Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-41243

No id found in /etc/groups inside container [openshift-4.16.z]

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Normal Normal
    • 4.16.z
    • 4.16.z
    • Node / CRI-O
    • Important
    • No
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • Hide
      Previously, a group ID was not added to the `/etc/group` within the container when the `spec.securityContext.runAsGroup` attribute was set in the Pod resource. With this release, this issue is fixed. (OCPBUGS-41243)
      Show
      Previously, a group ID was not added to the `/etc/group` within the container when the `spec.securityContext.runAsGroup` attribute was set in the Pod resource. With this release, this issue is fixed. ( OCPBUGS-41243 )
    • Bug Fix
    • Done
    • Hide
      2024-09-18: Release Note Text - see above - agreed on Slack with Krysztof Wilczyński. Same text used in OCPBUGS-41245 (4.15.z), OCPBUGS-41246 (4.14.z), OCPBUGS-41247 (4.13.z), and OCPBUGS-41248 (4.12.z).
      2024-09-16: Contacted assignee Krzysztof Wilczyński regarding the fix. Public Holiday in Japan. (Krzysztof: I responded on Slack)
      2024-09-13: Contacted reporter Ankit Makajan. Bug in verified state / errata is still there / release for the bug is still not done yet which means the bug fix is still not merged and released to OCP .
      Show
      2024-09-18: Release Note Text - see above - agreed on Slack with Krysztof Wilczyński. Same text used in OCPBUGS-41245 (4.15.z), OCPBUGS-41246 (4.14.z), OCPBUGS-41247 (4.13.z), and OCPBUGS-41248 (4.12.z). 2024-09-16: Contacted assignee Krzysztof Wilczyński regarding the fix. Public Holiday in Japan. (Krzysztof: I responded on Slack) 2024-09-13: Contacted reporter Ankit Makajan. Bug in verified state / errata is still there / release for the bug is still not done yet which means the bug fix is still not merged and released to OCP .

      Description of problem:

       when set  runAsUser/runAsGroup /fsGroup=9999 at securityContext, it takes effect. while two unexpected observation: 
      1. why no group id found at '/etc/groups' ?
         bash-5.2$ cat /etc/group | grep 9999
         bash-5.2$
      
      2. why it's different output from below command ?
      bash-5.2$ id
      uid=9999(9999) gid=9999 groups=9999
      bash-5.2$ id 9999
      uid=9999(9999) gid=0(root) groups=0(root)

      Version-Release number of selected component (if applicable):

          

      How reproducible:

          

      Steps to Reproduce:

        set runAsGroup explicitly and check if group id exists in /etc/group inside container. 
      
      
      Create POD with below securitycontext
      securityContext:
      runAsUser: 64892
      runAsGroup: 6263
      fsGroup: 123Inside container no group id is created at /etc/group
      bash-5.2$ id
      uid=64892(64892) gid=6263 groups=6263,123
      bash-5.2$ id 64892
      uid=64892(64892) gid=0(root) groups=0(root)
      bash-5.2$ cat /etc/passwd | grep 64892
      64892:x:64892:0:64892 user:/:/sbin/nologin
      bash-5.2$ cat /etc/group | grep 6263
      bash-5.2$    

      Actual results:

       if group id is appointed by runAsGroup, this group id should exist at /etc/group inside container.
      

      Expected results:

          

      Additional info:

          

              rh-ee-kwilczyn Krzysztof Wilczyński
              rhn-support-ankimaha Ankit Mahajan
              David Darrah David Darrah (Inactive)
              Padraig OGrady Padraig OGrady
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: