Improper PID permission prevents `nginx` startup on OpenShift

Summary

Improper PID permission prevents nginx startup when running as random UID on OpenShift.

Steps to reproduce

  • Reference the existing Ironbank image in a deployment manifest
  • Apply/create the deployment on OpenShift 4.6.z+
  • Observe failed container startup and error msg: nginx: [emerg] open() "/tmp/nginx.pid" failed (13: Permission denied)

What is the current bug behavior?

nginx container fails to start with error:

2021/07/01 13:24:26 [emerg] 1#1: open() "/tmp/nginx.pid" failed (13: Permission denied)
nginx: [emerg] open() "/tmp/nginx.pid" failed (13: Permission denied)

What is the expected correct behavior?

Standard log output should appear and the pod should remain in a "Running" state:

[jrmorgan@ahub openshift-nginx-sidecar]# oc logs sidecar-7dcf9cbb95-c99q4 -c nginx
10.128.2.1 - - [01/Jul/2021:13:29:52 +0000] "GET / HTTP/1.1" 200 9593 "-" "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0" "192.168.1.177" "sidecar-sidecar.apps.vmx.int.shifti.us" sn="localhost" rt=0.024 ua="[::1]:8888, 127.0.0.1:8888" us="502, 200" ut="0.000, 0.024" ul="0, 9593" cs=- 67933c3d8ff6a8a3edfc4986585207f0
10.128.2.1 - - [01/Jul/2021:13:29:52 +0000] "GET /flasgger_static/swagger-ui.css HTTP/1.1" 200 47921 "http://sidecar-sidecar.apps.vmx.int.shifti.us/" "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0" "192.168.1.177" "sidecar-sidecar.apps.vmx.int.shifti.us" sn="localhost" rt=0.011 ua="127.0.0.1:8888" us="200" ut="0.010" ul="81499" cs=- c92eff50f69cd51b749d9dc3816954ce

Relevant logs and/or screenshots

When attempting to run the container on OpenShift 4.6.z an error may be encountered due to current pid permissions and the assigned project uid range:

## Error message:
[jrmorgan@ahub openshift-nginx-sidecar]# oc logs sidecar-7dcf9cbb95-6gfhh -c nginx
2021/07/01 13:24:26 [emerg] 1#1: open() "/tmp/nginx.pid" failed (13: Permission denied)
nginx: [emerg] open() "/tmp/nginx.pid" failed (13: Permission denied)

## project uid range:
[jrmorgan@ahub openshift-nginx-sidecar]# oc describe project sidecar
Name:                   sidecar
Created:                43 hours ago
Labels:                 <none>
Annotations:            openshift.io/description=
...
                        openshift.io/sa.scc.supplemental-groups=1000610000/10000
                        openshift.io/sa.scc.uid-range=1000610000/10000

Possible fixes

(If you can, link to the line of code that might be responsible for the problem)

Definition of Done

  • Bug has been identified and corrected within the container
Edited by J.R. Morgan
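
The permission check behind the `open() "/tmp/nginx.pid" failed (13: Permission denied)` error, as an added example that is not part of the original issue or the Ironbank image. It evaluates owner/group/other mode bits for the UID from the project's `uid-range` shown above. Assumptions: OpenShift runs the arbitrary UID with GID 0, the file ownership values are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Classic Unix permission check (ignores ACLs, capabilities and root override).
# can_access UID "GIDS" OWNER_UID OWNER_GID MODE NEED
#   NEED is an rwx digit: 2 = write a file, 3 = write+search a directory.
can_access() {
    perm=$(( 0$5 ))            # octal mode as printed by stat -c %a
    cls=0                      # default: "other" bits
    if [ "$1" -eq "$3" ]; then
        cls=6                  # owner bits
    else
        for g in $2; do
            if [ "$g" -eq "$4" ]; then cls=3; fi   # group bits
        done
    fi
    [ $(( (perm >> cls) & $6 )) -eq "$6" ]
}

# pid_path_ok PATH UID "GIDS": an existing file must be writable; a missing
# file needs write+search on its parent directory. GNU stat is assumed.
pid_path_ok() {
    target=$1 need=2
    if [ ! -e "$target" ]; then target=$(dirname "$target"); need=3; fi
    meta=$(stat -c '%u %g %a' "$target") || return 2
    # $meta is split on purpose into owner uid, owner gid, mode
    can_access "$2" "$3" $meta "$need"
}

# Runtime identity: UID from the page's uid-range; GID 0 is OpenShift's
# arbitrary-UID convention (assumption), plus the page's supplemental group.
RUN_UID=1000610000
RUN_GIDS="0 1000610000"

# Constructed ownership/mode pairs, not read from the Ironbank image.
report() {
    if can_access "$RUN_UID" "$RUN_GIDS" "$1" "$2" "$3" 2; then r=writable; else r=DENIED; fi
    echo "owner=$1:$2 mode=$3 -> $r"
}
report 1001 1001 644   # pre-created by a build user: DENIED (EACCES)
report 1001 0 664      # group 0 + g+w: writable
report 1001 0 644      # group 0 without g+w: DENIED
```

Running `pid_path_ok /tmp/nginx.pid 1000610000 "0 1000610000"` inside the image as a build-time check reports whether the pid path would be usable under the project's assigned UID.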