Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support securityContext:fsGroup (some container writes to volume using custom user/group id) #1604

Closed
WalkerWalker opened this issue Mar 7, 2023 · 2 comments · Fixed by #1613
Closed

Add support securityContext:fsGroup (some container writes to volume using custom user/group id) #1604

WalkerWalker opened this issue Mar 7, 2023 · 2 comments · Fixed by #1613
Assignees
@AhmedGrati
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@WalkerWalker
Copy link

WalkerWalker commented Mar 7, 2023
edited
Loading

Expected Behavior

Being able to convert a simple docker-compose with just one service -- pgadmin
and use the generated files directly

Actual Behavior

As the volume is mounted on the containers owned by root, the container cannot write into it. pgadmin gives out error message Permission denied: ‘/var/lib/pgadmin/sessions’

One way to solve it is to add securityContext: fsGroup

  spec:
      containers:
          ....
          name: pgadmin
          resources: {}
          volumeMounts:
            - mountPath: /var/lib/pgadmin
              name: pgadmin-data
      securityContext: # manutally added line
        fsGroup: 5050 # manutally added line

In this way the pod will run without error.

Steps To Reproduce

kompose convert -f docker-compose.yaml --provider openshift

Kompose Version

1.28.0 (c4137012e)

Docker-Compose file

version: '3.8'
volumes:
  pgadmin-data:

services:
  pgadmin:
    image: dpage/pgadmin4
    environment:
      PGADMIN_DEFAULT_EMAIL: [email protected]
      PGADMIN_DEFAULT_PASSWORD: pgadmin_password
    volumes:
      - pgadmin-data:/var/lib/pgadmin

Anything else?

I haven't figure out why the same error doesn't occur when using docker-compose. Apparently it does not always mount with root:root. fsGroup is just one way. Another way I know would be using initContainer and chmod the path but I guess that would be more messy in terms of kompose conversion. If we can just add some kompose label to indicate the fsGroup, then I think it would help a lot. pgadmin is just one example. grafana, and probably other commom images as well, all have this problem.
@WalkerWalker WalkerWalker added the kind/bug Categorizes issue or PR as related to a bug. label Mar 7, 2023
@AhmedGrati
Copy link
Contributor

/assign

@AhmedGrati AhmedGrati mentioned this issue Mar 12, 2023
Merged
@WalkerWalker
Copy link
Author

/reopen

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@AhmedGrati AhmedGrati

Labels
kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Feat support security fsgroup AhmedGrati/kompose
2 participants
@WalkerWalker @AhmedGrati