0
votes

【Error Summary】

I am new to RedHat OpenShift.

OpenShift Pod status CrashLoopBackOff.

Pod logs show “id: cannot find name for user ID 1000660000” and “java.io.FileNotFoundException: ..(Permission denied)”. I tried to solve this problem by changing the UID but it doesn’t work.

If the cause is not the UID, it might be access to the PVC. Is there any way to check and change the PVC?

【Error Reproduction (using OpenShift web console and terminal)】

1. Create OpenShift cluster and project.

2. Add container image from external registry and create deployment.

(Application and component are created at the same time)

At this point the pod was running.

3. Open Deployment page and change Pod number to 0.

4. Remove existing Container Volume.

5. Add storage and create PVC.

6. Change Pod number to 1.

7. Pod is not running and the pod status is CrashLoopBackOff.

8. Create service account “awag-sa” by the commands below.

   oc create sa awag-sa

   oc adm policy add-scc-to-user anyuid -z awag-sa

9. Create patch yaml file “patch-file.yaml” for patching serviceAccount

spec:
  template:
    spec:
      serviceAccountName: awag-sa

10. Patch the deployment with the yaml file by the command below

kubectl patch deployment nexus3-comp --patch "$(cat patch-file.yaml)"

11. Check in the Deployment yaml file (OpenShift web console) that spec.template.spec.serviceAccountName is modified correctly. But the pod status is still CrashLoopBackOff.

…
spec:
  replicas: 0
  selector:
    matchLabels:
      app: nexus3-comp
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: nexus3-comp
        deploymentconfig: nexus3-comp
      annotations:
        openshift.io/generated-by: OpenShiftWebConsole
    spec:
      restartPolicy: Always
      serviceAccountName: awag-sa
      schedulerName: default-scheduler
      terminationGracePeriodSeconds: 30
      securityContext: {}
      containers:
        - name: nexus3-comp

…
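On the second question (how to check whether the PVC is the problem), an added example that is not part of the question and not Nexus code: the permission arithmetic behind the “(Permission denied)” in the log. Many volume plugins hand the pod a mount point owned by root:root with mode 0755, while OpenShift’s restricted SCC runs the container as a high, project-specific UID (the 1000660000 in the log) that is also a member of the root group, gid 0. Whether a write succeeds then depends only on the directory’s owner, group and mode bits and on the pod’s uid/gids, which is what the functions below evaluate; all uids, gids and modes used are constructed, and `check_dir_as_pod` assumes GNU `stat`.

```shell
#!/bin/sh
# Added example (not from the question, not Nexus code): decide, from a
# directory's owner/group/mode and a pod's uid + gid list, whether the pod
# could write there. All uids, gids and modes below are constructed.

# mode_allows_write OCTAL_MODE OWNER_UID OWNER_GID UID "GID ..."
# Exit 0 if a process with that uid and group list may write. Linux DAC:
# the owner class applies if the uid matches, otherwise the group class if
# any gid matches, otherwise the "other" class; uid 0 bypasses all of it.
mode_allows_write() {
    mode=$1 owner=$2 group=$3 uid=$4 gids=$5
    perm=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')  # drop setuid/setgid/sticky digit
    u=$(printf '%s' "$perm" | cut -c1)
    g=$(printf '%s' "$perm" | cut -c2)
    o=$(printf '%s' "$perm" | cut -c3)
    [ "$uid" -eq 0 ] && return 0
    if [ "$uid" -eq "$owner" ]; then
        [ $((u & 2)) -ne 0 ]
        return $?
    fi
    for gid in $gids; do
        if [ "$gid" -eq "$group" ]; then
            [ $((g & 2)) -ne 0 ]
            return $?
        fi
    done
    [ $((o & 2)) -ne 0 ]
}

# check_dir_as_pod DIR UID "GID ..."
# The same decision for a real directory (GNU stat assumed), printing what
# you would otherwise work out by hand in an `oc rsh` / `oc debug` session.
# Exit 0 if writable, 1 if not, 2 if DIR cannot be stat'ed.
check_dir_as_pod() {
    dir=$1 uid=$2 gids=$3
    st=$(stat -c '%a %u %g' "$dir" 2>/dev/null) || return 2
    set -- $st
    printf '%s: mode=%s owner=%s:%s; pod uid=%s gids=[%s] -> ' \
        "$dir" "$1" "$2" "$3" "$uid" "$gids"
    if mode_allows_write "$1" "$2" "$3" "$uid" "$gids"; then
        echo writable
    else
        echo "Permission denied"
        return 1
    fi
}

# Demo on constructed values. Under the restricted SCC the container user is
# a member of gid 0 (root group) and of the project's supplemental group.
POD_UID=1000660000
POD_GIDS="0 1000660000"
for case in "755 0 0" "775 0 0" "700 $POD_UID 0" "2770 0 $POD_UID"; do
    set -- $case
    if mode_allows_write "$1" "$2" "$3" "$POD_UID" "$POD_GIDS"; then
        echo "mode $1 owner $2:$3 -> pod can write"
    else
        echo "mode $1 owner $2:$3 -> Permission denied"
    fi
done

# A throwaway directory standing in for the PVC mount point: first as a
# volume plugin typically delivers it (0755), then after a blanket a+w.
tmp=$(mktemp -d)
chmod 755 "$tmp"
check_dir_as_pod "$tmp" "$POD_UID" "$POD_GIDS"
chmod 777 "$tmp"
check_dir_as_pod "$tmp" "$POD_UID" "$POD_GIDS"
rm -rf "$tmp"
```

To run the same check against the real volume, start a shell in the pod’s context (for example `oc debug deployment/nexus3-comp`) and point `check_dir_as_pod` at the mount path with the uid and gids that `id` reports there; the mode-only function is for reasoning about it offline.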




2 Answers

0
votes

OpenShift would use "random" UIDs -- relative to your Project / Namespace, there's an annotation telling you which UID was allocated to your Project. Unless otherwise configured, your containers would run as that UID.

If your application somehow needs a working getpwnam / resolution from UID to user name, then you want to use nsswrapper.

Make sure it is installed, in your Dockerfile

apt-get install libnss-wrapper   # Debian/Ubuntu
yum install nss_wrapper          # RHEL/CentOS

Then, in your entrypoint, load your own passwd / groups:

RUNTIME_USER=${RUNTIME_USER:-nexus}
RUNTIME_GROUP=${RUNTIME_GROUP:-$RUNTIME_USER}
RUNTIME_HOME=${RUNTIME_HOME:-/tmp}
echo "Setting up nsswrapper mapping $(id -u) to $RUNTIME_USER"
# passwd: keep the image's entries, drop any line already claiming the
# user name (anchored with ':' so "nexus" does not also drop "nexus2"),
# then append one entry mapping the runtime UID/GID to that name
(
    grep -v "^$RUNTIME_USER:" /etc/passwd
    echo "$RUNTIME_USER:x:$(id -u):$(id -g):$RUNTIME_USER:$RUNTIME_HOME:/usr/sbin/nologin"
) >/tmp/java-passwd
# group: same treatment for the runtime GID
(
    grep -v "^$RUNTIME_GROUP:" /etc/group
    echo "$RUNTIME_GROUP:x:$(id -g):"
) >/tmp/java-group
export NSS_WRAPPER_PASSWD=/tmp/java-passwd
export NSS_WRAPPER_GROUP=/tmp/java-group
export LD_PRELOAD=/usr/lib/libnss_wrapper.so
# or /usr/lib64/libnss_wrapper.so on EL x86_64,
# /usr/lib/x86_64-linux-gnu/libnss_wrapper.so on Debian/Ubuntu x86_64

[rest of your entrypoint.sh -- eg: exec "$@"]

edit: actually, nexus doesn't care -- though previous notes would still apply, if a container crashes complaining about some missing UID.

I can't reproduce the message you're getting. As far as I've seen nexus would first crash, failing to write logs. Then its data. Fixed it both times adding a volume:

oc create deploy nexus --image=sonatype/nexus3
oc edit deploy/nexus
[...]
    volumeMounts:
    - mountPath: /opt/sonatype/nexus3/log
      name: empty
      subPath: log
    - mountPath: /nexus-data
      name: empty
      subPath: data
...
  volumes:
  - emptyDir: {}
    name: empty

Now, in your case, /nexus-data should probably be stored in a PVC, rather than some emptyDir. Either way, adding those two volumes fixed it:

# oc logs -f nexus-f7c577ff9-pqmdc
id: cannot find name for user ID 1000230000
2021-07-10 16:36:48,155+0000 INFO  [FelixStartLevel] *SYSTEM org.sonatype.nexus.pax.logging.NexusLogActivator - start
2021-07-10 16:36:49,184+0000 INFO  [FelixStartLevel] *SYSTEM org.sonatype.nexus.features.internal.FeaturesWrapper - Fast FeaturesService starting
2021-07-10 16:36:53,004+0000 INFO  [FelixStartLevel] *SYSTEM ROOT - bundle org.apache.felix.scr:2.1.26 (63) Starting with globalExtender setting: false
2021-07-10 16:36:53,038+0000 INFO  [FelixStartLevel] *SYSTEM ROOT - bundle org.apache.felix.scr:2.1.26 (63)  Version = 2.1.26
...
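The two checks the answer above rests on, as an added example that is not the answerer’s entrypoint: first, reading the project’s UID allocation, which OpenShift records in the namespace annotation `openshift.io/sa.scc.uid-range` as `START/SIZE`, and deciding whether the uid in the log belongs to it; second, building the nss_wrapper passwd/group files from a uid/gid the way the entrypoint does and confirming that the name now resolves from them. The range strings and uids are constructed sample data; `project_uid_range` is the only function that needs a logged-in `oc` and is not called in the demo.

```shell
#!/bin/sh
# Added example (not the answerer's code): parse a project's uid-range
# annotation, test a uid against it, and generate nss_wrapper files for
# that uid. Range strings and uids below are constructed sample data.

# parse_uid_range "START/SIZE" -> prints "START END"; exit 1 if malformed
parse_uid_range() {
    case "$1" in
        *[!0-9/]*|*/*/*|/*|*/|'') return 1 ;;   # digits and one '/' only
    esac
    case "$1" in */*) ;; *) return 1 ;; esac
    start=${1%%/*}
    size=${1#*/}
    printf '%s %s\n' "$start" $((start + size - 1))
}

# uid_in_range "START/SIZE" UID -> exit 0 if UID was allocated to the project,
# 1 if not, 2 if the range string is malformed
uid_in_range() {
    range=$(parse_uid_range "$1") || return 2
    set -- $range "$2"
    [ "$3" -ge "$1" ] && [ "$3" -le "$2" ]
}

# project_uid_range PROJECT -> the live annotation value (needs a logged-in oc)
project_uid_range() {
    oc get namespace "$1" \
        -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.uid-range}'
}

# write_nss_files UID GID NAME HOME OUTDIR
# Writes OUTDIR/passwd and OUTDIR/group: the image's entries minus any line
# already claiming NAME, plus one line mapping UID:GID to NAME. This is what
# the answer's entrypoint builds before exporting NSS_WRAPPER_PASSWD,
# NSS_WRAPPER_GROUP and LD_PRELOAD.
write_nss_files() {
    uid=$1 gid=$2 name=$3 home=$4 out=$5
    {
        grep -v "^$name:" /etc/passwd
        printf '%s:x:%s:%s:%s:%s:/usr/sbin/nologin\n' "$name" "$uid" "$gid" "$name" "$home"
    } >"$out/passwd"
    {
        grep -v "^$name:" /etc/group
        printf '%s:x:%s:\n' "$name" "$gid"
    } >"$out/group"
}

# name_for_uid PASSWD_FILE UID -> the name `id -un` would report once
# NSS_WRAPPER_PASSWD points at PASSWD_FILE; exit 1 if the uid is unknown
name_for_uid() {
    awk -F: -v uid="$2" '$3 == uid { print $1; found = 1; exit }
                         END { exit !found }' "$1"
}

# Demo on constructed values: a range a project might have been allocated,
# the uid from the question's log line, and nss_wrapper files for it. The
# gid is 0 because the restricted SCC runs the arbitrary uid in the root group.
RANGE="1000660000/10000"
UID_FROM_LOG=1000660000
if uid_in_range "$RANGE" "$UID_FROM_LOG"; then
    echo "uid $UID_FROM_LOG lies in range $RANGE: the pod runs under this project's allocation"
else
    echo "uid $UID_FROM_LOG is outside $RANGE: the pod is not using this project's allocation"
fi
tmp=$(mktemp -d)
write_nss_files "$UID_FROM_LOG" 0 nexus /nexus-data "$tmp"
echo "with NSS_WRAPPER_PASSWD=$tmp/passwd, uid $UID_FROM_LOG resolves to: $(name_for_uid "$tmp/passwd" "$UID_FROM_LOG")"
rm -rf "$tmp"
```

If `uid_in_range "$(project_uid_range myproject)" 1000660000` fails on a real cluster, the pod is running under a different SCC or service account than you think, which is the first thing to settle before touching nss_wrapper; `name_for_uid` only reproduces the lookup that nss_wrapper performs, so a hit here means the `id: cannot find name` line would go away once `LD_PRELOAD` is set.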
0
votes

※Answered by questioner

I needed to change the volumeMounts settings of my deployment.

volumeMounts:
  - name: nexus-data-pvc
    mountPath: /nexus-data
    subPath: data
  - name: nexus-data-pvc
    mountPath: /opt/sonatype/nexus3/log
    subPath: log