[
https://issues.apache.org/jira/browse/FLINK-36544?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17889756#comment-17889756
]
Keith Wall edited comment on FLINK-36544 at 10/16/24 9:53 AM:
--------------------------------------------------------------
I've investigated the error and I can see the issue is a file permission error
on the manifests/flink-kubernetes-operator.clusterserviceversion.yaml within
the bundle container image.
{{docker save quay.io/k_wall/flink-op-bundle:1.10.0_f > bundle.tar}}
{{tar xvf bundle.tar}}
{{for i in $(find . -name layer.tar)}}
{{do}}
{{ tar tvf $i}}
{{done}}
{{drwxr-xr-x 0 0 0 0 15 Oct 17:40 metadata/}}
{{{-}rw-r{-}{-}r{-}- 0 0 0 575 15 Oct 17:40
metadata/annotations.yaml}}
{{drwxr-xr-x 0 0 0 0 15 Oct 17:40 manifests/}}
{{{-}rw{-}------ 0 0 0 127947 15 Oct 17:40
manifests/flink-kubernetes-operator.clusterserviceversion.yaml}}
{{{-}rw-r{-}{-}r{-}- 0 0 0 8828 15 Oct 17:40
manifests/flink-operator-config_v1_configmap.yaml}}
{{{-}rw-r{-}{-}r{-}- 0 0 0 124 15 Oct 17:40
manifests/flink-operator-webhook-secret_v1_secret.yaml}}
{{{-}rw-r{-}{-}r{-}- 0 0 0 503 15 Oct 17:40
manifests/flink-role-binding_rbac.authorization.k8s.io_v1_rolebinding.yaml}}
{{{-}rw-r{-}{-}r{-}- 0 0 0 520843 15 Oct 17:40
manifests/flink.apache.org_flinkdeployments.yaml}}
{{{-}rw-r{-}{-}r{-}- 0 0 0 8316 15 Oct 17:40
manifests/flink.apache.org_flinksessionjobs.yaml}}
{{{-}rw-r{-}{-}r{-}- 0 0 0 2579 15 Oct 17:40
manifests/flink.apache.org_flinkstatesnapshots.yaml}}
{{{-}rw-r{-}{-}r{-}- 0 0 0 658 15 Oct 17:40
manifests/flink_rbac.authorization.k8s.io_v1_role.yaml}}
{{{-}rw-r{-}{-}r{-}- 0 0 0 342 15 Oct 17:40
manifests/flink_v1_serviceaccount.yaml}}
Notice that the manifests/flink-kubernetes-operator.clusterserviceversion.yaml
has no group or other read permission.
I found this issue is the sed --in-place command
[https://github.com/apache/flink-kubernetes-operator/blob/d72e3ce294e3902cf041811e0fcf2ba50880cc31/tools/olm/docker-entry.sh#L101]
sed doesn't preserve the group permissions as it shuffles the replacement file
over the original one.
EDIT: there seems to be a host dimension to this issue. [~sbarker] who uses
Linux couldn't reproduce this issue.
was (Author: k-wall):
I've investigated the error and I can see the issue is a file permission error
on the manifests/flink-kubernetes-operator.clusterserviceversion.yaml within
the bundle container image.
{{docker save quay.io/k_wall/flink-op-bundle:1.10.0_f > bundle.tar}}
{{tar xvf bundle.tar}}
{{for i in $(find . -name layer.tar)}}
{{do}}
{{ tar tvf $i}}
{{done}}
{{drwxr-xr-x 0 0 0 0 15 Oct 17:40 metadata/}}
{{{-}rw-r{-}{-}r{-}- 0 0 0 575 15 Oct 17:40
metadata/annotations.yaml}}
{{drwxr-xr-x 0 0 0 0 15 Oct 17:40 manifests/}}
{{{-}rw{-}------ 0 0 0 127947 15 Oct 17:40
manifests/flink-kubernetes-operator.clusterserviceversion.yaml}}
{{{-}rw-r{-}{-}r{-}- 0 0 0 8828 15 Oct 17:40
manifests/flink-operator-config_v1_configmap.yaml}}
{{{-}rw-r{-}{-}r{-}- 0 0 0 124 15 Oct 17:40
manifests/flink-operator-webhook-secret_v1_secret.yaml}}
{{{-}rw-r{-}{-}r{-}- 0 0 0 503 15 Oct 17:40
manifests/flink-role-binding_rbac.authorization.k8s.io_v1_rolebinding.yaml}}
{{{-}rw-r{-}{-}r{-}- 0 0 0 520843 15 Oct 17:40
manifests/flink.apache.org_flinkdeployments.yaml}}
{{{-}rw-r{-}{-}r{-}- 0 0 0 8316 15 Oct 17:40
manifests/flink.apache.org_flinksessionjobs.yaml}}
{{{-}rw-r{-}{-}r{-}- 0 0 0 2579 15 Oct 17:40
manifests/flink.apache.org_flinkstatesnapshots.yaml}}
{{{-}rw-r{-}{-}r{-}- 0 0 0 658 15 Oct 17:40
manifests/flink_rbac.authorization.k8s.io_v1_role.yaml}}
{{{-}rw-r{-}{-}r{-}- 0 0 0 342 15 Oct 17:40
manifests/flink_v1_serviceaccount.yaml}}
Notice that the manifests/flink-kubernetes-operator.clusterserviceversion.yaml
has no group or other read permission.
