Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-41243

No id found in /etc/groups inside container [openshift-4.16.z]

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Normal Normal
    • 4.16.z
    • 4.16.z
    • Node / CRI-O
    • Important
    • No
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • Hide
      Previously, a group ID was not added to the /etc/group within the container when the spec.securityContext.runAsGroup attribute was set in the Pod resource. With this release, this issue is fixed. (OCPBUGS-41243)
      Show
      Previously, a group ID was not added to the /etc/group within the container when the spec.securityContext.runAsGroup attribute was set in the Pod resource. With this release, this issue is fixed. ( OCPBUGS-41243 )
    • Bug Fix
    • In Progress
    • Hide
      2024-09-18: Release Note Text - see above - agreed on Slack with Krysztof Wilczyński. Same text used in OCPBUGS-41245 (4.15.z), OCPBUGS-41246 (4.14.z), OCPBUGS-41247 (4.13.z), and OCPBUGS-41248 (4.12.z).
      2024-09-16: Contacted assignee Krzysztof Wilczyński regarding the fix. Public Holiday in Japan. (Krzysztof: I responded on Slack)
      2024-09-13: Contacted reporter Ankit Makajan. Bug in verified state / errata is still there / release for the bug is still not done yet which means the bug fix is still not merged and released to OCP .
      Show
      2024-09-18: Release Note Text - see above - agreed on Slack with Krysztof Wilczyński. Same text used in OCPBUGS-41245 (4.15.z), OCPBUGS-41246 (4.14.z), OCPBUGS-41247 (4.13.z), and OCPBUGS-41248 (4.12.z). 2024-09-16: Contacted assignee Krzysztof Wilczyński regarding the fix. Public Holiday in Japan. (Krzysztof: I responded on Slack) 2024-09-13: Contacted reporter Ankit Makajan. Bug in verified state / errata is still there / release for the bug is still not done yet which means the bug fix is still not merged and released to OCP .

      Description of problem:

       when set  runAsUser/runAsGroup /fsGroup=9999 at securityContext, it takes effect. while two unexpected observation: 
      1. why no group id found at '/etc/groups' ?
   bash-5.2$ cat /etc/group | grep 9999
   bash-5.2$

2. why it's different output from below command ?
bash-5.2$ id
uid=9999(9999) gid=9999 groups=9999
bash-5.2$ id 9999
uid=9999(9999) gid=0(root) groups=0(root)

      Version-Release number of selected component (if applicable):

      How reproducible:

      Steps to Reproduce:

        set runAsGroup explicitly and check if group id exists in /etc/group inside container. 


Create POD with below securitycontext
securityContext:
runAsUser: 64892
runAsGroup: 6263
fsGroup: 123Inside container no group id is created at /etc/group
bash-5.2$ id
uid=64892(64892) gid=6263 groups=6263,123
bash-5.2$ id 64892
uid=64892(64892) gid=0(root) groups=0(root)
bash-5.2$ cat /etc/passwd | grep 64892
64892:x:64892:0:64892 user:/:/sbin/nologin
bash-5.2$ cat /etc/group | grep 6263
bash-5.2$    

      Actual results:

       if group id is appointed by runAsGroup, this group id should exist at /etc/group inside container.

      Expected results:

      Additional info:

            rh-ee-kwilczyn Krzysztof Wilczyński
            rhn-support-ankimaha Ankit Mahajan
            David Darrah David Darrah
            Padraig OGrady Padraig OGrady
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: