Clearly the 14 user is an openshift assigned user, but as the 
container is running as the cassandra user (313) I have no idea how this 
could have happened.


Can anyone explain what is going on here?

Tim


On 02/07/18 16:27, Tim Dudgeon wrote:
I've hit a strange problem with directory ownership for the docker 
registry a couple of times, and don't understand what is causing this.


The registry was working fine for some time. I'm using a Cinder volume 
for the registry storage, but don't know if that's relevant.
Then something happened that stopped pods pushing to the registry, 
with the problem being that the registry pod was getting "Permission 
denied" errors when it was trying to create directories under 
/registry/docker/registry/v2/repositories.


Looking at the file system the directories were all owned by 
10.10 which explains why the registry process (running 
as user 1001) could not write to these directories. e.g.


sh-4.2$ cd /registry/docker/registry/v2/
sh-4.2$ ls -al
total 0
drwxrwsr-x.  4 10 10  39 Apr 20 15:51 .
drwxrwsr-x.  3 10 10  16 Apr 20 15:51 ..
drwxrwsr-x.  3 10 10  20 Apr 20 15:51 blobs
drwxrwsr-x. 15 10 10 215 May 29 14:14 repositories

Doing a `docker -exec -u 0  on the infra node and then a 
`chown -R 1001.0 /registry/docker/registry`  to reset the permissions 
fixed the problem.


Anyone any idea what's going on here?

Tim


