question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[OCP4] Che deployment fails due to permission denied in Postgres

See original GitHub issue

Describe the bug

I installed a basic OCP 4 cluster on AWS. The default aws-ebs storage is used. I tried to install Che from the OperatorHub marketplace and the install failed because Postgres entered a CrashLoopBackOff state.

The Postgres container’s logs show the following error:

johns-mbp-3:.odo johncollier$ oc logs postgres-cc6b567f-fc9hj
mkdir: cannot create directory '/var/lib/pgsql/data/userdata': Permission denied

Che version

  • latest
  • nightly
  • other: please specify

Steps to reproduce

  1. Deploy OpenShift 4 on AWS
  2. Make sure aws-ebs is used for default strorage (should be for new installs on AWS)
  3. Install the Che operator from OperatorHub
  4. Create a CheCluster custom resource to install Che
  5. The Che deployment will fail because Postgres will report the following error: Screen Shot 2019-09-04 at 5 53 17 PM

Expected behavior

Runtime

  • kubernetes (include output of kubectl version)
  • Openshift (include output of oc version)
  • minikube (include output of minikube version and kubectl version)
  • minishift (include output of minishift version and oc version)
  • docker-desktop + K8S (include output of docker version and kubectl version)
  • other: (please specify)
johns-mbp-3:.odo johncollier$ oc version
oc v3.11.0+0cbc58b
kubernetes v1.11.0+d4cacc0
features: Basic-Auth

Server https://<url>:6443
kubernetes v1.14.0+573d946

Screenshots

Installation method

  • chectl
  • che-operator 7.0.0
  • minishift-addon
  • I don’t know

Environment

  • my computer
    • Windows
    • Linux
    • macOS
  • Cloud
    • Amazon
    • Azure
    • GCE
    • other (please specify)
  • other: please specify

Additional context

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Comments:25 (25 by maintainers)

github_iconTop GitHub Comments

2reactions
tomgeorgecommented, Oct 29, 2019

Comparing Che installed in the che namespace to Che installed in the default namespace reveals that the securityContext gets set to {} in default, and is properly set in the che namespace:

  securityContext:
    seLinuxOptions:
      level: 's0:c22,c9'
    fsGroup: 1000480000
1reaction
tomgeorgecommented, Oct 30, 2019

As I’m investigating this more, it seems like default does not respect any of the security context constraints by default that are present in openshift… If I make a new user and give them create access to pods and deployments, and they run a pod, it will run as root/the default UID present in that images Dockerfile. When I run the same pod in another namespace it is runs in a security context. default seems to have annotations regarding security contexts, but does not respect them:

apiVersion: v1
kind: Namespace
metadata:
  annotations:
    openshift.io/sa.scc.mcs: s0:c6,c5
    openshift.io/sa.scc.supplemental-groups: 1000040000/10000
    openshift.io/sa.scc.uid-range: 1000040000/10000
  creationTimestamp: "2019-10-28T20:25:55Z"
  name: default
  resourceVersion: "7335"
  selfLink: /api/v1/namespaces/default
  uid: 2515d6e5-f9c1-11e9-9124-028754979780
spec:
  finalizers:
  - kubernetes
status:
  phase: Active
apiVersion: project.openshift.io/v1
kind: Project
metadata:
  annotations:
    openshift.io/sa.scc.mcs: s0:c6,c5
    openshift.io/sa.scc.supplemental-groups: 1000040000/10000
    openshift.io/sa.scc.uid-range: 1000040000/10000
  creationTimestamp: "2019-10-28T20:25:55Z"
  name: default
  resourceVersion: "7335"
  selfLink: /apis/project.openshift.io/v1/projects/default
  uid: 2515d6e5-f9c1-11e9-9124-028754979780
spec:
  finalizers:
  - kubernetes
status:
  phase: Active

I’m starting to think this is just a documentation issue that we will need to point out as @l0rd and @davidfestal have suggested. I reached out on the aos-devel slack channel but haven’t had a reply yet.

Read more comments on GitHub >

github_iconTop Results From Across the Web

PostgreSQL ERROR: permission denied for schema public
Public schema default permissions changed in PostgreSQL 15 - it might hurt you during application deployment. Here's what to do.
Read more >
Facing permission issue when creating application using ...
When postrgres image is used with persistent storage it always fails with below errors : Raw. waiting for server to start.
Read more >
Postgres fails with '/var/lib/pgsql/data/userdata': Permission ...
I'm trying to deploy Keycloak into our test cluster on DigitalOcean Kubernetes (DOKS). My manifest yaml looks like this: apiVersion: keycloak.
Read more >
Kubernetes ImagePullBackOff error: what you need to know
The status ImagePullBackOff means that a Pod couldn't start, because Kubernetes couldn't pull a container image. The 'BackOff' part means that ...
Read more >
chmod: changing permissions of '/var/lib/postgresql/data'
It eventually fails and just keeps retrying. When I run kubectl logs pod postgres-deployment-<id> it just says: chmod: changing permissions ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found