Details
- Bug
- Resolution: Done
- Major
- OSSM 2.1.0
Description
The following error appears in the Kiali log:
2021-05-17T17:16:11Z ERR File I/O error [open /opt/kiali/console/env.js: permission denied]
Full log:
2021-05-17T17:16:11Z INF Kiali: Version: v1.35.0-SNAPSHOT, Commit: a422a03bc2ce5390eb35fe8817eef770120e0552
2021-05-17T17:16:11Z INF Using authentication strategy [openshift]
2021-05-17T17:16:11Z INF Kiali: Console version: 1.35.0-local-3378d4c215248219fa0a66fe2a09b3efa6c30c0c
2021-05-17T17:16:11Z INF Generating env.js from config
2021-05-17T17:16:11Z ERR File I/O error [open /opt/kiali/console/env.js: permission denied]
2021-05-17T17:16:11Z INF Server endpoint will start at [:20001/]
2021-05-17T17:16:11Z INF Server endpoint will serve static content from [/opt/kiali/console]
2021-05-17T17:16:11Z INF Starting Metrics Server on [:9090]
2021-05-17T17:16:11Z INF Server endpoint will require https
Repro steps:
- install the latest maistra 2.1 operator from quay.io/maistra/servicemesh-olm-iib:2.1.0-qe
- install the latest master version of kiali operator (until we have v1.35 branch) e.g. like this:
  helm install \
    --namespace istio-system \
    --set cr.create=false \
    --set image.pullPolicy=Always \
    --set image.repo=quay.io/kiali-qe/kiali-operator \
    --set image.tag=latest \
    --set allowAdHocKialiNamespace=true \
    --set allowAdHocKialiImage=true \
    --debug \
    kiali-operator \
    kiali-op-charts.tgz
- create the following smcp CR:
  apiVersion: maistra.io/v2
  kind: ServiceMeshControlPlane
  metadata:
    name: install-istio-system
  spec:
    version: v2.1
    security:
      dataPlane:
        mtls: true
        automtls: true
      controlPlane:
        mtls: true
    runtime:
      components:
        kiali: # kiali_sed_mark
          container:
            imageName: kiali
            imageRegistry: quay.io/kiali-qe
            imageTag: latest
    tracing:
      type: Jaeger
    addons:
      3scale:
        enabled: false
      jaeger:
        name: jaeger
        install:
          storage:
            type: Memory
      grafana:
        enabled: true
      kiali:
        name: kiali
        enabled: true
- set spec.version: default in the kiali CR to work around https://issues.redhat.com/browse/OSSM-470
- check kiali pod log
It's not possible to open the /opt/kiali/console/env.js file for the following reasons:
The Kiali pod is using 'openshift.io/scc: restricted', so the pod is started with the following random user:
sh-4.4$ id
uid=1000840000(1000840000) gid=0(root) groups=0(root),1000840000
and this user does not have perms to write to /opt/kiali/console/env.js:
sh-4.4$ ls -al /opt/kiali/console/
total 48
drwxrwxr-x. 1 kiali kiali 241 May 17 00:51 .
drwxr-xr-x. 1 root root 21 May 17 00:51 ..
-rw-rw-r--. 1 kiali kiali 3943 May 17 00:51 asset-manifest.json
-rw-rw-r--. 1 kiali kiali 113 May 17 00:51 env.js
-rw-rw-r--. 1 kiali kiali 2316 May 17 00:51 index.html
-rw-rw-r--. 1 kiali kiali 1150 May 17 00:51 kiali_icon_lightbkg_16px.png
-rw-rw-r--. 1 kiali kiali 301 May 17 00:51 manifest.json
-rw-rw-r--. 1 kiali kiali 17703 May 17 00:51 precache-manifest.d6668f9ed8c99f672e9c3fa369e45996.js
-rw-rw-r--. 1 kiali kiali 1183 May 17 00:51 service-worker.js
drwxrwxr-x. 1 kiali kiali 40 May 17 00:51 static
-rw-rw-r--. 1 kiali kiali 54 May 17 00:51 version.txt
sh-4.4$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
kiali:x:1000:1000::/home/kiali:/bin/bash
1000840000:x:1000840000:0:1000840000 user:/:/sbin/nologin
This issue is not visible in upstream kiali + istio, as the kiali pod is using 'openshift.io/scc: anyuid', so it's started with the following user id:
sh-4.4$ id
uid=1000(kiali) gid=1000(kiali) groups=1000(kiali)
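The permission check behind the two `id` outputs above, as an added example that is not part of the original report: it selects the owner/group/other class the way POSIX does and reads the write bit from the `ls -l` mode string. The function names are hypothetical, the last case (a file group-owned by GID 0) is constructed, and root/capability overrides, ACLs and SELinux are ignored.

```shell
#!/bin/sh
# Added example: POSIX permission-class selection for the values in the report.
# Simplification: no root/CAP_DAC_OVERRIDE, ACL or SELinux handling.

# access_class UID "GID LIST" FILE_UID FILE_GID
# Prints the single class whose bits apply: owner, group or other.
# The classes are exclusive: an owner never falls through to the group bits.
access_class() {
    uid=$1; gids=$2; f_uid=$3; f_gid=$4
    if [ "$uid" -eq "$f_uid" ]; then
        echo owner; return
    fi
    for g in $gids; do
        if [ "$g" -eq "$f_gid" ]; then
            echo group; return
        fi
    done
    echo other
}

# can_write UID "GID LIST" FILE_UID FILE_GID MODE_STRING
# MODE_STRING is the first column of `ls -l`, e.g. "-rw-rw-r--.".
# Prints "yes" or "no".
can_write() {
    class=$(access_class "$1" "$2" "$3" "$4")
    case $class in
        owner) bit=$(printf '%s' "$5" | cut -c3) ;;
        group) bit=$(printf '%s' "$5" | cut -c6) ;;
        other) bit=$(printf '%s' "$5" | cut -c9) ;;
    esac
    if [ "$bit" = "w" ]; then echo yes; else echo no; fi
}

# Values from the report: kiali is 1000:1000 in /etc/passwd, env.js is -rw-rw-r--.
echo "restricted SCC, env.js:     $(can_write 1000840000 '0 1000840000' 1000 1000 '-rw-rw-r--.')"
echo "restricted SCC, console/:   $(can_write 1000840000 '0 1000840000' 1000 1000 'drwxrwxr-x.')"
echo "anyuid SCC, env.js:         $(can_write 1000 '1000' 1000 1000 '-rw-rw-r--.')"
# Constructed case, not from the report: same mode, file group-owned by GID 0.
echo "restricted SCC, GID-0 file: $(can_write 1000840000 '0 1000840000' 1000 0 '-rw-rw-r--.')"
```

Under the restricted SCC the random UID matches neither owner 1000 nor group 1000, so only the `r--` bits for "other" apply to env.js and to its directory.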
The issue is also not visible in SM 2.0.z, which uses kiali from the v1.24 branch, although the perms are the same and it also uses 'openshift.io/scc: restricted', so it should not be able to write to the /opt/kiali/console/env.js file.
According to the kiali log, it looks like it's not even trying to write to that file (just guessing, must be confirmed):
I0517 16:47:05.003877 1 kiali.go:64] Kiali: Version: v1.24.5.redhat1, Commit: unknown
I0517 16:47:05.004016 1 kiali.go:65] DEBUG: Kiali: Command line: [/opt/kiali/kiali -config /kiali-configuration/config.yaml -v 4]
I0517 16:47:05.004028 1 config.go:643] DEBUG: Reading YAML config from [/kiali-configuration/config.yaml]
I0517 16:47:05.006311 1 kiali.go:155] Using authentication strategy [openshift]
I0517 16:47:05.006378 1 kiali.go:85] Kiali: Console version: v1.24.5.redhat1
I0517 16:47:05.011613 1 server.go:67] Server endpoint will start at [:20001/]
I0517 16:47:05.011631 1 server.go:68] Server endpoint will serve static content from [/opt/kiali/console]
I0517 16:47:05.011647 1 metrics_server.go:18] Starting Metrics Server on [:9090]
I0517 16:47:05.011830 1 server.go:73] Server endpoint will require https
Notice that there is no "Generating env.js from config" msg.
Related issues upstream: