
Comments (10)

phlogistonjohn commented on June 5, 2024

The "real" errors seem to be:

Failed to initialize the registry: WERR_ACCESS_DENIED
Failed to initialize the registry: WERR_ACCESS_DENIED

But it isn't clear to me what is triggering those access denies when trying to init the registry.
@nixpanic do you feel comfortable hacking sambacc to add a -d10 (or similar) to the net command line? Or do you prefer I teach sambacc more tricks related to debugging?

from samba-operator.

nixpanic commented on June 5, 2024

I think it would be really helpful if a SmbShare has options to enable debugging, maybe through an annotation?

Not sure when I will be looking at this again, but I can try to add additional command line options and see where I get.

from samba-operator.

phlogistonjohn commented on June 5, 2024

I'll look into adding some options in order to do advanced debugging. This needs to touch all the layers in our stack and thus will require some amount of plumbing. Stay tuned. :-)

from samba-operator.

phlogistonjohn commented on June 5, 2024

Hi @nixpanic I've merged code to support debugging. Please take a look at the dev doc and try that out and see if it helps.

from samba-operator.

synarete commented on June 5, 2024

@phlogistonjohn I turned on debug level, and I now see the following lines:

$ oc logs -f myshare-6db88964d4-qjcz2

doing parameter registry shares = yes
tdb(/var/lib/samba/registry.tdb): tdb_open_ex: could not open file /var/lib/samba/registry.tdb: No such file or directory
Could not open tdb: No such file or directory
tdb(/var/lib/samba/registry.tdb): tdb_open_ex: could not open file /var/lib/samba/registry.tdb: Permission denied
Could not open tdb: Permission denied
regdb_init: Failed to open registry /var/lib/samba/registry.tdb (Permission denied)
Failed to initialize the registry: WERR_ACCESS_DENIED
error initializing registry configuration: SBC_ERR_BADFILE

from samba-operator.

phlogistonjohn commented on June 5, 2024

> tdb(/var/lib/samba/registry.tdb): tdb_open_ex: could not open file /var/lib/samba/registry.tdb: No such file or directory
> Could not open tdb: No such file or directory

This is probably normal when the tdb file does not already exist.

> tdb(/var/lib/samba/registry.tdb): tdb_open_ex: could not open file /var/lib/samba/registry.tdb: Permission denied
> Could not open tdb: Permission denied

My guess is this is the real error condition. Something on OpenShift is restricting this process from writing to the file system in a way standard k8s clusters do not. Let's keep digging. :-)

from samba-operator.

synarete commented on June 5, 2024

After spending the better part of the day on this one, I realized that OpenShift assigns UIDs differently[1]; Indeed, adding a simple echo $(id) upon container's start gives:
uid=1000800000(1000800000) gid=0(root) groups=0(root),1000800000

Changing permissions with chmod 770 /var/lib/samba solved this issue, just to hit the next one:

Traceback (most recent call last):
  File "/usr/local/bin/samba-container", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.9/site-packages/sambacc/commands/main.py", line 211, in main
    cfunc(CommandContext(cli))
  File "/usr/local/lib/python3.9/site-packages/sambacc/commands/run.py", line 75, in run_container
    init_container(ctx)
  File "/usr/local/lib/python3.9/site-packages/sambacc/commands/initialize.py", line 94, in init_container
    cmds[step_name].cmd_func(ctx)
  File "/usr/local/lib/python3.9/site-packages/sambacc/commands/users.py", line 48, in import_sys_users
    etc_passwd_loader.write()
  File "/usr/local/lib/python3.9/site-packages/sambacc/textfile.py", line 33, in write
    with open(tpath, "w") as f:
PermissionError: [Errno 13] Permission denied: '/etc/passwd.tmp'

I will try to set up appropriate SCC[2].

@phlogistonjohn Does smbd really need write access to /etc/passwd.tmp?

[1] https://cloud.redhat.com/blog/a-guide-to-openshift-and-uids
[2] https://cloud.redhat.com/blog/managing-sccs-in-openshift

from samba-operator.
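
Why `chmod 770 /var/lib/samba` was enough for the UID reported above while `/etc/passwd.tmp` still fails, as an added example (not code from the thread or from sambacc): a simplified POSIX permission check run against the reported `id` output. The directory owners and the 0755 modes are assumptions; the thread does not state them.

```python
import re

# `id` output quoted in the comment above.
ID_LINE = "uid=1000800000(1000800000) gid=0(root) groups=0(root),1000800000"

def parse_id(line):
    """Parse `id` output into (uid, set of all gids the process holds)."""
    uid = int(re.search(r"uid=(\d+)", line).group(1))
    gids = {int(re.search(r"gid=(\d+)", line).group(1))}
    groups = re.search(r"groups=(\S+)", line)
    if groups:
        gids |= {int(g.split("(")[0]) for g in groups.group(1).split(",")}
    return uid, gids

def can_create_in_dir(uid, gids, st_uid, st_gid, mode):
    """Simplified DAC check for creating a file in a directory (needs w+x).

    Exactly one permission class applies: owner, else group, else other.
    ACLs, SELinux and capabilities are ignored, except that uid 0 is
    assumed to keep CAP_DAC_OVERRIDE.
    """
    if uid == 0:
        return True
    if uid == st_uid:
        bits = (mode >> 6) & 7
    elif st_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & 0o3 == 0o3  # write (2) and search (1)

def check(id_line, dirs):
    """Return {label: bool} for each (label, st_uid, st_gid, mode) tuple."""
    uid, gids = parse_id(id_line)
    return {label: can_create_in_dir(uid, gids, u, g, m)
            for label, u, g, m in dirs}

# Constructed directory metadata (assumed root:root; modes are assumptions).
SAMPLE_DIRS = [
    ("/var/lib/samba before chmod (assumed 0755)", 0, 0, 0o755),
    ("/var/lib/samba after chmod 770", 0, 0, 0o770),
    ("/etc (assumed 0755), parent of passwd.tmp", 0, 0, 0o755),
]

if __name__ == "__main__":
    for label, ok in check(ID_LINE, SAMPLE_DIRS).items():
        print(f"{'writable' if ok else 'DENIED  '}  {label}")
```

The arbitrary UID owns nothing in the image, so only the group bits for gid 0 can grant it access; a directory that is group-writable by gid 0 works, and anything else still needs the pod to run under an SCC that permits the required UID.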

phlogistonjohn commented on June 5, 2024

> After spending the better part of the day on this one, I realized that OpenShift assigns UIDs differently[1]; Indeed, adding a simple echo $(id) upon container's start gives: uid=1000800000(1000800000) gid=0(root) groups=0(root),1000800000

Good find, thanks.

> Changing permissions with chmod 770 /var/lib/samba solved this issue, just to hit the next one:
>
> Traceback (most recent call last):
>   File "/usr/local/bin/samba-container", line 8, in <module>
>     sys.exit(main())
>   File "/usr/local/lib/python3.9/site-packages/sambacc/commands/main.py", line 211, in main
>     cfunc(CommandContext(cli))
>   File "/usr/local/lib/python3.9/site-packages/sambacc/commands/run.py", line 75, in run_container
>     init_container(ctx)
>   File "/usr/local/lib/python3.9/site-packages/sambacc/commands/initialize.py", line 94, in init_container
>     cmds[step_name].cmd_func(ctx)
>   File "/usr/local/lib/python3.9/site-packages/sambacc/commands/users.py", line 48, in import_sys_users
>     etc_passwd_loader.write()
>   File "/usr/local/lib/python3.9/site-packages/sambacc/textfile.py", line 33, in write
>     with open(tpath, "w") as f:
> PermissionError: [Errno 13] Permission denied: '/etc/passwd.tmp'
>
> I will try to set up appropriate SCC[2].

Great. We need smbd & friends to actually start as root (uid 0) and in the case of smbd be able to change uids. Samba "impersonates" each user that connects to it.

> @phlogistonjohn Does smbd really need write access to /etc/passwd.tmp?

Yeah, but it's sambacc trying to set up our custom /etc/passwd. We need to be able to write this file when we're initializing the environment. This may not be required on the AD setup (I forget) but is required for users & groups for the same reason smbd needs to be able to change to specific uids & gids.

from samba-operator.

ibotty commented on June 5, 2024

AFAICT the status of OpenShift-Support is the following.

Configure samba-operator to use the samba serviceaccount.
For any namespace that shares live in, the serviceaccount, role and rolebinding from 8e3292e is needed.

Is there a downside in creating a clusterrole (akin to the role) and binding the serviceaccount to it? One less object to create. I can create documentation to

from samba-operator.

synarete commented on June 5, 2024

@ibotty We want to simplify the deployment over OpenShift and make it as seamless as possible. Unfortunately, patches are still under review and did not make it to v0.2. Take a look at #216 or use the operator image from quay.io/ssharon/sink:openshift

from samba-operator.
