[Bug 1272146] New: Mounted secrets unreadable with SELinux enabled
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1272146
Bug ID: 1272146
Summary: Mounted secrets unreadable with SELinux enabled
Product: Fedora
Version: 23
Component: kubernetes
Severity: high
Assignee: jchaloup(a)redhat.com
Reporter: thijs.elferink(a)topicus.nl
QA Contact: extras-qa(a)fedoraproject.org
CC: eparis(a)redhat.com, golang(a)lists.fedoraproject.org,
jcajka(a)redhat.com, jchaloup(a)redhat.com,
lsm5(a)redhat.com, nhorman(a)redhat.com, vbatts(a)redhat.com
Description of problem:
On a freshly installed Fedora Atomic host (as well as on a CentOS Atomic host),
when mounting a secret in a pod, the mount shows up with garbled permissions
and is inaccessible.
Version-Release number of selected component (if applicable):
ostree images (both have this problem):
TIMESTAMP (UTC)      VERSION     ID          OSNAME              REFSPEC
2015-10-14 11:25:03  23.33       89be310d70  centos-atomic-host  fedora-atomic:fedora-atomic/f23/x86_64/docker-host
2015-10-01 09:32:09  7.20151001  1e9838ce88  centos-atomic-host  centos-atomic-host:centos-atomic-host/7/x86_64/standard
kubernetes node description:
Kernel Version: 4.2.3-300.fc23.x86_64
OS Image: Fedora 23 (Twenty Three)
Container Runtime Version: docker://1.7.0-dev.fc23
Kubelet Version: v1.1.0-alpha.0.1588+e44c8e6661c931
Kube-Proxy Version: v1.1.0-alpha.0.1588+e44c8e6661c931
How reproducible:
always
Steps to Reproduce:
1. fresh fedora/centos atomic host
2. deploy secret (kubectl create -f secret.json)
secret.json:
    {
      "apiVersion": "v1",
      "kind": "Secret",
      "metadata": {
        "name": "test-secret"
      },
      "type": "Opaque",
      "data": {
        "test-data": "dGVzdDEyMw=="
      }
    }
3. deploy pod (kubectl create -f test-pod.yaml)
test-pod.yaml:
    apiVersion: v1
    kind: Pod
    metadata:
      name: test-pod
    spec:
      containers:
      - name: test
        image: busybox
        volumeMounts:
        - name: "test-volume"
          mountPath: "/test"
          readOnly: true
        command: ["sh"]
        # "-c" and the script are passed as separate argv entries
        args: ["-c", "ls -l /test/test-data; cat /test/test-data"]
      volumes:
      - name: "test-volume"
        secret:
          secretName: "test-secret"
Actual results:
output:
-bash-4.2# kubectl logs test-pod
ls: cannot access /test/test-data: Permission denied
total 0
-????????? ? ? ? ? ? test-data
cat: /test/test-data: Permission denied
Expected results:
output:
-bash-4.2# kubectl logs test-pod
total 4
-r--r--r--. 1 root root 7 Oct 15 08:08 test-data
test123
Additional info:
After disabling SELinux (setenforce 0) the secret is accessible.
--
You are receiving this mail because:
You are on the CC list for the bug.
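To confirm that a "Permission denied" on a world-readable secret file comes from SELinux rather than from file modes, the AVC records in the audit log can be summarised per denial. This is an added example, not part of the bug report: the function names are hypothetical, and the audit lines (including the svirt_lxc_net_t and tmpfs_t types) are constructed sample data, not output from the affected hosts.

```shell
#!/bin/sh
# Summarise SELinux AVC denials from audit records read on stdin.
# One output line per denial: comm perms target source_type target_type tclass

# Constructed sample records (illustrative values, not from the bug report).
SAMPLE_AUDIT='type=AVC msg=audit(1444896489.101:412): avc:  denied  { getattr } for  pid=2101 comm="ls" path="/test/test-data" dev="tmpfs" ino=30412 scontext=system_u:system_r:svirt_lxc_net_t:s0:c12,c34 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1444896489.101:412): arch=c000003e syscall=6 success=no exit=-13 comm="ls" exe="/bin/busybox"
type=AVC msg=audit(1444896489.230:413): avc:  denied  { read } for  pid=2102 comm="cat" name="test-data" dev="tmpfs" ino=30412 scontext=system_u:system_r:svirt_lxc_net_t:s0:c12,c34 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0'

avc_denials() {
    awk '
    /avc:/ && / denied / {
        perms = ""; comm = target = src = tgt = cls = "-"
        inbrace = 0
        for (i = 1; i <= NF; i++) {
            # Permissions are the words between "{" and "}".
            if ($i == "{") { inbrace = 1; continue }
            if ($i == "}") { inbrace = 0; continue }
            if (inbrace) { perms = perms (perms == "" ? "" : ",") $i; continue }
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            gsub(/"/, "", val)
            if (key == "comm") comm = val
            else if (key == "name" || key == "path") target = val
            else if (key == "tclass") cls = val
            # Contexts are user:role:type:level; field 3 is the type.
            else if (key == "scontext") { split(val, c, ":"); src = c[3] }
            else if (key == "tcontext") { split(val, c, ":"); tgt = c[3] }
        }
        print comm, perms, target, src, tgt, cls
    }'
}

# Count denials whose target path ends in the given file name.
count_denials_for() {
    avc_denials | awk -v f="$1" '
        { n = split($3, p, "/"); if (p[n] == f) c++ }
        END { print c + 0 }'
}

printf '%s\n' "$SAMPLE_AUDIT" | avc_denials
```

On a host with auditd running, the same function can read live records, for example `ausearch -m avc -ts recent | avc_denials`.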
[Bug 1326890] New: FTBFS with gcc-go on s390x
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1326890
Bug ID: 1326890
Summary: FTBFS with gcc-go on s390x
Product: Fedora
Version: 24
Component: golang-googlecode-net
Assignee: fpokorny(a)redhat.com
Reporter: dan(a)danny.cz
QA Contact: extras-qa(a)fedoraproject.org
CC: fpokorny(a)redhat.com, golang(a)lists.fedoraproject.org,
jchaloup(a)redhat.com, mattdm(a)redhat.com,
vbatts(a)redhat.com
Blocks: 467765 (ZedoraTracker)
Created attachment 1146911
--> https://bugzilla.redhat.com/attachment.cgi?id=1146911&action=edit
build.log
Build of golang-googlecode-net fails on s390x that uses gcc-go with tons of
errors
...
+ go test -compiler gccgo -gccgoflags '-O2 -g -pipe -Wall
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -march=z9-109 -mtune=z10 '
golang.org/x/net/ipv4
# golang.org/x/net/ipv4
../../BUILDROOT/golang-googlecode-net-0-0.31.git6acef71.fc24.s390x/usr/share/gocode/src/golang.org/x/net/ipv4/icmp.go:34:2:
error: use of undefined type 'sysICMPFilter'
sysICMPFilter
^
../../BUILDROOT/golang-googlecode-net-0-0.31.git6acef71.fc24.s390x/usr/share/gocode/src/golang.org/x/net/ipv4/control_pktinfo.go:19:11:
error: reference to undefined name 'sysIP_PKTINFO'
m.Type = sysIP_PKTINFO
^
../../BUILDROOT/golang-googlecode-net-0-0.31.git6acef71.fc24.s390x/usr/share/gocode/src/golang.org/x/net/ipv4/control_pktinfo.go:20:27:
error: reference to undefined name 'sysSizeofInetPktinfo'
...
see http://s390.koji.fedoraproject.org/koji/taskinfo?taskID=2183406 for full
logs, or attachment for build.log
Version-Release number of selected component (if applicable):
golang-googlecode-net-0-0.31.git6acef71.fc24
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=467765
[Bug 467765] Fedora for System z (s390): Bug Tracker
[Bug 1348875] New: consul-0.6.4 available
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1348875
Bug ID: 1348875
Summary: consul-0.6.4 available
Product: Fedora
Version: rawhide
Component: consul
Severity: medium
Assignee: fpokorny(a)redhat.com
Reporter: sspreitz(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: fpokorny(a)redhat.com, golang(a)lists.fedoraproject.org,
jchaloup(a)redhat.com
A new version of consul is available.
Will you also be brewing consul for EL7?