Re: Unable to get hostPath r/w without privileged: true
> chcon -u system_u -r object_r -t svirt_sandbox_file_t -l s0 /some/path

That worked perfectly. Thanks!

From: users-boun...@lists.openshift.redhat.com <users-boun...@lists.openshift.redhat.com> on behalf of Tobias Florek <opensh...@ibotty.net>
Sent: Sunday, December 17, 2017 11:17 PM
To: users@lists.openshift.redhat.com
Subject: Re: Unable to get hostPath r/w without privileged: true

Hi!

>> [...] I cannot get anything inside a container to write to the
>> hostPath without setting 'privileged: true' for the container.
>>
> SELinux is probably preventing you from writing to the host path.
> Privileged completely bypasses those protections. Marking the hostpath
> you want to expose as visible to containers should be sufficient (exact
> selinux chcon-fu escaping me at the minute).

chcon -u system_u -r object_r -t svirt_sandbox_file_t -l s0 /some/path

Greetings,
Tobi(as Florek)

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
Re: Unable to get hostPath r/w without privileged: true
Hi!

>> [...] I cannot get anything inside a container to write to the
>> hostPath without setting 'privileged: true' for the container.
>>
> SELinux is probably preventing you from writing to the host path.
> Privileged completely bypasses those protections. Marking the hostpath
> you want to expose as visible to containers should be sufficient (exact
> selinux chcon-fu escaping me at the minute).

chcon -u system_u -r object_r -t svirt_sandbox_file_t -l s0 /some/path

Greetings,
Tobi(as Florek)
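The check-and-relabel step Tobias describes, as an added shell example that is not part of the thread: it reads the directory's current SELinux context, accepts it if the type is one containers may write to, and otherwise records a persistent container_file_t rule with semanage and applies it with restorecon (the chcon from the thread works immediately but is undone by the next restorecon or autorelabel). The function names, the semanage/restorecon approach and an SELinux-enabled host with policycoreutils installed are my assumptions.

```shell
# Added example, not from the thread. Check whether a host directory's
# SELinux label lets a non-privileged container write to it and, if not,
# relabel it persistently. Assumes an SELinux host with GNU stat,
# semanage and restorecon; the function names are made up here.

# Types that confined containers (container_t) may write to.
# svirt_sandbox_file_t is the older name; newer policies alias it to
# container_file_t.
CONTAINER_RW_TYPES="container_file_t svirt_sandbox_file_t"

# Third field of a context "user:role:type:level", e.g. default_t.
context_type() { printf '%s' "$1" | cut -d: -f3; }

# 0 if the context's type is one containers may write to, 1 otherwise.
context_allows_container_write() {
    t=$(context_type "$1")
    for rw in $CONTAINER_RW_TYPES; do
        [ "$t" = "$rw" ] && return 0
    done
    return 1
}

# Current context of a path; GNU stat prints it with %C on SELinux hosts.
path_context() { stat -c %C "$1"; }

# Persistent version of the chcon from the thread: record a file-context
# rule, then apply it. chcon alone is undone by restorecon/autorelabel.
# Level s0 with no MCS categories means every container on the node can
# write here, not only the intended pod, so keep the directory narrow.
relabel_for_containers() {
    d="$1"
    semanage fcontext -a -t container_file_t "${d}(/.*)?" 2>/dev/null \
        || semanage fcontext -m -t container_file_t "${d}(/.*)?"
    restorecon -Rv "$d"
}

# Check first, relabel only when needed.
ensure_hostpath_writable() {
    d="$1"
    ctx=$(path_context "$d")
    if context_allows_container_write "$ctx"; then
        echo "$d already labelled $ctx"
    else
        echo "$d is $ctx; relabelling for containers"
        relabel_for_containers "$d"
    fi
}

if [ "$#" -gt 0 ]; then
    ensure_hostpath_writable "$1"
fi
```

Run it as root with the host directory as the only argument; `ls -Zd /some/path` afterwards should show container_file_t on the directory.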
Re: Unable to get hostPath r/w without privileged: true
On Dec 13, 2017, at 8:36 PM, Nick Bartos (nibartos) wrote:

> I am unable to get a writable hostPath volume for a "privileged: false" container, even when the container's runAsUser owns the directory on the host. The k8s docs say "You either need to run your process as root in a privileged container or modify the file permissions on the host to be able to write to a hostPath volume". I have tried origin via openshift-ansible release-3.6 and master branches. I have tried more permutations than I can remember in the manifest, granting different permissions to the service account, but no matter what, I cannot get anything inside a container to write to the hostPath without setting 'privileged: true' for the container.

SELinux is probably preventing you from writing to the host path. Privileged completely bypasses those protections. Marking the hostpath you want to expose as visible to containers should be sufficient (exact selinux chcon-fu escaping me at the minute).

> Here is a fairly simple example: https://gist.github.com/nbartos/36319ddea5819284d76b667c69d8916f
Unable to get hostPath r/w without privileged: true
I am unable to get a writable hostPath volume for a "privileged: false" container, even when the container's runAsUser owns the directory on the host. The k8s docs say "You either need to run your process as root in a privileged container or modify the file permissions on the host to be able to write to a hostPath volume". I have tried origin via openshift-ansible release-3.6 and master branches. I have tried more permutations than I can remember in the manifest, granting different permissions to the service account, but no matter what, I cannot get anything inside a container to write to the hostPath without setting 'privileged: true' for the container.

Here is a fairly simple example: https://gist.github.com/nbartos/36319ddea5819284d76b667c69d8916f