Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added support for non-root EFS files ownership #268

Merged
merged 4 commits into from
Jul 28, 2022
Merged

Added support for non-root EFS files ownership #268

merged 4 commits into from
Jul 28, 2022

Conversation

AlexandreBrown
Copy link
Contributor

@AlexandreBrown AlexandreBrown commented Jun 21, 2022
edited
Loading

Which issue is resolved by this Pull Request:
Resolves #267

Description of your changes:
Added uid & gid parameters for the automated script to setup EFS for non-root user.

Testing:

  • Tested read/write of volumes on vanilla kubeflow 1.4.1 using v1.4.1-aws-b1.0.0 on a new eks cluster.
  • Tested read/write of volumes on vanilla kubeflow 1.5.1 using latest main (5d348d4) on a new eks cluster.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@AlexandreBrown AlexandreBrown changed the title Feat/267 Feat/267 Added possibility to use EFS as non-root user Jun 21, 2022
@AlexandreBrown AlexandreBrown force-pushed the feat/267 branch 5 times, most recently from 3259bb4 to 13c6243 Compare June 21, 2022 20:56
@AlexandreBrown AlexandreBrown changed the title Feat/267 Added possibility to use EFS as non-root user Added possibility to use EFS as non-root user Jun 21, 2022
@AlexandreBrown AlexandreBrown changed the title Added possibility to use EFS as non-root user Added support for using EFS as non-root user Jun 21, 2022
@AlexandreBrown AlexandreBrown changed the title Added support for using EFS as non-root user Added support for setting up EFS as non-root user Jun 21, 2022
@AlexandreBrown AlexandreBrown changed the title Added support for setting up EFS as non-root user Added support for setting up EFS for non-root notebook user Jun 21, 2022
@AlexandreBrown AlexandreBrown changed the title Added support for setting up EFS for non-root notebook user Added support for setting up EFS for non-root Notebook user Jun 21, 2022
@surajkota
Copy link
Contributor

@mbaijal can you look into this one?

@AlexandreBrown thanks for the contribution. Could you explain how you found the default UID and GID of this user?

@surajkota surajkota requested a review from mbaijal June 21, 2022 23:46
@AlexandreBrown
Copy link
Contributor Author

AlexandreBrown commented Jun 22, 2022
edited
Loading

@AlexandreBrown thanks for the contribution. Could you explain how you found the default UID and GID of this user?

Sure, here are some resources that I visisted to learn more about what the UID & GID should be for Kubeflow Notebooks :

It's also mentionned in some issues (eg: kubeflow/kubeflow#5808)

I also tested it on a fresh install by doing id -u jovyan in a terminal, this returned 1000 and id -g jovyan returned 100.

Also I noticed that in Kubeflow notebook base image, we set an environment variable to 1000 for the uid https://github.com/kubeflow/kubeflow/blob/7f4231de77eaaa2029112f950eea0245de8d3ef9/components/example-notebook-servers/base/Dockerfile#L5

@AlexandreBrown
Copy link
Contributor Author

AlexandreBrown commented Jun 22, 2022
edited
Loading

After further investigation I discovered that the parameters are ignored.

It seems like even though we can specify the gid and uid and that even kubectl describe sc efs-sc shows the parameters correctly applied, regardless of the gid and uid, the access points that get automatically created when a PVC is created ignores those.

Any idea why ?

Might be related :

I do not fully understand why but non-root user can read/write EFS volumes even as non-root.
The only issue that is still present is folders are not owned by the notebook user, they are owned by some generated uid/gid created by the access point (eg: 50000:50000, ... 50004:50004, ... etc).
Screenshot from 2022-06-22 21-21-28

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: efs-sc
mountOptions:
- tls
parameters:
  directoryPerms: '700'
  fileSystemId: fs-XXXXXX
  gid: "100"
  uid: "1000"
  provisioningMode: efs-ap
provisioner: efs.csi.aws.com
reclaimPolicy: Delete
volumeBindingMode: WaitForFirstConsumer
allowVolumeExpansion: true

This means that the issue about git complaning that the repo folder is not owned by the user is still present but at least it's not a blocker, users can still read write.

Will continue to investigate, let me know if you know why and how we can make sure files that are created are owned by the selected uid and gid.

Created an issue to get more insight: kubernetes-sigs/aws-efs-csi-driver#726

@AlexandreBrown AlexandreBrown changed the title Added support for setting up EFS for non-root Notebook user Added fix for running EFS as non-root Notebook user Jun 23, 2022
@AlexandreBrown
Copy link
Contributor Author

AlexandreBrown commented Jun 28, 2022
edited
Loading

UPDATE

Sorry for the delay @surajkota @mbaijal ,
After further testing and investigation (thanks to the Kubernetes community) I was able to confirm that the issue comes from the EFS CSI driver version.

