OCPBUGS-41245

No id found in /etc/groups inside container [openshift-4.15.z]


    • Type: Bug
    • Resolution: Done-Errata
    • Priority: Normal
    • 4.15.z
    • 4.15.z
    • Node / CRI-O
    • Important
    • No
    • Rejected
    • False
    • Previously, a group ID was not added to the `/etc/group` within the container when the `spec.securityContext.runAsGroup` attribute was set in the `Pod` resource. With this release, this issue is fixed. (link:https://issues.redhat.com/browse/OCPBUGS-41245[*OCPBUGS-41245*])
    • Bug Fix
    • Done
    • 2024-09-18: Release Note Text - see above - agreed on Slack with Krzysztof Wilczyński. Same text used in OCPBUGS-41243 (4.16.z), OCPBUGS-41246 (4.14.z), OCPBUGS-41247 (4.13.z), and OCPBUGS-41248 (4.12.z).

      Description of problem:

      When runAsUser/runAsGroup/fsGroup=9999 is set in securityContext, it takes effect, but with two unexpected observations:
      1. Why is no group ID found in '/etc/group'?
         bash-5.2$ cat /etc/group | grep 9999
         bash-5.2$

      2. Why is the output of the two commands below different?
         bash-5.2$ id
         uid=9999(9999) gid=9999 groups=9999
         bash-5.2$ id 9999
         uid=9999(9999) gid=0(root) groups=0(root)

      Version-Release number of selected component (if applicable):

      How reproducible:

      Steps to Reproduce:

      Set runAsGroup explicitly and check whether the group ID exists in /etc/group inside the container.

      Create a pod with the securityContext below:
      securityContext:
        runAsUser: 64892
        runAsGroup: 6263
        fsGroup: 123

      Inside the container, no group ID is created in /etc/group:
      bash-5.2$ id
      uid=64892(64892) gid=6263 groups=6263,123
      bash-5.2$ id 64892
      uid=64892(64892) gid=0(root) groups=0(root)
      bash-5.2$ cat /etc/passwd | grep 64892
      64892:x:64892:0:64892 user:/:/sbin/nologin
      bash-5.2$ cat /etc/group | grep 6263
      bash-5.2$

      Actual results:

      If the group ID is assigned by runAsGroup, this group ID should exist in /etc/group inside the container.


      Expected results:

      Additional info:

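      The check below is an added example, not part of the bug report or of CRI-O: it parses /etc/passwd and /etc/group and compares them with the credentials a process actually runs with, which exposes both observations above (a gid with no group entry, and a passwd primary gid that differs from the running gid, which is why `id` and `id <uid>` disagree). The sample file contents are constructed to mirror the report; `check_running_process` is a hypothetical helper for running it inside a pod.

```python
"""Check that a container's runtime credentials are reflected in /etc/passwd and /etc/group."""
import os

def parse_passwd(text):
    """Map uid -> (name, primary_gid) from /etc/passwd content."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[2].isdigit():
            users[int(fields[2])] = (fields[0], int(fields[3]))
    return users

def parse_group(text):
    """Map gid -> group name from /etc/group content."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            groups[int(fields[2])] = fields[0]
    return groups

def check_credentials(uid, gid, supplementary, passwd_text, group_text):
    """Return findings; an empty list means the files agree with the
    credentials the process actually runs with."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    findings = []
    if uid not in users:
        findings.append(f"uid {uid} has no /etc/passwd entry")
    elif users[uid][1] != gid:
        # Why `id <uid>` (a passwd lookup) and plain `id` (kernel creds) disagree.
        findings.append(f"/etc/passwd lists primary gid {users[uid][1]} for uid {uid}, "
                        f"but the process runs with gid {gid}")
    for g in [gid] + [s for s in supplementary if s != gid]:
        if g not in groups:
            findings.append(f"gid {g} has no /etc/group entry")
    return findings

def check_running_process(passwd_path="/etc/passwd", group_path="/etc/group"):
    """Hypothetical helper: run the check against the current process, e.g. inside the pod."""
    with open(passwd_path) as p, open(group_path) as g:
        return check_credentials(os.getuid(), os.getgid(), os.getgroups(), p.read(), g.read())

# Constructed sample mirroring the report: uid 64892 has primary gid 0 in passwd; 6263 and 123 lack group entries.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\n64892:x:64892:0:64892 user:/:/sbin/nologin\n"
SAMPLE_GROUP = "root:x:0:\n"

if __name__ == "__main__":
    for finding in check_credentials(64892, 6263, [6263, 123], SAMPLE_PASSWD, SAMPLE_GROUP):
        print(finding)
```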

            Krzysztof Wilczyński
            Ankit Mahajan
            David Darrah
            Padraig OGrady