Canonical Juju

Leader for k8s charms should be able to read/write its own databag

Bug #1876097 reported by Achilleas Anagnostopoulos on 2020-04-30

This bug affects 4 people

Affects		Status	Importance	Assigned to	Milestone
	Canonical Juju	Fix Released	Medium	Achilleas Anagnostopoulos	Canonical Juju 2.8-rc1

Bug Description

While the fix for https://bugs.launchpad.net/juju/+bug/1854348 resolved the problem for ordinary charms, it didn't resolve it for k8s charms.

To reproduce:

```
$ juju bootstrap microk8s mk8s
$ juju deploy cs:~aisrael/bundle/mediawiki-k8s-0
$ juju status
controller mk8s microk8s/localhost 2.8-rc1 unsupported 13:24:21+01:00

App Version Status Scale Charm Store Rev OS Address Notes
mariadb-k8s active 1 mariadb-k8s jujucharms 2 kubernetes 10.152.183.132
mediawiki-k8s active 1 mediawiki-k8s jujucharms 3 kubernetes 10.152.183.7

Unit Workload Agent Address Ports Message
mariadb-k8s/0* active idle 10.1.49.64 3306/TCP
mediawiki-k8s/0* active idle 10.1.49.65 80/TCP

# Writing or reading the app databag from the leader charm fails with permission errors
$ juju run --unit mariadb-k8s/0 'is-leader'
True

$ juju run --unit mariadb-k8s/0 'relation-set -r 0 --app myapp=mariadb'
ERROR cannot read relation application settings: permission denied

$ juju run --unit mariadb-k8s/0 'relation-get -r 0 --app - mariadb-k8s'
ERROR permission denied
```

Achilleas Anagnostopoulos (achilleasa) on 2020-04-30

Changed in juju:
status:	New → In Progress
importance:	Undecided → Medium
assignee:	nobody → Achilleas Anagnostopoulos (achilleasa)
milestone:	none → 2.8-rc1

Revision history for this message

Junien F (axino) wrote on 2020-04-30:

Enabling TRACE logging on the controller, I can see :

controller-0: 12:57:00 TRACE juju.apiserver.common server RPC error [{/workspace/_build/src/github.com/juju/juju/apiserver/facades/agent/uniter/uniter.go:1672: } {/workspace/_build/src/github.com/juju/juju/apiserver/common/errors.go:128: permission denied}]

Note that this basically making the operator-framework pgsql interface [1] unusable.

[1] https://git.launchpad.net/~stub/interface-pgsql/+git/operator/

Revision history for this message

Achilleas Anagnostopoulos (achilleasa) wrote on 2020-05-01:

The problem occurs because in k8s scenarios, there is only one operator and it logs in as the application instead of the unit as agents do in non-k8s scenarios. As a result, the leadership check performed by the controller (requires both an app *and* a unit tag) fails and a permission error is returned back to the caller.

We are currently looking for a suitable workaround.

Revision history for this message

Achilleas Anagnostopoulos (achilleasa) wrote on 2020-05-04:

PR https://github.com/juju/juju/pull/11526 contains a fix for the develop branch.

Achilleas Anagnostopoulos (achilleasa) on 2020-05-05

Changed in juju:
status:	In Progress → Fix Committed

Harry Pidcock (hpidcock) on 2020-06-04

Changed in juju:
status:	Fix Committed → Fix Released

Revision history for this message

John A Meinel (jameinel) wrote on 2020-06-23:

Is it possible to have this fix backported to the 2.7 series?

Revision history for this message

Achilleas Anagnostopoulos (achilleasa) wrote on 2020-06-23:

The linked PR for the fix bumps the versioning of the uniter facade and that particular facade version on 2.8 contains additional changes for features that are part of the 2.8 release (e.g. commit hook changes in a single txn, the server-side state storage for charms). To this end, I am not sure whether backporting this to 2.7 is feasible unless we also want to backport the 2.8 features as well.

Report a bug

This report contains Public information

Everyone can see this information.

Duplicates of this bug

Bug #1876816

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.