I found this issue is the sed --in-place command
[https://github.com/apache/flink-kubernetes-operator/blob/d72e3ce294e3902cf041811e0fcf2ba50880cc31/tools/olm/docker-entry.sh#L101]
sed doesn't preserve the group permissions as it shuffles the replacement file
over the original one.
> Failing to generate working OLM bundle (open
> manifests/flink-kubernetes-operator.clusterserviceversion.yaml: permission
> denied)
> -------------------------------------------------------------------------------------------------------------------------------
>
> Key: FLINK-36544
> URL: https://issues.apache.org/jira/browse/FLINK-36544
> Project: Flink
> Issue Type: Bug
> Components: Kubernetes Operator
> Environment: minikube version
> minikube version: v1.33.1
> commit: 248d1ec5b3f9be5569977749a725f47b018078ff
> Host:
> uname -a
> Darwin Oslo.fritz.box 22.6.0 Darwin Kernel Version 22.6.0: Wed Jul 31
> 21:42:48 PDT 2024; root:xnu-8796.141.3.707.4~1/RELEASE_X86_64 x86_64
> I get the same beneath on OpenShift
> oc version
> Client Version: 4.14.3
> Kustomize Version: v5.0.1
> Server Version: 4.16.9
> Kubernetes Version: v1.29.7+4510e9c
>
> Reporter: Keith Wall
> Priority: Major
> Labels: pull-request-available
>
> I'm trying to generate an updated OLM bundle from main.
> I have overridden BUNDLE_VERSION (to 1.10.0), DOCKER_REGISTRY, DOCKER_ORG and
> IMAGE_TAG to 1.10.0 (to my organisation on Quay.io).
> I run tools/olm/generate-olm-bundle.sh successfully and then follow the
> prompts produced by the script to create the resources.
> CatalogSource step succeeds but I fail at the next step (after creating
> OperatorGroup and Subscription).
> The job that gets created by OLM:
> {{oc get jobs}}
> {{NAME
> COMPLETIONS DURATION AGE}}
> {{{}29c1443d94822f7573c33016099d04790c8f9849aaa938374a0fd807fe11048 0/1
> 6m{}}}19s 6m19s
> fails like this:
> {{oc get pods}}
> {{NAME READY
> STATUS RESTARTS AGE}}
> {{29c1443d94822f7573c33016099d04790c8f9849aaa938374a0fd807fe7vbgf 0/1
> Init:Error 0 7m17s}}
> {{29c1443d94822f7573c33016099d04790c8f9849aaa938374a0fd807fejdf7v 0/1
> Init:Error 0 7m27s}}
> {{29c1443d94822f7573c33016099d04790c8f9849aaa938374a0fd807fezfxqh 0/1
> Init:Error 0 6m17s}}
> {{29c1443d94822f7573c33016099d04790c8f9849aaa938374a0fd807feztg5v 0/1
> Init:Error 0 6m57s}}
> {{olm-flink-operator-catalog-48rp4 1/1
> Running 0 8m19s}}
> Doing an oc describe on the pod:
> {{ State: Terminated}}
> {{ Reason: Error}}
> {{ Message: skipping a dir without errors: /}}
> {{skipping a dir without errors: /bundle}}
> {{skipping all files in the dir: /dev}}
> {{skipping a dir without errors: /etc}}
> {{skipping a dir without errors: /manifests}}
> {{skipping a dir without errors: /metadata}}
> {{skipping all files in the dir: /proc}}
> {{skipping a dir without errors: /run}}
> {{skipping a dir without errors: /run/secrets}}
> {{skipping a dir without errors: /run/secrets/rhsm}}
> {{skipping a dir without errors: /run/secrets/rhsm/ca}}
> {{skipping all files in the dir: /sys}}
> {{skipping a dir without errors: /util}}
> {{skipping a dir without errors: /var}}
> {{skipping a dir without errors: /var/run}}
> {{skipping a dir without errors: /var/run/secrets}}
> {{skipping a dir without errors: /var/run/secrets/kubernetes.io}}
> {{skipping a dir without errors:
> /var/run/secrets/kubernetes.io/serviceaccount}}
> {{skipping a dir without errors:
> /var/run/secrets/kubernetes.io/serviceaccount/..2024_10_15_16_42_33.823288185}}
> {{{}&{metadata/annotations.yaml manifests/{}}}}
> {{open manifests/flink-kubernetes-operator.clusterserviceversion.yaml:
> permission denied}}
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
