SAP Edge Integration Cell (EIC) - "Permission Denied" on ODF CephFS RWX Shared Volumes

Solution Unverified - Updated

Environment

  • Red Hat OpenShift Container Platform 4.x
  • Red Hat OpenShift Data Foundation (ODF) 4.x
  • CephFS CSI driver
  • SAP Edge Integration Cell (EIC)
  • Pods using privileged SCC with seLinuxContext: RunAsAny
  • RWX (ReadWriteMany) PersistentVolumeClaim (shared-pvc)

Note: This issue applies only to standard SAP EIC deployments using a kubeconfig with cluster-admin privileges, where pods run with the privileged SCC.

This issue does not apply to the Restricted-Access OpenShift Cluster deployment model. In restricted-access deployments, pods do not use the privileged SCC and therefore do not experience the MCS label conflicts described here.

Issue

SAP Edge Integration Cell (EIC) pods sharing a CephFS RWX volume receive "Permission Denied" errors when accessing shared directories. The edge-api pod fails to access /mnt/diagnostics/ and /mnt/dumps/ while the worker pod succeeds.

This causes the Diagnostic Task feature in SAP EIC to fail. When users attempt to run diagnostic tasks via the SAP Integration Suite, the edge-api pod cannot write diagnostic data to the shared volume, resulting in task failures.

Example error from edge-api pod:

ls: cannot open directory '/mnt/diagnostics/': Permission Denied
ls: cannot open directory '/mnt/dumps/': Permission Denied

Affected SAP EIC pods sharing the shared-pvc volume:

  • edge-api
  • worker
  • edc
  • mdc
  • esac
  • auditlog-agent

Resolution

Choose one of the following solutions:

Solution 1: Create a New StorageClass (For New Deployments)

Create a StorageClass with kernelMountOptions that forces a generic SELinux context, so every pod's mount of the volume uses the same label instead of the pod's own MCS label:

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: ocs-storagecluster-cephfs-sap-eic-shared
provisioner: openshift-storage.cephfs.csi.ceph.com
parameters:
  clusterID: openshift-storage
  fsName: ocs-storagecluster-cephfilesystem
  csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner
  csi.storage.k8s.io/provisioner-secret-namespace: openshift-storage
  csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node
  csi.storage.k8s.io/node-stage-secret-namespace: openshift-storage
  kernelMountOptions: context="system_u:object_r:container_file_t:s0"
reclaimPolicy: Delete
allowVolumeExpansion: true
volumeBindingMode: Immediate

When deploying SAP EIC, specify this new StorageClass as the Shared File System Storage Class in the deployment configuration.

Solution 2: Patch Existing PersistentVolume (For Existing Deployments)

For existing deployments where redeployment is not possible, follow the steps in Red Hat KB 7124833 to patch the existing PV with kernelMountOptions.

See: Red Hat KB 7124833 - "Permission Denied" on ODF CephFS RWX Volumes with Custom SCCs

Root Cause

SAP EIC uses the privileged SCC, which has seLinuxContext: RunAsAny. Because the EIC pods do not specify explicit seLinuxOptions in their pod specs, the container runtime assigns each pod a unique MCS (Multi-Category Security) label (for example s0:c10,c25 or s0:c18,c42).

The CephFS CSI driver relabels the shared volume with each pod's specific MCS label during mount. This causes a conflict:

  1. edge-api pod mounts the volume → volume is labeled with edge-api's MCS label
  2. worker pod mounts the volume → volume is relabeled with worker's MCS label
  3. edge-api can no longer access the volume → "Permission Denied"

The last pod to mount the volume "wins" (in this case worker), and other pods like edge-api lose access to /mnt/diagnostics/ and /mnt/dumps/.

Note: This issue does not occur with NFS or CIFS because they do not support SELinux relabeling and receive generic labels (nfs_t:s0, cifs_t:s0).

Diagnostic Steps

  1. Identify the EIC namespace and check pods sharing the volume:

    oc get pods -n edge-icell -o wide
    
  2. Check the security context of the affected pods (for this issue, no explicit seLinuxOptions are set):

    oc get pod edge-api-xxx -n edge-icell -o jsonpath='{.spec.securityContext}'
    oc get pod worker-xxx -n edge-icell -o jsonpath='{.spec.securityContext}'
    
  3. Verify the SCC being used (should show privileged):

    oc get pod edge-api-xxx -n edge-icell -o jsonpath='{.metadata.annotations.openshift\.io/scc}'
    
  4. Confirm the SCC uses RunAsAny:

    oc get scc privileged -o jsonpath='{.seLinuxContext.type}'
    
  5. Check the PVC used by EIC pods:

    oc get pvc shared-pvc -n edge-icell -o yaml
    
  6. Test access from affected pod:

    oc exec -it edge-api-xxx -n edge-icell -- ls -laZ /mnt/diagnostics/
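As an added check that is not part of this article, the following script applies the inspection from steps 1, 2 and 5 offline to an `oc get pods -n edge-icell -o json` dump: it lists the pods that mount shared-pvc and reports them when at least one has no pinned seLinuxOptions level (or they pin different levels), which under a RunAsAny SCC (step 4) is the condition that lets each mount relabel the volume. The `_pod` helper and the two sample dumps are constructed for illustration; pass the contents of a real dump to `mcs_conflict_candidates` instead.

```python
"""Flag pods that share a PVC without a pinned SELinux level: the precondition for the
MCS relabel conflict described above (assumes the SCC was already confirmed RunAsAny)."""
import json
from typing import Optional


def _pod(name: str, claim: Optional[str], level: Optional[str] = None) -> dict:
    """Build a minimal pod object in the shape of `oc get pods -o json` (constructed sample)."""
    volumes = [{"name": "shared", "persistentVolumeClaim": {"claimName": claim}}] if claim else []
    ctx = {"seLinuxOptions": {"level": level}} if level else {}
    return {"metadata": {"name": name}, "spec": {"securityContext": ctx, "volumes": volumes}}


# Constructed samples: the failing layout (no pinned level) and a pinned, non-conflicting one.
SAMPLE_CONFLICT = json.dumps({"items": [_pod("edge-api-abc12", "shared-pvc"),
                                        _pod("worker-def34", "shared-pvc"),
                                        _pod("other-xyz99", None)]})
SAMPLE_PINNED = json.dumps({"items": [_pod("edge-api-abc12", "shared-pvc", "s0:c100,c200"),
                                      _pod("worker-def34", "shared-pvc", "s0:c100,c200")]})


def pods_sharing_pvc(pods_json: str, claim_name: str) -> list:
    """Pods whose spec mounts the PVC named claim_name (step 1 / step 5)."""
    return [p for p in json.loads(pods_json)["items"]
            if any(v.get("persistentVolumeClaim", {}).get("claimName") == claim_name
                   for v in p["spec"].get("volumes", []))]


def selinux_level(pod: dict) -> Optional[str]:
    """Explicit MCS level from the pod-level or any container-level securityContext (step 2)."""
    spec = pod["spec"]
    contexts = [spec.get("securityContext", {})]
    contexts += [c.get("securityContext", {}) for c in spec.get("containers", [])]
    for ctx in contexts:
        level = ctx.get("seLinuxOptions", {}).get("level")
        if level:
            return level
    return None


def mcs_conflict_candidates(pods_json: str, claim_name: str) -> list:
    """Names of the pods sharing the PVC when at least one has no pinned level, or they
    pin different levels. With RunAsAny each unpinned pod gets its own MCS label, and the
    CephFS CSI mount relabels the shared volume to whichever pod mounted last."""
    shared = pods_sharing_pvc(pods_json, claim_name)
    levels = {selinux_level(p) for p in shared}
    if len(shared) < 2 or (len(levels) == 1 and None not in levels):
        return []  # a single pod, or all pods pinned to the same level: no conflict
    return sorted(p["metadata"]["name"] for p in shared)
```

An empty result for a PVC that two or more pods mount means every pod pins the same level, which is what Solution 1 achieves at the mount level instead.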
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.