Re: Unable to get hostPath r/w without privileged: true

2017-12-17 Thread Nick Bartos (nibartos)
> chcon -u system_u -r object_r -t svirt_sandbox_file_t -l s0 /some/path

That worked perfectly.  Thanks!


From: users-boun...@lists.openshift.redhat.com 
<users-boun...@lists.openshift.redhat.com> on behalf of Tobias Florek 
<opensh...@ibotty.net>
Sent: Sunday, December 17, 2017 11:17 PM
To: users@lists.openshift.redhat.com
Subject: Re: Unable to get hostPath r/w without privileged: true

Hi!

>> [...] I cannot get anything inside a container to write to the
>> hostPath without setting 'privileged: true' for the container.
>>
> SELinux is probably preventing you from writing to the host path.
> Privileged completely bypasses those protections.  Marking the hostpath
> you want to expose as visible to containers should be sufficient (exact
> selinux chcon-fu escaping me at the minute).

chcon -u system_u -r object_r -t svirt_sandbox_file_t -l s0 /some/path

Greetings,
 Tobi(as Florek)

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users



Re: Unable to get hostPath r/w without privileged: true

2017-12-17 Thread Tobias Florek
Hi!

>> [...] I cannot get anything inside a container to write to the
>> hostPath without setting 'privileged: true' for the container.
>>
> SELinux is probably preventing you from writing to the host path. 
> Privileged completely bypasses those protections.  Marking the hostpath
> you want to expose as visible to containers should be sufficient (exact
> selinux chcon-fu escaping me at the minute).

chcon -u system_u -r object_r -t svirt_sandbox_file_t -l s0 /some/path

Greetings,
 Tobi(as Florek)



Re: Unable to get hostPath r/w without privileged: true

2017-12-13 Thread Clayton Coleman
On Dec 13, 2017, at 8:36 PM, Nick Bartos (nibartos) wrote:

> I am unable to get a writable hostPath volume for a "privileged: false"
> container, even when the container's runAsUser owns the directory on the
> host.
>
> The k8s docs say "You either need to run your process as root in a
> privileged container or modify the file permissions on the host to be able
> to write to a hostPath volume".  I have tried origin via openshift-ansible
> release-3.6 and master branches.
>
> I have tried more permutations than I can remember in the manifest,
> granting different permissions to the service account, but no matter what,
> I cannot get anything inside a container to write to the hostPath without
> setting 'privileged: true' for the container.

SELinux is probably preventing you from writing to the host path.
Privileged completely bypasses those protections.  Marking the hostpath you
want to expose as visible to containers should be sufficient (exact selinux
chcon-fu escaping me at the minute).

> Here is a fairly simple example:
>
> https://gist.github.com/nbartos/36319ddea5819284d76b667c69d8916f

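As an added example (not code from the thread, OpenShift or Kubernetes), a POSIX shell helper that checks whether a hostPath already carries the SELinux type Tobias's chcon line assigns, and relabels it persistently instead of falling back to privileged: true, which, as Clayton notes, bypasses the SELinux protection for the whole container. The function names and the path /some/path are illustrative; it assumes a host with SELinux enforcing, GNU coreutils and the policycoreutils tools semanage and restorecon.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes a Linux host running
# SELinux in enforcing mode with GNU coreutils (stat -c %C) and the
# policycoreutils tools semanage and restorecon installed.

# Types the container policy lets confined container processes read and
# write. svirt_sandbox_file_t is the name used in the thread;
# container_file_t is the newer name for the same type on current policies.
CONTAINER_TYPES="svirt_sandbox_file_t container_file_t"

# Extract the type from a full context such as
#   unconfined_u:object_r:default_t:s0-s0:c0.c1023
# The context is user:role:type:level, so the type is the third colon field.
selinux_type_of_context() {
    printf '%s' "$1" | cut -d: -f3
}

# Return 0 when a context carries a type containers may write to, 1 otherwise.
context_allows_container_write() {
    t=$(selinux_type_of_context "$1")
    for allowed in $CONTAINER_TYPES; do
        [ "$t" = "$allowed" ] && return 0
    done
    return 1
}

# Inspect a real path and say whether a confined (privileged: false)
# container could write to it. Ownership and mode do not matter here: a
# wrong SELinux type alone is enough to get the write denied.
check_hostpath() {
    ctx=$(stat -c %C "$1") || return 2
    if context_allows_container_write "$ctx"; then
        echo "$1: $ctx - writable by confined containers"
    else
        echo "$1: $ctx - confined containers will be denied; relabel it"
        return 1
    fi
}

# Relabel one path for containers without touching the rest of the host.
# The chcon one-liner from the thread works immediately but is discarded by
# the next restorecon or full relabel; recording an fcontext rule first
# makes the label persistent and lets restorecon apply it recursively.
relabel_hostpath_for_containers() {
    semanage fcontext -a -t svirt_sandbox_file_t "$1(/.*)?" &&
    restorecon -Rv "$1"
}

# Example run on the path from the thread:
#   check_hostpath /some/path || relabel_hostpath_for_containers /some/path
```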


Unable to get hostPath r/w without privileged: true

2017-12-13 Thread Nick Bartos (nibartos)
I am unable to get a writable hostPath volume for a "privileged: false" 
container, even when the container's runAsUser owns the directory on the host.


The k8s docs say "You either need to run your process as root in a privileged 
container or modify the file permissions on the host to be able to write to a 
hostPath volume".  I have tried origin via openshift-ansible release-3.6 and 
master branches.


I have tried more permutations than I can remember in the manifest, granting 
different permissions to the service account, but no matter what, I cannot get 
anything inside a container to write to the hostPath without setting 
'privileged: true' for the container.


Here is a fairly simple example:

https://gist.github.com/nbartos/36319ddea5819284d76b667c69d8916f