Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-41247

No id found in /etc/groups inside container [openshift-4.13.z]

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Normal Normal
    • 4.13.z
    • 4.13.z
    • Node / CRI-O
    • Important
    • No
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • Hide
      * Previously, a group ID was not added to the `/etc/group` within the container when the `spec.securityContext.runAsGroup` attribute was set in the Pod resource. With this release, this issue is fixed. (link:https://issues.redhat.com/browse/OCPBUGS-41247[*OCPBUGS-41247*])
      Show
      * Previously, a group ID was not added to the `/etc/group` within the container when the `spec.securityContext.runAsGroup` attribute was set in the Pod resource. With this release, this issue is fixed. (link: https://issues.redhat.com/browse/OCPBUGS-41247 [* OCPBUGS-41247 *])
    • Bug Fix
    • Done
    • Hide
      2024-09-18: Release Note Text - see above - agreed on Slack with Krysztof Wilczyński. Same text used in OCPBUGS-41243 (4.16.z), OCPBUGS-41245 (4.15.z), OCPBUGS-41246 (4.14.z), and OCPBUGS-41248 (4.12.z).
      Show
      2024-09-18: Release Note Text - see above - agreed on Slack with Krysztof Wilczyński. Same text used in OCPBUGS-41243 (4.16.z), OCPBUGS-41245 (4.15.z), OCPBUGS-41246 (4.14.z), and OCPBUGS-41248 (4.12.z).

      Description of problem:

       when set  runAsUser/runAsGroup /fsGroup=9999 at securityContext, it takes effect. while two unexpected observation: 
      1. why no group id found at '/etc/groups' ?
         bash-5.2$ cat /etc/group | grep 9999
         bash-5.2$
      
      2. why it's different output from below command ?
      bash-5.2$ id
      uid=9999(9999) gid=9999 groups=9999
      bash-5.2$ id 9999
      uid=9999(9999) gid=0(root) groups=0(root)

      Version-Release number of selected component (if applicable):

          

      How reproducible:

          

      Steps to Reproduce:

        set runAsGroup explicitly and check if group id exists in /etc/group inside container. 
      
      
      Create POD with below securitycontext
      securityContext:
      runAsUser: 64892
      runAsGroup: 6263
      fsGroup: 123Inside container no group id is created at /etc/group
      bash-5.2$ id
      uid=64892(64892) gid=6263 groups=6263,123
      bash-5.2$ id 64892
      uid=64892(64892) gid=0(root) groups=0(root)
      bash-5.2$ cat /etc/passwd | grep 64892
      64892:x:64892:0:64892 user:/:/sbin/nologin
      bash-5.2$ cat /etc/group | grep 6263
      bash-5.2$    

      Actual results:

       if group id is appointed by runAsGroup, this group id should exist at /etc/group inside container.
      

      Expected results:

          

      Additional info:

          

              rh-ee-kwilczyn Krzysztof Wilczyński
              rhn-support-ankimaha Ankit Mahajan
              David Darrah David Darrah (Inactive)
              Padraig OGrady Padraig OGrady
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: