Ownership /usr/local/bin changed to kube by Kubespray

[basvandenbrink]

Kubespray changes the owner of /usr/local/bin to the kube user. With Red Hat, this directory is created by the filesystem package. The permissions should not be modified by any application, since it is a core directory of the OS. This also causes verification errors when verifying RPM packages.

The owner is modified by Kubespray here: https://github.com/kubernetes-sigs/kubespray/blob/v2.11.0/roles/kubernetes/preinstall/tasks/0050-create_directories.yml#L20.

Environment:

• Cloud provider or hardware configuration: bare metal

• OS (printf "$(uname -srm)\n$(cat /etc/os-release)\n"):

Linux 3.10.0-1062.el7.x86_64 x86_64
NAME="Red Hat Enterprise Linux Server"
VERSION="7.7 (Maipo)"
ID="rhel"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="7.7"
PRETTY_NAME="Red Hat Enterprise Linux Server 7.7 (Maipo)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:7.7:GA:server"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 7"
REDHAT_BUGZILLA_PRODUCT_VERSION=7.7
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="7.7"

• Version of Ansible (ansible --version): ansible 2.7.12

Kubespray version (commit) (git rev-parse --short HEAD): 86cc703 (v2.11.0)

Network plugin used: Calico

[jseguillon]

Indeed, this line is here to create the directory with kube user as owner if the directory does not exists. Testing if the directory exists before creating it may be a good idea, to avoid owner being changed.

Would you have time to test and provide a pull request ?

[basvandenbrink]

I would love to provide a pull request, but I have to wait until the company gives us permission to sign the CNCF CLA, unfortunately. I cannot give an indication when this will happen.

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[basvandenbrink]

/remove-lifecycle stale

[floryut]

I would love to provide a pull request, but I have to wait until the company gives us permission to sign the CNCF CLA, unfortunately. I cannot give an indication when this will happen.

If you can't sign cla, don't hesitate to propose a patch and we'll pr this for you 👍

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[mpepping]

/remove-lifecycle stale

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[basvandenbrink]

/remove-lifecycle stale

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale

[basvandenbrink]

Seems to be fixed by this commit.

[floryut]

Seems to be fixed by this commit.

Indeed, we forgot to update the issue, sorry for the inconvenience.

[basvandenbrink]

No problem. Just for the sake of administration: it is PR #6814.