Permission problems #129

Closed
ptitvert opened this issue Jul 28, 2021 · 6 comments
Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments


ptitvert commented Jul 28, 2021

Hello,

I don't know if this is the correct place to ask my question; please advise me on the correct location in case it is not.

Our problem is the following: we have an external NFS server using V4, and the IDs for the files/directories are UID=56008 and GID=56001.
We configure the "nfs-subdir-external-provisioner" like this:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nfs-zy-provisioner
  labels:
    app: nfs-zy-provisioner
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: nfs-zy-provisioner
  template:
    metadata:
      labels:
        app: nfs-zy-provisioner
    spec:
      serviceAccountName: nfs-client-provisioner
      containers:
        - name: nfs-zy-provisioner
          image: internal.repository.example.com/k8s-staging-sig-storage/nfs-subdir-external-provisioner:v4.0.2
          volumeMounts:
            - name: nfs-client-root
              mountPath: /persistentvolumes
          env:
            - name: PROVISIONER_NAME
              value: k8s-sigs.io/nfs-XYZ-zy-provisioner
            - name: NFS_SERVER
              value: externalnfs.example.com
            - name: NFS_PATH
              value: /some/where/down/is/my/path/for/exporting
      volumes:
        - name: nfs-client-root
          nfs:
            server: externalnfs.example.com
            path: /some/where/down/is/my/path/for/exporting

That works correctly. Then we have another pod where we mount that resource, and here is an example of what we have:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: docboss-zy-pvc
  annotations:
    volume.beta.kubernetes.io/storage-class: "managed-XYZ-zy-nfs-storage"
spec:
  storageClassName: "managed-XYZ-zy-nfs-storage"
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 10Gi

and

apiVersion: apps/v1
kind: Deployment
metadata:
  name: docbase-deployment
spec:
  template:
    spec:
      volumes:
        - name: docboss-zy
          persistentVolumeClaim:
            claimName: docboss-zy-pvc    
      containers:
        - name: docboss
          volumeMounts:
            - name: docboss-zy
              mountPath: /mnt/externalnfs

And when I connect to the container, I get the following permissions:

drwxrws--- 3 65534 4294967294  73728 Jul  2 07:52 33
drwxrws--- 2 65534 4294967294  69632 Jul  2 07:52 44
drwxrws--- 2 65534 4294967294  90112 Jul  2 07:52 55
-rwxrws--- 1 65534 4294967294 630793 Oct 20  2014 5905001_00001.ZIP

So we have the UID=65534 and GID=4294967294.
I've tried to change the fsGroup to 4294967294, but Kubernetes complains that it can use numbers from 0 to 2147483647 inclusive.
I've tried to use supplementalGroups, with the same error message.

My user/group is quite simple:

/etc/passwd:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin

and /etc/group

root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mem:x:8:
kmem:x:9:
wheel:x:10:
cdrom:x:11:
mail:x:12:
man:x:15:
dialout:x:18:
floppy:x:19:
games:x:20:
tape:x:33:
video:x:39:
ftp:x:50:
lock:x:54:
audio:x:63:
nobody:x:99:
users:x:100:
utmp:x:22:
utempter:x:35:
input:x:999:
systemd-journal:x:190:
systemd-network:x:192:
dbus:x:81:
ssh_keys:x:998:
sshd:x:74:

Of course the GID=4294967294 is not available there. I've tried to add a dummy group in /etc/group with GID=4294967294 and assign it to root, and then reconnect to the session, and I cannot enter directories or read the files, because I get a "permission denied". Fair enough.

So, all of that to ask: how can I access these files without asking for all the files to be changed to permission 777?
Is there a way to add a group in /etc/group and assign it to root?
Or better a way to add the original UID/GID and assign it to the root user which is the container running user?
Or do you have any idea that could help solving that problem?

Thank you very much for your help.

Kind regards,
Alessandro
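The listing in the post above shows the two placeholder values a Linux NFSv4 client falls back to when it cannot map the owner@domain strings the server returns: 65534 (nobody) and 4294967294, which is the unsigned 32-bit form of -2, the old nfsnobody group. They are display artifacts, not identities that exist on the server, so putting 4294967294 into /etc/group or into fsGroup cannot grant anything. With sec=sys the server checks access against the numeric UID and GIDs the client sends in the RPC credential, and a container running as root is normally squashed to the anonymous user, which is why the mode-2770 directories owned by 56008:56001 deny it. The manifest below is an added example, not the project's own and not from the issue: it runs the consuming pod as the identity that owns the export, using numbers well inside the 0 to 2147483647 range the API accepts, instead of opening the files to 777. The image name and labels are assumed; fsGroup is left out because ownership on an NFS export is set by the server, not by the kubelet.

```yaml
# Added example (not from the issue or the provisioner project): run the
# consuming pod with the numeric identity that owns the exported files.
# 56008/56001 are the owner IDs stated in the issue; image and labels are assumed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: docbase-deployment
spec:
  selector:
    matchLabels:
      app: docboss
  template:
    metadata:
      labels:
        app: docboss
    spec:
      securityContext:
        runAsUser: 56008            # owner UID on the NFS server
        runAsGroup: 56001           # owner GID on the NFS server
        supplementalGroups: [56001] # sent in the AUTH_SYS credential, checked by the server
        # fsGroup: 4294967294 is rejected by the API (0..2147483647 only) and is
        # in any case the client's "could not map" placeholder ((uint32)-2),
        # not a group that exists on the server.
      volumes:
        - name: docboss-zy
          persistentVolumeClaim:
            claimName: docboss-zy-pvc
      containers:
        - name: docboss
          image: internal.repository.example.com/docboss:latest   # assumed
          securityContext:
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: docboss-zy
              mountPath: /mnt/externalnfs
```

No /etc/passwd entry is required for a numeric runAsUser; the files will still be listed as 65534:4294967294 inside the container until the ID mapping is fixed, but reads and writes are authorised by the server on the numeric credential, and the setgid bit on the directories keeps new files in group 56001.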


ptitvert commented Aug 5, 2021

Hi,
I have found the problem: our installation of K8S doesn't run 'idmapd' on the worker node.
And in addition to that, the people in charge of the k8s cluster are not willing to do a "systemctl start idmapd" or change anything in the image at all... so all the benefits of NFS V4 are not there.

So how can we use your project if we cannot use 'idmapd' on the worker node?
Or do we need to downgrade and go to NFS V3?

Thank you for your time with my problem. (if someone will ever answer it...)

Regards,
Alessandro


yonatankahana commented Sep 9, 2021

Hi,
Did you try the solution of downgrading to the NFSv3 protocol?
You should be able to do it pretty easily with mountOptions and nfsvers=3 on the StorageClass:

mountOptions:
  - nfsvers=3

Did it work?
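As an added example, not the project's own manifests, here is the StorageClass with the option suggested above, plus a PV/PVC pair for the provisioner's own root mount: the in-line nfs: volume in the issue's Deployment has no mountOptions field, so forcing v3 there as well needs a PersistentVolume. Names, server and path are taken from the issue; the archiveOnDelete value is assumed. On the security side, NFSv3 with AUTH_SYS trusts the numeric IDs the client asserts exactly as NFSv4 with sec=sys does, so the server's access check is unchanged; what is dropped is the NFSv4 named-owner model and with it the dependency on rpc.idmapd on the worker nodes, which is the point here.

```yaml
# Added example (not the project's own manifest): pin the PVs this class
# provisions to NFSv3 so numeric UID/GID travel on the wire and no rpc.idmapd
# is needed on the worker nodes. Names, server and path copied from the issue.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: managed-XYZ-zy-nfs-storage
provisioner: k8s-sigs.io/nfs-XYZ-zy-provisioner
mountOptions:
  - nfsvers=3
parameters:
  archiveOnDelete: "false"   # provisioner parameter; value assumed
---
# The provisioner's own root mount: an in-line `nfs:` volume cannot carry
# mountOptions, so give the provisioner a PV/PVC of its own.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: nfs-zy-provisioner-root
spec:
  capacity:
    storage: 10Mi              # nominal; NFS does not enforce it
  accessModes: [ReadWriteMany]
  persistentVolumeReclaimPolicy: Retain
  storageClassName: ""         # static PV, not managed by the class above
  mountOptions:
    - nfsvers=3
  nfs:
    server: externalnfs.example.com
    path: /some/where/down/is/my/path/for/exporting
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nfs-zy-provisioner-root
spec:
  accessModes: [ReadWriteMany]
  storageClassName: ""
  volumeName: nfs-zy-provisioner-root
  resources:
    requests:
      storage: 10Mi
```

In the provisioner Deployment from the issue, replace the nfs-client-root volume's nfs: block with persistentVolumeClaim: claimName: nfs-zy-provisioner-root and keep NFS_SERVER and NFS_PATH unchanged. Only PVs provisioned after the class is updated pick up nfsvers=3; PVs that already exist keep the mount options they were created with.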

spiffxp added a commit to spiffxp/nfs-subdir-external-provisioner that referenced this issue Sep 20, 2021
@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 8, 2021
@k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jan 7, 2022
@k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue or PR with /reopen
  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

@k8s-ci-robot

@k8s-triage-robot: Closing this issue.

humblec pushed a commit to humblec/nfs-subdir-external-provisioner that referenced this issue May 11, 2022