Permission denied error for redhat-operators pod in RHOCP 4

Solution Verified - Updated

Environment

  • Red Hat Openshift Container Platform 4
  • Disconnected/Air-gapped Environment

Issue

  • The redhat-operators catalog pod fails with a /configs/index.json: permission denied error.

  • In an air-gapped/disconnected OpenShift installation, the redhat-operators pods in the openshift-marketplace project do not start and fail with the error below:

Error: load declarative config directory: open /configs/index.json: permission denied

Resolution

  • Change the umask to 0022 on the RHEL host machine where the oc mirror commands are run.

Note: Before setting the umask value to 022, confirm with your internal security team, because with this value all other users have read-only access to the owner's files and read/search access to the owner's directories.

$ umask 0022

  • If the above umask value does not meet the conditions, 0077 can be tried.
    • Depending on other security settings on the system, this might not help with the issue.
    • umask 0077 assigns permissions so that only the owner has read/write access to files, and read/write/search access to directories, that the owner owns. All others have no access permissions to the owner's files or directories.

$ umask 0077

  • Check if the image has been built after the changes.
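
The effect of the two umask values above on a catalog-style configs/index.json, as an added example that is not part of the original solution. The function names and temporary paths are constructed for illustration, and the second check assumes the catalog process runs as a user other than the file owner.

```shell
#!/bin/sh
# Added example (not Red Hat's code): shows which permission bits a umask
# produces for configs/ and configs/index.json on the mirroring host, and
# lists entries that users other than the owner cannot read.

# Print "<dir mode> <file mode>" for configs/ and configs/index.json
# created under the umask passed as $1. Runs in a subshell so the caller's
# umask is left untouched.
modes_under_umask() (
    tmp=$(mktemp -d) || exit 1          # constructed scratch directory
    umask "$1"
    mkdir "$tmp/configs"
    : > "$tmp/configs/index.json"
    d=$(ls -ld "$tmp/configs" | cut -c1-10)
    f=$(ls -ld "$tmp/configs/index.json" | cut -c1-10)
    rm -rf "$tmp"
    echo "$d $f"
)

# List every entry under directory $1 that "others" cannot use:
# directories need read+search (o=rx), everything else needs read (o=r).
# Empty output means a non-owner process can traverse and read the tree.
unreadable_by_others() {
    find "$1" \( \( -type d ! -perm -o=rx \) -o \
                 \( ! -type d ! -perm -o=r \) \) -print
}

# Compare the two values discussed in the Resolution.
for m in 0022 0077; do
    echo "umask $m -> $(modes_under_umask "$m")"
done
```

Running unreadable_by_others against a locally generated catalog directory before the image is built shows whether index.json would be readable by a non-owner user.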

Root Cause

  • The process for building catalog images changed significantly from the RHOCP 4.10 version of oc-mirror (Tech Preview) to the RHOCP 4.11 version, so the file permissions for index.json have changed.

Diagnostic Steps

  • Check whether the redhat-operators pods are in the CrashLoopBackOff state in the openshift-marketplace project:
$ oc get pods

NAME                                   READY   STATUS             RESTARTS      AGE
marketplace-operator-db78b9d5d-jznm7   1/1     Running            0             13d
redhat-operators-44qw8                 0/1     CrashLoopBackOff   4 (52s ago)   2m32s
  • Check the logs of the redhat-operators pod to see whether index.json is hitting the permission denied error:
$ oc logs redhat-operators-8ms4f

Error: load declarative config directory: open /configs/index.json: permission denied