Index permission denied on openshift #619

Open
daFritz84 opened this issue Apr 1, 2021 · 2 comments

@daFritz84

Hi,

so, I tried to build an Index and deploy it via catalog source to an openshift cluster according to the README. This went without hiccups, except that the spawned pod crashlooped after deployment.

After some initial debugging, I figured out that the index.db could not be opened due to insufficient write permissions. Then, I examined the existing RedHat marketplace index and found that they have a folder /registry with permissions 755. I replicated this behavior by generating the Dockerfile, patching it, and pushing it to our registry. And guess what? It worked.

However, my solution seems kinda fishy. I just expected it to work out of the box, and not having to modify the generated Dockerfile.
Does anyone have any insight into what I might have done wrong? Do I need to set some additional service account permissions in openshift? Or is my solution fine?

Here is my current solution:

```shell
opm index add --bundles XXX/operator-test/memcached-operator-bundle:latest --tag XXX/operator-test/index:latest --generate --container-tool docker
```

Modify the generated Dockerfile, creating the /registry folder and setting it as working dir.

```dockerfile
FROM quay.io/operator-framework/upstream-opm-builder
LABEL operators.operatorframework.io.index.database.v1=/database/index.db
ADD database/index.db /database/index.db
RUN mkdir /registry && chmod 775 /registry
EXPOSE 50051
WORKDIR /registry
ENTRYPOINT ["/bin/opm"]
CMD ["registry", "serve", "--database", "/database/index.db"]
```

And push it to the registry:

```shell
docker build . -f index.Dockerfile -t XXX/operator-test/index:latest
docker push XXX/operator-test/index:latest
```

@exdx
Member

exdx commented Apr 29, 2021

Hi @daFritz84, what version of opm are you on?

We ran into this same issue where registry was using the umask of the terminal session, but it should be fixed in the most recent upstream opm releases.

@exdx exdx added the kind/bug Categorizes issue or PR as related to a bug. label Apr 29, 2021
@exdx exdx added this to the 1.18.0 milestone Apr 29, 2021
@daFritz84
Author

daFritz84 commented Apr 30, 2021

Hi @exdx ,

I originally used version 1.15.4:

```
❯ opm version
Version: version.Version{OpmVersion:"v1.15.4-6-ga97d366a", GitCommit:"a97d366a92d302ff2056fa2d19aa3e48b0fbc99c", BuildDate:"2021-03-13T02:24:44Z", GoOs:"linux", GoArch:"amd64"}
```

Next, I tried the latest opm available from the openshift-v4 mirror.

```
❯ opm version
Version: version.Version{OpmVersion:"v1.15.4-6-ga97d366a", GitCommit:"a97d366a92d302ff2056fa2d19aa3e48b0fbc99c", BuildDate:"2021-04-14T22:47:35Z", GoOs:"linux", GoArch:"amd64"}
```

Same version but slightly newer build date.

Regardless of the build date, I still see the CrashLoopBackoff, i.e.:

```
Error: open db-522839942: permission denied
```

Finally, I tried the latest version from the github repository release page:

```
❯ opm version
Version: version.Version{OpmVersion:"v1.17.0", GitCommit:"ebeac77", BuildDate:"2021-04-13T18:40:36Z", GoOs:"linux", GoArch:"amd64"}
```

But sadly, I encountered the same CrashLoopBackoff situation.

One thing I noticed is that opm inside the pod does not seem to have any version information (openshift remote shell):

```
/registry $ opm version
Version: version.Version{OpmVersion:"unknown", GitCommit:"", BuildDate:"", GoOs:"linux", GoArch:"amd64"}
```

Maybe I am fetching some wrong base container image? Here is the output of my docker build command (with my /registry folder fix):

```
 => [internal] load build definition from index.Dockerfile  0.0s
 => => transferring dockerfile: 379B  0.0s
 => [internal] load .dockerignore  0.0s
 => => transferring context: 2B  0.0s
 => [internal] load metadata for quay.io/operator-framework/upstream-opm-builder:latest  0.6s
 => [internal] load build context  0.0s
 => => transferring context: 68B  0.0s
 => [1/4] FROM quay.io/operator-framework/upstream-opm-builder@sha256:6d3677d60356613b5e9f51012a44f826cb08b592e0f3e90fa8133b853c7720ac  0.0s
 => CACHED [2/4] ADD database/index.db /database/index.db  0.0s
 => [3/4] RUN mkdir /registry && chmod 775 /registry  0.3s
 => [4/4] WORKDIR /registry  0.0s
 => exporting to image  0.1s
 => => exporting layers  0.0s
 => => writing image sha256:7c18d4d6784e97e1dd966f0c98c605326bec2c8c7aeecd08c998cddbe03ef63b  0.0s
 => => naming to XXX/operator-test/seconet-index:latest  0.0s
```
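
Why the `chmod 775` workaround changes the outcome, and how a build-time umask can change it back, as an added example that is not part of this thread or of operator-registry: it evaluates POSIX owner/group/other bits for the pod's identity. It assumes the pod runs as a non-root UID with group 0 (the usual arrangement for restricted pods on OpenShift, which the thread does not state); the UID, ownership and starting directory mode are constructed.

```python
# Added illustration, not operator-registry code. All values are constructed.
R, W, X = 4, 2, 1

def mode_after_umask(requested, umask):
    """Permission bits a newly created file or directory ends up with."""
    return requested & ~umask & 0o777

def may_access(mode, owner_uid, owner_gid, uid, gids, need):
    """POSIX class selection: exactly one of owner/group/other bits applies."""
    if uid == 0:
        return True  # simplification: root bypasses read/write checks
    if uid == owner_uid:
        shift = 6
    elif owner_gid in gids:
        shift = 3
    else:
        shift = 0
    return ((mode >> shift) & 0o7) & need == need

def can_create_file_in(dir_mode, owner_uid, owner_gid, uid, gids):
    """Creating a file such as db-522839942 needs write+search on the directory."""
    return may_access(dir_mode, owner_uid, owner_gid, uid, gids, W | X)

# Assumption: the pod gets a non-root UID from the namespace range, plus GID 0.
POD_UID, POD_GIDS = 1000650000, {0}

def scenarios():
    return {
        # Assumed starting point: root-owned working directory, mode 0755 (group r-x).
        "root_owned_0755_workdir": can_create_file_in(0o755, 0, 0, POD_UID, POD_GIDS),
        # The thread's workaround: mkdir /registry && chmod 775 /registry.
        "registry_0775_workdir": can_create_file_in(0o775, 0, 0, POD_UID, POD_GIDS),
        # A bare mkdir under a restrictive umask: 0777 & ~0077 = 0700.
        "mkdir_under_umask_077": can_create_file_in(
            mode_after_umask(0o777, 0o077), 0, 0, POD_UID, POD_GIDS),
        # A file written under umask 022 vs 077, then read by the pod.
        "db_readable_umask_022": may_access(
            mode_after_umask(0o666, 0o022), 0, 0, POD_UID, POD_GIDS, R),
        "db_readable_umask_077": may_access(
            mode_after_umask(0o666, 0o077), 0, 0, POD_UID, POD_GIDS, R),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:26} {'allowed' if ok else 'permission denied'}")
```

An explicit `chmod` after `mkdir` makes the directory mode independent of whatever umask the build ran under, which is why the workaround behaves the same on every build host.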

@joelanford joelanford modified the milestones: 1.18.0, 1.19.0 Aug 19, 2021
@joelanford joelanford modified the milestones: 1.19.0, Backlog Feb 1, 2022
didierofrivia added a commit to Kuadrant/kuadrant-operator that referenced this issue Nov 16, 2022
* It will be used to build the catalog image
* In order to mitigate operator-framework/operator-registry#619
* The index.db is still generated with opm
didierofrivia added a commit to Kuadrant/kuadrant-operator that referenced this issue Nov 18, 2022
* In order to use instead of autogenerated index.Dockerfile
* To mitigate operator-framework/operator-registry#619
didierofrivia added a commit to Kuadrant/kuadrant-operator that referenced this issue Nov 21, 2022
* In order to use instead of autogenerated index.Dockerfile
* To mitigate operator-framework/operator-registry#619
didierofrivia added a commit to Kuadrant/kuadrant-operator that referenced this issue Nov 22, 2022
* In order to use instead of autogenerated index.Dockerfile
* To mitigate operator-framework/operator-registry#619
alexsnaps pushed a commit to Kuadrant/kuadrant-operator that referenced this issue Dec 8, 2022
* Bumps opm version
* Creates tasks to load olm needed images to Kind for local testing
* Uses custom catalog Dockerfile

[catalog] Custom Dockerfile for building catalog

* In order to use instead of autogenerated index.Dockerfile
* To mitigate operator-framework/operator-registry#619

[gh] Using custom catalog.Dockerfile to build catalog images

[gh] Adding platforms for building images

[makefile] Adding platform param in custom docker build command
alexsnaps added a commit to Kuadrant/kuadrant-operator that referenced this issue Dec 13, 2022
* [makefile] Adding target to setup olm kuadrant installation

* Bumps opm version
* Creates tasks to load olm needed images to Kind for local testing
* Uses custom catalog Dockerfile

[catalog] Custom Dockerfile for building catalog

* In order to use instead of autogenerated index.Dockerfile
* To mitigate operator-framework/operator-registry#619

[gh] Using custom catalog.Dockerfile to build catalog images

[gh] Adding platforms for building images

[makefile] Adding platform param in custom docker build command

* Reconcile Authorino when OSSM

* Updated workflows

* Skip lint'ing

* Deleted unneeded or dup'ed targets

* Get rid of the catalog docker file

* Delete catalog targets

* Fix target in catalog actions

* Partially addressing PR comments

* [gh] Removing conditional building catalog and bundle from workflow

* Removing diff task too

* [makefile] Removing unused target

* The catalog pod has its image policy set to ALWAYS

Co-authored-by: dd di cesare <[email protected]>
Co-authored-by: Guilherme Cassolato <[email protected]>