Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

callhome pod doesn't start: permission denied #1784

Open
FamilieRo opened this issue Dec 17, 2024 · 5 comments
Open

callhome pod doesn't start: permission denied #1784

FamilieRo opened this issue Dec 17, 2024 · 5 comments
Labels
BUG Something isn't working

Comments

@FamilieRo
Copy link

FamilieRo commented Dec 17, 2024
edited
Loading

OpenEBS is running on an OpenShift cluster. Everything runs as expected except the callhome pod. I increased the loglevel and have a log file attached.

openebs-obs-callhome-6f47f84c55-dfbqw-obs-callhome (1).log

Short version, I get a permission denied:

obs_callhome: failed call-home error=encryption failed: IoError { source: Custom { kind: PermissionDenied, error: PathError { path: "/encryption_dir/.tmpudlRff", err: Os { code: 13, kind: PermissionDenied, message: "Permission denied" } } } }

But I don't get a clue where I should look or what I can do...
@tiagolobocastro
Copy link
Contributor

I think this is a callhome bug on OpenShift, because it's trying to access /encryption_dir/.tmpudlRff but on OpenShift containers are not run as the root user.
Wdyt @niladrih @Abhinandan-Purkait ?

@FamilieRo
Copy link
Author

Seems to be an issue with permissions. I created a sevice account that is allowed to run container as root and now I get this error:

2024-12-17T11:59:30.151658Z DEBUG kube_client::client: Unsuccessful: ErrorResponse { status: "Failure", message: "namespaces "kube-system" is forbidden: User "system:serviceaccount:openebs:allowed-anyuid-sa" cannot get resource "namespaces" in API group "" in the namespace "kube-system"", reason: "Forbidden", code: 403 }
2024-12-17T11:59:30.151681Z ERROR obs_callhome: failed call-home error=failed to generate kubernetes cluster ID: ClientError { source: Api(ErrorResponse { status: "Failure", message: "namespaces "kube-system" is forbidden: User "system:serviceaccount:openebs:allowed-anyuid-sa" cannot get resource "namespaces" in API group "" in the namespace "kube-system"", reason: "Forbidden", code: 403 }) }

But even when I add the cluster-admin role to the sa it doesn't work.

As far as I understood the callhome container is for sending stats to you and to offer metrics that I can use with Prometrics, right? If I cannot access metrics here I would delete the deployment...

@tiagolobocastro
Copy link
Contributor

For now you can disable it:
mayastor.obs.callhome.enabled=false

@FamilieRo
Copy link
Author

Okay, so for now I will disable it and we can close this issue. Maybe you can bring this to development so that openEBS will work completely with OpenShift.
Thanks for your help!

@tiagolobocastro
Copy link
Contributor

Thanks, I'll leave this open so we can track it as a bug fix

@tiagolobocastro tiagolobocastro added the BUG Something isn't working label Dec 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
BUG Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tiagolobocastro @FamilieRo