Using v1.4.0 produces the expected behaviour and allows the fix from this MR to be applied for the gid and uid !

Result after setting up EFS with driver version v1.4.0 + using fix of this MR :
Screenshot from 2022-06-28 17-57-17
Screenshot from 2022-06-28 17-59-18

We can see the file system now correctly assigns the gid and uid that we passed in the efs setup script.
This completely fixes the issue where git new version complains that you don't own the directory and therefore cannot use git unless you add the directory to a safe directory whitelist etc.

@AlexandreBrown
Copy link
Contributor Author

Will improve doc for manual setup to mention that you need to replace the place holders for dynamic provisioning etc.

@AlexandreBrown AlexandreBrown changed the title Added fix for running EFS as non-root Notebook user Added support for non-root EFS files ownership Jun 29, 2022
@mbaijal
Copy link
Contributor

mbaijal commented Jul 6, 2022

UPDATE

Sorry for the delay @surajkota @mbaijal , After further testing and investigation (thanks to the Kubernetes community) I was able to confirm that the issue comes from the EFS CSI driver version.

Using v1.4.0 produces the expected behaviour and allows the fix from this MR to be applied for the gid and uid !

Result after setting up EFS with driver version v1.4.0 + using fix of this MR : Screenshot from 2022-06-28 17-57-17 Screenshot from 2022-06-28 17-59-18

We can see the file system now correctly assigns the gid and uid that we passed in the efs setup script. This completely fixes the issue where git new version complains that you don't own the directory and therefore cannot use git unless you add the directory to a safe directory whitelist etc.

Thanks a lot @AlexandreBrown for this effort and investigation. I will look into these changes and also test them from my side before approving this PR. Apologies for the delay on this.

ryansteakley
ryansteakley approved these changes Jul 28, 2022
View reviewed changes
Copy link
Contributor

@ryansteakley ryansteakley left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks!

@mbaijal mbaijal merged commit d24b7eb into awslabs:main Jul 28, 2022
@AlexandreBrown AlexandreBrown deleted the feat/267 branch July 29, 2022 00:04
surajkota pushed a commit to surajkota/kubeflow-manifests that referenced this pull request Aug 6, 2022
@AlexandreBrown @surajkota
Added support for non-root EFS files ownership (awslabs#268)
adc9dcc 
* Updated documentation about EFS permissions

* Added gid & uid to auto efs script

* Updated EFS CSI driver to v1.4.0

* feat/267 Updated documentation about EFS & added default value for uid & gid
surajkota pushed a commit to surajkota/kubeflow-manifests that referenced this pull request Aug 6, 2022
@AlexandreBrown @surajkota
Added support for non-root EFS files ownership (awslabs#268)
26e02ef 
* Updated documentation about EFS permissions

* Added gid & uid to auto efs script

* Updated EFS CSI driver to v1.4.0

* feat/267 Updated documentation about EFS & added default value for uid & gid
surajkota added a commit that referenced this pull request Aug 6, 2022
@surajkota @rrrkharse
@AlexandreBrown @monkEsh @kjvjobin @theofpa
Cherry pick few more bug fixes to 1.5.1-1.0.1 (#316)
2a536c3 
* Set s3 endpoint in workflow-controller-configmap from pipeline-install-config (#291)

* Added support for non-root EFS files ownership (#268)

* Updated documentation about EFS permissions

* Added gid & uid to auto efs script

* Updated EFS CSI driver to v1.4.0

* feat/267 Updated documentation about EFS & added default value for uid & gid

* Update kserve.md (#304)

* update: Adding a missing preposition in cognito guide (#307)

The preposition "to" was missing in cognito guide

* add cdk support for private subnets detection (#295)

Co-authored-by: rrrkharse <[email protected]>
Co-authored-by: Alexandre Brown <[email protected]>
Co-authored-by: Gitesh Shinde <[email protected]>
Co-authored-by: Jobin <[email protected]>
Co-authored-by: Theofilos Papapanagiotou <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ryansteakley ryansteakley ryansteakley approved these changes

@mbaijal mbaijal mbaijal approved these changes

@akartsky akartsky akartsky approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[EFS] Fix directory & file ownership for non-root users
5 participants
@AlexandreBrown @surajkota @mbaijal @akartsky @ryansteakley