Clone job fails due to scc issue

Cloned-restore fails on OpenShift clusters with a Security Context Constraint (SCC) permissions issue

Description: Cloned-restore Job failed to be executed

Similar to the way RBAC resources control user access, administrators can use Security Context Constraints (SCCs) to control permissions for pods. K10 allows applications to be restored in-place (overwriting) or cloned-restore (to a different namespace) on the same cluster.

Generally, an SCC is granted to a Service Account (SA) in the application namespace. Depending on how an application is configured with SCC permissions, cloned-restores can fail, because the application resources are brought back into a new namespace where that grant does not exist.

Error: Failed to restore spec artifacts

Cloned-restore jobs time out and eventually fail because the SCC that provides the application's security context was granted to the service account in the original application namespace only; the same service account in the cloned namespace has no such grant, so the application's pod stays in a non-running state. Following the steps below can help resolve this issue.

e.g.
Namespace = quay-enterprise
SCC (during deployment) = anyuid
SA = default
Cloned namespace = quay-enterprise-restore

$ oc logs postgres-856bf449fb-p7r6t
chmod: changing permissions of '/var/lib/pgsql/data/userdata': Operation not permitted

$ oc get pods
NAME                                          READY   STATUS             RESTARTS   AGE
postgres-856bf449fb-p7r6t                     0/1     CrashLoopBackOff   5          3m40s
quay-enterprise-app-dff657895-nvh8n           1/1     Running            1          3m40s
quay-enterprise-config-app-74f5cd5558-94w6d   1/1     Running            0          3m40s
quay-enterprise-redis-65fb758bff-l2c8l        1/1     Running            0          3m40s

Resolution

There are a few ways to overcome such failures:

  1. Identify the SCC used for this application in the appropriate Service Account and manually update the SA (default) with this SCC (anyuid) in the cloned-restore namespace
    e.g.
    $ oc project quay-enterprise-restore
    $ oc edit serviceaccount default
  2. Run the following command to patch the default Service Account
    $ oc project quay-enterprise-restore
    $ oc adm policy add-scc-to-user anyuid -z default
  3. Deploy the application into a target namespace and use K10 to recover all data:

    Go to the K10 dashboard --> Applications
    Select restore under the original namespace (quay-enterprise)
    Select the restorepoint
    Click Restore using a Different Name: type quay-enterprise-restore
    Select Data-Only Restore --> Restore
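The following shell helper is an added example and is not part of this article or of K10. It takes the users list of an SCC (as printed by `oc get scc anyuid -o jsonpath='{.users}'`) and checks whether the default SA of the cloned namespace already holds the grant, printing the remediation command from step 2 when it does not. The namespace, SA and SCC names are the article's; the sample users list is constructed.

```shell
#!/bin/sh
# Added example (not from the Kasten KB article). Check whether a service account
# is listed as a user of an SCC and, if not, print the command that grants it.
# On a live cluster obtain the list with:
#   USERS=$(oc get scc anyuid -o jsonpath='{.users}')

# Identity string OpenShift stores for a service account in an SCC's users list.
sa_user() {
  printf 'system:serviceaccount:%s:%s\n' "$1" "$2"
}

# check_scc_grant SCC_NAME USERS_LIST NAMESPACE SA
# USERS_LIST is the raw jsonpath output, e.g. ["system:serviceaccount:ns:default"].
# Prints "granted" and returns 0 when the SA is already a user of the SCC;
# otherwise prints the grant command (the article's step 2) and returns 1.
check_scc_grant() {
  scc=$1; users=$2; ns=$3; sa=$4
  want=$(sa_user "$ns" "$sa")
  # Split the list on brackets, quotes and commas and compare whole entries, so
  # quay-enterprise is never mistaken for quay-enterprise-restore by prefix.
  for entry in $(printf '%s' "$users" | tr '[]",' '    '); do
    if [ "$entry" = "$want" ]; then
      echo "granted"
      return 0
    fi
  done
  echo "oc adm policy add-scc-to-user $scc -z $sa -n $ns"
  return 1
}

# Constructed sample: anyuid was granted only to the default SA of the original
# namespace during deployment, which is the situation the article describes.
SAMPLE_USERS='["system:serviceaccount:quay-enterprise:default"]'

check_scc_grant anyuid "$SAMPLE_USERS" quay-enterprise default
check_scc_grant anyuid "$SAMPLE_USERS" quay-enterprise-restore default || true
```

Note that a grant made through a RoleBinding (which is how `oc adm policy add-scc-to-user` records it on OpenShift 4) does not appear in the SCC's users list, so on such clusters check the namespace's role bindings as well.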