"Operation not permitted" inside pods #4078

Closed
sebiwi opened this Issue Aug 10, 2015 · 4 comments

sebiwi commented Aug 10, 2015

Hello,

I'm trying to deploy a pod using this manifest: http://www.fpaste.org/253439/14392147/ , which I just translated from api v1beta1 to api v1. (It used to work on v1beta1)

The pod failed, so I saw the logs with `docker logs` and I got the following result:

"chown: changing ownership of '/var/lib/postgresql': Operation not permitted"

I get the same error with every pod I try to deploy. Here's the error of a similar deployment, with a redis container:

"mkdir: cannot create directory '/run/redis': Permission denied"

I already disabled SELinux, and it's still not working. I don't know what to do anymore. I saw a similar issue here, but in that case the user was able to deploy a pod using permissive mode, whereas I am not able to do so.

I'm running a single node installation on a CentOS 7 host, deployed with openshift-ansible.

```
[cloud@master ~]$ oc version
oc v1.0.4-1-g85eea33
kubernetes v1.0.0
```

Any ideas?

Member

smarterclayton commented Aug 10, 2015

By default, images are run as a high, predictable UID. That means that the image doesn't automatically have access to files that it was created as. You can disable this protection per project, or use an image that doesn't require being run as a particular UID. @bparees can you link the other items?

Contributor

bparees commented Aug 10, 2015

@sebiwi please see "support arbitrary user ids" here:
https://docs.openshift.org/latest/creating_images/guidelines.html#openshift-specific-guidelines

specifically:
This means directories that need to be written to by processes in the image should be world-writable.

Other options include:

  • creating an emptydir volume for content you want your process to be able to write to (the volume will be created such that the uid of the container can write to it)

Also you need to make sure your process isn't trying to listen on a privileged port since it's not going to be running as root.
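
An added example, not part of the original thread or the project's code: a preflight check for the three points raised above (directories writable by a non-root UID, or replaced by an emptyDir volume, and no privileged listen ports). The function names, the sample UID and the sample directories are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

PRIVILEGED_PORT_LIMIT = 1024  # binding below this needs root or CAP_NET_BIND_SERVICE


def writable_by(path, uid, gids=()):
    """Mode-bit check: can a non-root uid create files in directory `path`?
    Ignores ACLs and read-only mounts (assumption: plain POSIX permissions)."""
    st = os.stat(path)
    if uid == st.st_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH  # arbitrary uid: only "other" bits apply
    return st.st_mode & need == need


def preflight(write_dirs, listen_ports, uid, gids=()):
    """Return findings; an empty list means nothing blocks running as `uid`."""
    findings = []
    for d in write_dirs:
        if not writable_by(d, uid, gids):
            findings.append(f"{d}: not writable by uid {uid}; "
                            "make it world-writable or mount an emptyDir volume")
    for port in listen_ports:
        if port < PRIVILEGED_PORT_LIMIT:
            findings.append(f"port {port}: privileged, cannot be bound without root")
    return findings


def demo():
    """Constructed sample: two directories standing in for an unpacked image."""
    with tempfile.TemporaryDirectory() as root:
        dirs = []
        for name, mode in (("postgresql", 0o755), ("redis", 0o777)):
            path = os.path.join(root, name)
            os.mkdir(path)
            os.chmod(path, mode)
            dirs.append(path)
        sample_uid = 1000050000  # constructed high UID, not taken from the thread
        return preflight(dirs, [80, 5432], sample_uid)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```
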

Contributor

bparees commented Aug 10, 2015

I've also just updated the docs to make things a bit clearer:
openshift/openshift-docs#868

danmcp closed this Aug 18, 2015

Author

sebiwi commented Aug 20, 2015

Ok, this solved the problem. Thanks.
