  1. OpenShift Service Mesh
  2. OSSM-472

File I/O error [open /opt/kiali/console/env.js: permission denied]

Details

    • Bug
    • Resolution: Done
    • Major
    • OSSM 2.1.0
    • Kiali

    Description

      There is the following error in the kiali log:

      2021-05-17T17:16:11Z ERR File I/O error [open /opt/kiali/console/env.js: permission denied]

      Full log:

      2021-05-17T17:16:11Z INF Kiali: Version: v1.35.0-SNAPSHOT, Commit: a422a03bc2ce5390eb35fe8817eef770120e0552
      
      2021-05-17T17:16:11Z INF Using authentication strategy [openshift]
      2021-05-17T17:16:11Z INF Kiali: Console version: 1.35.0-local-3378d4c215248219fa0a66fe2a09b3efa6c30c0c
      2021-05-17T17:16:11Z INF Generating env.js from config
      2021-05-17T17:16:11Z ERR File I/O error [open /opt/kiali/console/env.js: permission denied]
      2021-05-17T17:16:11Z INF Server endpoint will start at [:20001/]
      2021-05-17T17:16:11Z INF Server endpoint will serve static content from [/opt/kiali/console]
      2021-05-17T17:16:11Z INF Starting Metrics Server on [:9090]
      2021-05-17T17:16:11Z INF Server endpoint will require https
      

       

      Repro steps:

      1. install the latest maistra 2.1 operator from quay.io/maistra/servicemesh-olm-iib:2.1.0-qe
      2. install the latest master version of kiali operator (until we have v1.35 branch) e.g. like this:
        helm install \
         --namespace istio-system \
         --set cr.create=false \
         --set image.pullPolicy=Always \
         --set image.repo=quay.io/kiali-qe/kiali-operator \
         --set image.tag=latest \
         --set allowAdHocKialiNamespace=true \
         --set allowAdHocKialiImage=true \
         --debug \
         kiali-operator \
         kiali-op-charts.tgz
        
      3. create the following smcp CR:
        apiVersion: maistra.io/v2
        kind: ServiceMeshControlPlane
        metadata:
          name: install-istio-system
        spec:
          version: v2.1
          security:
            dataPlane:
              mtls: true
              automtls: true
            controlPlane:
              mtls: true
          runtime:
            components:
              kiali: # kiali_sed_mark
                container:
                  imageName: kiali
                  imageRegistry: quay.io/kiali-qe
                  imageTag: latest
          tracing:
            type: Jaeger
          addons:
            3scale:
              enabled: false
            jaeger:
              name: jaeger
              install:
                storage:
                  type: Memory
            grafana:
              enabled: true
            kiali:
              name: kiali
              enabled: true
        
      4. set
        spec.version: default

        in the kiali CR to work around https://issues.redhat.com/browse/OSSM-470

      5. check kiali pod log

       

      It's not possible to open the /opt/kiali/console/env.js file for the following reasons:

      The Kiali pod is using 'openshift.io/scc: restricted', so the pod is started with the following random user:

      sh-4.4$ id
      uid=1000840000(1000840000) gid=0(root) groups=0(root),1000840000
      

      and this user does not have perms to write to /opt/kiali/console/env.js:

      sh-4.4$ ls -al /opt/kiali/console/
      total 48
      drwxrwxr-x. 1 kiali kiali   241 May 17 00:51 .
      drwxr-xr-x. 1 root  root     21 May 17 00:51 ..
      -rw-rw-r--. 1 kiali kiali  3943 May 17 00:51 asset-manifest.json
      -rw-rw-r--. 1 kiali kiali   113 May 17 00:51 env.js
      -rw-rw-r--. 1 kiali kiali  2316 May 17 00:51 index.html
      -rw-rw-r--. 1 kiali kiali  1150 May 17 00:51 kiali_icon_lightbkg_16px.png
      -rw-rw-r--. 1 kiali kiali   301 May 17 00:51 manifest.json
      -rw-rw-r--. 1 kiali kiali 17703 May 17 00:51 precache-manifest.d6668f9ed8c99f672e9c3fa369e45996.js
      -rw-rw-r--. 1 kiali kiali  1183 May 17 00:51 service-worker.js
      drwxrwxr-x. 1 kiali kiali    40 May 17 00:51 static
      -rw-rw-r--. 1 kiali kiali    54 May 17 00:51 version.txt
      
      sh-4.4$ cat /etc/passwd
      root:x:0:0:root:/root:/bin/bash
      bin:x:1:1:bin:/bin:/sbin/nologin
      daemon:x:2:2:daemon:/sbin:/sbin/nologin
      adm:x:3:4:adm:/var/adm:/sbin/nologin
      lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
      sync:x:5:0:sync:/sbin:/bin/sync
      shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
      halt:x:7:0:halt:/sbin:/sbin/halt
      mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
      operator:x:11:0:operator:/root:/sbin/nologin
      games:x:12:100:games:/usr/games:/sbin/nologin
      ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
      nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
      kiali:x:1000:1000::/home/kiali:/bin/bash
      1000840000:x:1000840000:0:1000840000 user:/:/sbin/nologin
      

      This issue is not visible in the upstream kiali + istio, as the kiali pod is using 'openshift.io/scc: anyuid', so it's started with the following user id:

      sh-4.4$ id
      uid=1000(kiali) gid=1000(kiali) groups=1000(kiali)
      

      The issue is also not visible for SM 2.0.z, which is using kiali from the v1.24 branch.
      Although the perms are the same and it's also using 'openshift.io/scc: restricted' so it should not be able to write to the /opt/kiali/console/env.js file.
      According to the kiali log it looks like it's not even trying to write to that file (just guessing, must be confirmed):

      I0517 16:47:05.003877       1 kiali.go:64] Kiali: Version: v1.24.5.redhat1, Commit: unknown
      I0517 16:47:05.004016       1 kiali.go:65] DEBUG: Kiali: Command line: [/opt/kiali/kiali -config /kiali-configuration/config.yaml -v 4]
      I0517 16:47:05.004028       1 config.go:643] DEBUG: Reading YAML config from [/kiali-configuration/config.yaml]
      I0517 16:47:05.006311       1 kiali.go:155] Using authentication strategy [openshift]
      I0517 16:47:05.006378       1 kiali.go:85] Kiali: Console version: v1.24.5.redhat1
      I0517 16:47:05.011613       1 server.go:67] Server endpoint will start at [:20001/]
      I0517 16:47:05.011631       1 server.go:68] Server endpoint will serve static content from [/opt/kiali/console]
      I0517 16:47:05.011647       1 metrics_server.go:18] Starting Metrics Server on [:9090]
      I0517 16:47:05.011830       1 server.go:73] Server endpoint will require https
      

      Notice that there is no "Generating env.js from config" msg.

      Related issues upstream:

       

          People

            fbrychta@redhat.com Filip Brychta
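
The permission check described in the report, as an added example that is not part of the original issue or of Kiali's code: it applies the POSIX owner/group/other class selection to two lines of the `ls -al` listing, for the two identities printed by `id`. `GROUP0_LISTING` is a constructed variant (files group-owned by gid 0 with group write, the usual OpenShift image convention for arbitrary UIDs); the issue does not state that this is how it was resolved, and all function names are hypothetical.

```python
# Name-to-id mappings taken from the `id` and /etc/passwd output in the report.
IDS = {"root": 0, "kiali": 1000}

# Two lines copied from the `ls -al /opt/kiali/console/` listing in the report.
IMAGE_LISTING = """\
drwxrwxr-x. 1 kiali kiali   241 May 17 00:51 .
-rw-rw-r--. 1 kiali kiali   113 May 17 00:51 env.js
"""
# Constructed variant (assumption): same modes, but group-owned by gid 0.
GROUP0_LISTING = IMAGE_LISTING.replace("kiali kiali", "kiali root")

# (uid, supplementary gids) as printed by `id` in the report.
RESTRICTED = (1000840000, {0, 1000840000})   # openshift.io/scc: restricted
ANYUID = (1000, {1000})                      # openshift.io/scc: anyuid


def parse_ls(listing):
    """Return {name: (mode, owner_uid, group_gid)} parsed from `ls -al` lines."""
    entries = {}
    for line in listing.splitlines():
        f = line.split(None, 8)
        entries[f[8]] = (f[0].rstrip(".+"), IDS[f[2]], IDS[f[3]])
    return entries


def can_write(entry, uid, gids):
    """POSIX DAC for a non-root process: only the first matching class applies."""
    mode, owner_uid, group_gid = entry
    if uid == owner_uid:
        return mode[2] == "w"   # owner class
    if group_gid in gids:
        return mode[5] == "w"   # group class
    return mode[8] == "w"       # other class


def can_regenerate_env_js(listing, identity):
    """True if the identity can rewrite env.js in place (file write bit)."""
    return can_write(parse_ls(listing)["env.js"], *identity)


if __name__ == "__main__":
    for label, listing in (("image as shipped", IMAGE_LISTING),
                           ("group 0 variant", GROUP0_LISTING)):
        for name, ident in (("restricted", RESTRICTED), ("anyuid", ANYUID)):
            print(f"{label:17} {name:10} write env.js:",
                  can_regenerate_env_js(listing, ident))
```

Under the restricted SCC the random UID is neither the owner nor a member of group `kiali`, so only the "other" bits (`r--`) apply even though the process runs with gid 0.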