Re: CIFS access from pods

2018-04-11 Thread Marc Boorshtein
Yes, if it weren't changed the pod wouldn't be accepted and run.

On Tue, Apr 10, 2018, 11:22 PM Yu Wei  wrote:

> Hi,
> Have you changed the settings for using hostPath?
> Please refer to the following doc:
>
> https://docs.openshift.org/latest/admin_guide/manage_scc.html#use-the-hostpath-volume-plugin
> --
> *From:* users-boun...@lists.openshift.redhat.com <users-boun...@lists.openshift.redhat.com> on behalf of Marc Boorshtein <mboorsht...@gmail.com>
> *Sent:* Wednesday, April 11, 2018 11:04 AM
> *To:* users
> *Subject:* CIFS access from pods
>
> OpenShifters,
>
> I'm trying to access CIFS mounts from my OpenShift pods using Origin 3.7
> on CentOS 7.  Here's my setup:
>
> 1.  FreeIPA deployed with domain trust to AD (ENT2K12.DOMAIN.COM)
> 2.  Node is member of FreeIPA domain
> 3.  On Node:
>   a.  Keytab generated
>   b.  CIFS share mounted as AD user using uid from IPA:
>       mount -t cifs -o username=mmos...@ent2k12.domain.com,sec=krb5,version=3.0,uid=160811903,gid=0 //adfs.ent2k12.domain.com/mmosley-share /mount/local-storage/cifs/mmosley
>   c.  marked /mount/local-storage/cifs/mmosley as owned by
> mmos...@ent2k12.domain.com/root
>
> 4.  In OpenShift:
>   a.  Enabled hostPath
>   b.  Set runAsUser to runAsAny
>
> 5.  in my pod added:
>
> securityContext:
>   runAsUser: 160811903
>
> And
> volumes:
> - name: ext
>   hostPath:
>     path: /mnt/local-storage/cifs/mmosley
>     type: Directory
>
> Once my pod is running, I double check the id:
>
> sh-4.2$ id
> uid=160811903 gid=0(root) groups=0(root),100011
> sh-4.2$
>
> but when I try to access the mount I get permission denied:
> drwxrwxrwx.   2 160811903 root   0 Apr 10 13:58 ext
>
> rsh-4.2$ ls /ext/
> ls: cannot open directory /ext/: Permission denied
>
> Here's something interesting: if I unmount the volume I'm able to
> read/write files, and the files have the correct ownership.
>
> There's nothing in the SELinux audit log.
>
> Any help would be greatly appreciated.
>
> Thanks
> Marc
>
>
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


Re: CIFS access from pods

2018-04-10 Thread Yu Wei
Hi,
Have you changed the settings for using hostPath?
Please refer to the following doc:
https://docs.openshift.org/latest/admin_guide/manage_scc.html#use-the-hostpath-volume-plugin

From: users-boun...@lists.openshift.redhat.com on behalf of Marc Boorshtein
Sent: Wednesday, April 11, 2018 11:04 AM
To: users
Subject: CIFS access from pods

OpenShifters,

I'm trying to access CIFS mounts from my OpenShift pods using Origin 3.7 on 
CentOS 7.  Here's my setup:

1.  FreeIPA deployed with domain trust to AD (ENT2K12.DOMAIN.COM)
2.  Node is member of FreeIPA domain
3.  On Node:
  a.  Keytab generated
  b.  CIFS share mounted as AD user using uid from IPA:
      mount -t cifs -o username=mmos...@ent2k12.domain.com,sec=krb5,version=3.0,uid=160811903,gid=0 //adfs.ent2k12.domain.com/mmosley-share /mount/local-storage/cifs/mmosley
  c.  marked /mount/local-storage/cifs/mmosley as owned by 
mmos...@ent2k12.domain.com/root

4.  In OpenShift:
  a.  Enabled hostPath
  b.  Set runAsUser to runAsAny

5.  in my pod added:

securityContext:
  runAsUser: 160811903

And
volumes:
- name: ext
  hostPath:
    path: /mnt/local-storage/cifs/mmosley
    type: Directory

Once my pod is running, I double check the id:

sh-4.2$ id
uid=160811903 gid=0(root) groups=0(root),100011
sh-4.2$

but when I try to access the mount I get permission denied:
drwxrwxrwx.   2 160811903 root   0 Apr 10 13:58 ext

rsh-4.2$ ls /ext/
ls: cannot open directory /ext/: Permission denied

Here's something interesting: if I unmount the volume I'm able to read/write
files, and the files have the correct ownership.

There's nothing in the SELinux audit log.

Any help would be greatly appreciated.

Thanks
Marc

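The setup described in the thread (a cifs share mounted on the node with an explicit uid=, and a pod that runs as that uid over a hostPath volume) can be sanity-checked on the node before anything is debugged from inside the pod. The POSIX shell script below is an added example, not code from the thread or from OpenShift: it reads cifs entries in /proc/mounts format, pulls out the identity-related options (uid, gid, sec, and bare flags such as multiuser) for a given mountpoint, and checks whether the uid the kernel maps the share to is the uid named by the pod's runAsUser. It runs against a constructed sample line that mirrors the mount command in the thread (the username value is a placeholder, since the real one is truncated in the archive); set MOUNTS_SOURCE=/proc/mounts to run it on a real node. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenShift). Inspects cifs mounts in
# /proc/mounts format and compares the uid the share is mapped to with a pod's
# runAsUser. MOUNTS_SOURCE defaults to a constructed sample; on a real node use
# MOUNTS_SOURCE=/proc/mounts.

# Constructed sample in /proc/mounts format; the cifs line mirrors the thread's
# mount command. The username value is a placeholder, not a real principal.
SAMPLE_MOUNTS=$(cat <<'EOF'
/dev/sda1 / xfs rw,relatime 0 0
//adfs.ent2k12.domain.com/mmosley-share /mount/local-storage/cifs/mmosley cifs rw,relatime,vers=3.0,sec=krb5,cache=strict,username=PLACEHOLDER_USER@ent2k12.domain.com,uid=160811903,forceuid,gid=0,forcegid,file_mode=0755,dir_mode=0755 0 0
EOF
)

# Emit the mount table: the file named by MOUNTS_SOURCE if set, else the sample.
mounts_text() {
  if [ -n "${MOUNTS_SOURCE:-}" ]; then
    cat "$MOUNTS_SOURCE"
  else
    printf '%s\n' "$SAMPLE_MOUNTS"
  fi
}

# cifs_mount_opt MOUNTPOINT KEY: print the value of the KEY=VALUE option on the
# cifs mount at MOUNTPOINT (empty output if the mount or the option is absent).
cifs_mount_opt() {
  mounts_text | awk -v mp="$1" -v key="$2" '
    $2 == mp && $3 == "cifs" {
      n = split($4, opts, ",")
      for (i = 1; i <= n; i++) {
        eq = index(opts[i], "=")
        if (eq > 0 && substr(opts[i], 1, eq - 1) == key) {
          print substr(opts[i], eq + 1)
          exit
        }
      }
    }'
}

# cifs_mount_has MOUNTPOINT FLAG: exit 0 if the bare option FLAG (for example
# multiuser or forceuid) is present on the cifs mount at MOUNTPOINT, else 1.
cifs_mount_has() {
  mounts_text | awk -v mp="$1" -v flag="$2" '
    BEGIN { found = 0 }
    $2 == mp && $3 == "cifs" {
      n = split($4, opts, ",")
      for (i = 1; i <= n; i++) if (opts[i] == flag) found = 1
    }
    END { exit (found ? 0 : 1) }'
}

# check_pod_uid MOUNTPOINT RUNASUSER: exit 0 when the share at MOUNTPOINT is
# mapped to the uid the pod runs as, 1 otherwise; explains the result on stdout.
check_pod_uid() {
  mp="$1"; runas="$2"
  uid=$(cifs_mount_opt "$mp" uid)
  sec=$(cifs_mount_opt "$mp" sec)
  if [ -z "$uid" ]; then
    echo "no cifs mount at $mp with a uid= option: nothing for the pod to match"
    return 1
  fi
  if [ "$uid" != "$runas" ]; then
    echo "mount uid=$uid does not match runAsUser=$runas"
    return 1
  fi
  if cifs_mount_has "$mp" multiuser; then
    echo "uid matches; sec=${sec:-default} with multiuser: each uid needs its own credentials"
  else
    echo "uid matches; sec=${sec:-default} single session: all access uses the mounting principal"
  fi
  return 0
}

# Example runs against the constructed sample.
check_pod_uid /mount/local-storage/cifs/mmosley 160811903
check_pod_uid /mnt/local-storage/cifs/mmosley 160811903 || true
```

Two things the check makes explicit. First, uid= on a sec=krb5 cifs mount only decides which uid the files are reported as owned by; the SMB session is authenticated once, with the Kerberos ticket in force when mount ran, and every process on the node goes through that session unless the share is mounted with the multiuser option, so a matching uid does not by itself prove the pod can reach the share. Second, the mount is looked up by the exact path, so a hostPath that points at a directory other than the one the share is mounted on reports as "no cifs mount" rather than as a permission problem. If SELinux is still suspected despite an empty audit log, denials covered by dontaudit rules only become visible after `semodule -DB`.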