hpe-storage / python-hpedockerplugin

HPE Native Docker Plugin
Apache License 2.0

POD mount with filepersona enabled PVC's fail with chcon error #640

Closed wdurairaj closed 5 years ago

wdurairaj commented 5 years ago

Looking at the dory logs, chcon is failing with an error and the bind mount is failing with rc=1 (exit code).

--
Debug: 2019/06/03 15:12:16 flexvol.go:509: doMount: bind mounted dockerPath=/opt/hpe/data/hpedocker-dm-uuid-mpath-360002ac0000000000001c7e40001db31 at flexvolPath=/var/lib/origin/openshift.local.volumes/pods/3742a7c2-85e3-11e9-a3b6-f40343a90200/volumes/hpe.com~hpe/sc1-2ddf8eda-85e1-11e9-a3b6-f40343a90200
Debug: 2019/06/03 15:12:16 cmd.go:33: ExecCommandOutput called with selinuxenabled[]
Debug: 2019/06/03 15:12:16 cmd.go:49: out :
Debug: 2019/06/03 15:12:16 selinux.go:32: selinuxenabled returned 0 and err=<nil>
Debug: 2019/06/03 15:12:16 selinux.go:43: Chcon about to change context of /opt/hpe/data/hpedocker-dm-uuid-mpath-360002ac0000000000001c7e40001db31 to svirt_sandbox_file_t
Debug: 2019/06/03 15:12:16 cmd.go:33: ExecCommandOutput called with chcon[-t svirt_sandbox_file_t /opt/hpe/data/hpedocker-dm-uuid-mpath-360002ac0000000000001c7e40001db31]
Debug: 2019/06/03 15:12:16 cmd.go:49: out :
Info : 2019/06/03 15:12:16 dory.go:100: [107298] reply  : mount [/var/lib/origin/openshift.local.volumes/pods/3742a7c2-85e3-11e9-a3b6-f40343a90200/volumes/hpe.com~hpe/sc1-2ddf8eda-85e1-11e9-a3b6-f40343a90200 {"kubernetes.io/fsType":"","kubernetes.io/pod.name":"pod1","kubernetes.io/pod.namespace":"default","kubernetes.io/pod.uid":"3742a7c2-85e3-11e9-a3b6-f40343a90200","kubernetes.io/pvOrVolumeName":"sc1-2ddf8eda-85e1-11e9-a3b6-f40343a90200","kubernetes.io/readwrite":"rw","kubernetes.io/serviceAccount.name":"default","name":"sc1-2ddf8eda-85e1-11e9-a3b6-f40343a90200","size":"16"}]: {"status":"Success"}

--
Debug: 2019/06/03 16:06:48 flexvol.go:509: doMount: bind mounted dockerPath=/opt/hpe/data/hpedocker-bbb2ba9d-85eb-11e9-b4ea-f40343a90200 at flexvolPath=/var/lib/origin/openshift.local.volumes/pods/bbb2ba9d-85eb-11e9-b4ea-f40343a90200/volumes/hpe.com~hpe/sc-personafile-3f5e1c79-85eb-11e9-b4ea-f40343a90200
Debug: 2019/06/03 16:06:48 cmd.go:33: ExecCommandOutput called with selinuxenabled[]
Debug: 2019/06/03 16:06:48 cmd.go:49: out :
Debug: 2019/06/03 16:06:48 selinux.go:32: selinuxenabled returned 0 and err=<nil>
Debug: 2019/06/03 16:06:48 selinux.go:43: Chcon about to change context of /opt/hpe/data/hpedocker-bbb2ba9d-85eb-11e9-b4ea-f40343a90200 to svirt_sandbox_file_t
Debug: 2019/06/03 16:06:48 cmd.go:33: ExecCommandOutput called with chcon[-t svirt_sandbox_file_t /opt/hpe/data/hpedocker-bbb2ba9d-85eb-11e9-b4ea-f40343a90200]
Debug: 2019/06/03 16:06:48 cmd.go:49: out :chcon: failed to change context of ‘/opt/hpe/data/hpedocker-bbb2ba9d-85eb-11e9-b4ea-f40343a90200’ to ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported
Debug: 2019/06/03 16:06:48 cmd.go:49: out :
Info : 2019/06/03 16:06:48 dory.go:100: [13807] reply  : mount [/var/lib/origin/openshift.local.volumes/pods/bbb2ba9d-85eb-11e9-b4ea-f40343a90200/volumes/hpe.com~hpe/sc-personafile-3f5e1c79-85eb-11e9-b4ea-f40343a90200 {"filePersona":"","fpg":"DockerFpg_0","kubernetes.io/fsType":"","kubernetes.io/pod.name":"pod-filepersona","kubernetes.io/pod.namespace":"default","kubernetes.io/pod.uid":"bbb2ba9d-85eb-11e9-b4ea-f40343a90200","kubernetes.io/pvOrVolumeName":"sc-personafile-3f5e1c79-85eb-11e9-b4ea-f40343a90200","kubernetes.io/readwrite":"rw","kubernetes.io/serviceAccount.name":"default","name":"sc-personafile-3f5e1c79-85eb-11e9-b4ea-f40343a90200"}]: {"status":"Failure","message":"rc=1"}
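An added example (written for this thread, not code from the dory/plugin code base) of how a flexvolume driver could decide up front whether chcon can work on a volume, instead of learning it from the exit code as in the log above: it reads a mount table in /proc/mounts format, finds the filesystem that holds the volume path, and only runs chcon on local filesystems that store SELinux labels in xattrs; for NFS and CIFS, where per-file labels cannot be set and chcon fails with "Operation not supported", it returns a context= mount option that labels the whole mount instead. The mount table, the NFS server name and the filesystem-to-policy tables are constructed for the example; whether the project's eventual fix took this approach is not stated in the thread.

```go
package main

import (
	"bufio"
	"fmt"
	"path/filepath"
	"strings"
)

// Label dory applies with chcon, as seen in the log in this issue.
const sandboxLabel = "system_u:object_r:svirt_sandbox_file_t:s0"

// RelabelPlan is the decision for one volume path: run chcon, mount with
// a context= option, or do neither and report back.
type RelabelPlan struct {
	FSType    string // filesystem type of the mount holding the path ("" if none)
	RunChcon  bool   // per-file labels are supported, chcon -t is expected to work
	MountOpts string // non-empty: mount option to apply instead of chcon
	Reason    string
}

// Local filesystems that keep per-file SELinux labels in security.selinux xattrs
// (example policy table, not from the project).
var xattrLabelFS = map[string]bool{"ext3": true, "ext4": true, "xfs": true, "btrfs": true}

// Network filesystems where chcon fails with "Operation not supported";
// the whole mount carries one label set by the context= mount option.
var contextMountFS = map[string]bool{"nfs": true, "nfs4": true, "cifs": true}

// Sample mount table in /proc/mounts format, constructed for this example.
// The first volume is the block (xfs) volume and the second the File Persona
// (NFS) share from the two mount attempts in the log; the server name is a placeholder.
const sampleMounts = `rootfs / rootfs rw 0 0
/dev/mapper/rhel-root / xfs rw,seclabel,relatime,attr2,inode64 0 0
/dev/mapper/360002ac0000000000001c7e40001db31 /opt/hpe/data/hpedocker-dm-uuid-mpath-360002ac0000000000001c7e40001db31 xfs rw,seclabel,relatime 0 0
nfs-server.placeholder:/DockerFpg_0/share /opt/hpe/data/hpedocker-bbb2ba9d-85eb-11e9-b4ea-f40343a90200 nfs4 rw,relatime,vers=4.1 0 0
`

// fsTypeOf returns the type of the filesystem mounted at or above path, using
// the kernel's rule: the longest mount point prefix wins, and among equal mount
// points the later (top-most) mount wins.
func fsTypeOf(procMounts, path string) (string, bool) {
	path = filepath.Clean(path)
	bestLen, bestType := -1, ""
	sc := bufio.NewScanner(strings.NewReader(procMounts))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 3 {
			continue
		}
		mp := f[1]
		if mp == path || strings.HasPrefix(path, strings.TrimSuffix(mp, "/")+"/") {
			if len(mp) >= bestLen {
				bestLen, bestType = len(mp), f[2]
			}
		}
	}
	return bestType, bestLen >= 0
}

// isNotSupported recognises the chcon failure from the log: ENOTSUP from
// setxattr, which a filesystem without label support returns.
func isNotSupported(chconOutput string) bool {
	return strings.Contains(chconOutput, "Operation not supported")
}

// planRelabel decides how to label volPath before bind-mounting it into a pod.
func planRelabel(procMounts, volPath string) RelabelPlan {
	fs, ok := fsTypeOf(procMounts, volPath)
	switch {
	case !ok:
		return RelabelPlan{Reason: "path is not on any mounted filesystem; refusing to label"}
	case xattrLabelFS[fs]:
		return RelabelPlan{FSType: fs, RunChcon: true, Reason: "local filesystem with xattr labels"}
	case contextMountFS[fs]:
		return RelabelPlan{FSType: fs, MountOpts: `context="` + sandboxLabel + `"`,
			Reason: "network filesystem: chcon returns ENOTSUP, label the whole mount"}
	default:
		return RelabelPlan{FSType: fs, Reason: "unknown filesystem: skip chcon and report"}
	}
}

func main() {
	for _, p := range []string{
		"/opt/hpe/data/hpedocker-dm-uuid-mpath-360002ac0000000000001c7e40001db31",
		"/opt/hpe/data/hpedocker-bbb2ba9d-85eb-11e9-b4ea-f40343a90200",
	} {
		plan := planRelabel(sampleMounts, p)
		fmt.Printf("%s\n  fs=%s chcon=%v mountopts=%q\n  %s\n", p, plan.FSType, plan.RunChcon, plan.MountOpts, plan.Reason)
	}
	fmt.Println("log line flags ENOTSUP:",
		isNotSupported("chcon: failed to change context of '/x' to 'system_u:object_r:svirt_sandbox_file_t:s0': Operation not supported"))
}
```

Run as `go run main.go`; the first path resolves to xfs and gets chcon, the second resolves to nfs4 and gets a context= mount option. A driver using this check would never reach the rc=1 reply in the log for a File Persona share, and the operator would see the reason string instead of a bare exit code.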
wdurairaj commented 5 years ago

Actually, running the pod in privileged mode allows data writes on the exported location.

```yaml
kind: Pod
apiVersion: v1
metadata:
  name: podfiletestw2
spec:
  containers:
  - name: nginx
    securityContext:
      privileged: true
      capabilities:
        add: ["SYS_ADMIN"]
      allowPrivilegeEscalation: true
    image: nginx
    volumeMounts:
    - name: export
      mountPath: /export
  restartPolicy: Always
  volumes:
  - name: export
    persistentVolumeClaim:
      claimName: pvcfile-sandesh4
```
prablr79 commented 5 years ago

@nilangekarss is this real fix going as part of 3.2?

amitk1977 commented 5 years ago

Leena to verify the fix in OpenShift environment

c-raghav commented 5 years ago

Verified with the below YAMLs, able to mount and write data.

```yaml
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: sc-file2
provisioner: hpe.com/hpe
parameters:
  name: TEST_SHARE
  size: "100"
  filePersona: ""
  fpg: rC_r6_FPG
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: pvcfile2-rc
spec:
  accessModes:
---
kind: Pod
apiVersion: v1
metadata:
  name: pod-file2-rc
spec:
  containers:
```

wdurairaj commented 5 years ago

Closing based on Raghavendra's comment.