openebs-archive / dynamic-nfs-provisioner

Operator for dynamically provisioning an NFS server on any Kubernetes Persistent Volume. Also creates an NFS volume on the dynamically provisioned server for enabling Kubernetes RWX volumes.

nfs share volume is not accessible for non-root applications

mittachaitu opened this issue · comments

Describe the problem/challenge you have

  • Provisioned dynamic-nfs volume for a non-root application.
  • Volume provisioning succeeded and the application came into a running state, but it
    was observed that the application is not able to perform writes on the nfs-share volume.

Describe the solution you'd like

  • A better way to address this issue is to add the gid (group ID) option under nfs storageclass parameters.
  • At volume provisioning time, the nfs-share volume can be created with the given gid value (if omitted, it defaults to root).
  • Now, the nfs-share volume is accessible only for users whose group ID or supplemental group is the gid value, or for root users.

Anything else you would like to add:

Backend storage class used for provisioning is LVM-LocalPV.

Environment:

  • OpenEBS version (use kubectl get po -n openebs --show-labels):
  • Kubernetes version (use kubectl version):
  • Cloud provider or hardware configuration:
  • OS (e.g: cat /etc/os-release):
  • kernel (e.g: uname -a):
  • others:

Vote on this issue!

This is an invitation to the OpenEBS community to vote on issues.
Use the "reaction smiley face" up to the right of this comment to vote.

  • 👍 for "The project would be better with this feature added"
  • 👎 for "This feature will not enhance the project in a meaningful way"

Workaround:

As of now, it can be fixed with manual steps:

  • Provision a dynamic-nfs-volume by following described steps.
  • Once provisioning has succeeded, a new deployment whose name starts with nfs-<pv-name> will be created in the openebs namespace, using the backend storageclass.
  • By default, this nfs-share is accessible only by root users; let's make it accessible for specific non-root users as well by running the following patch command (the backend storageclass should be specified with fsType to support the changes).
kubectl patch deploy nfs-pvc-ab34af92-c914-4afb-a25a-517ba2aa12bf -p '{"spec":{"template":{"spec":{"securityContext": {"fsGroup": 100, "fsGroupChangePolicy": "OnRootMismatch"}}}}}' -n openebs

Note: the nfs-share volume permission is now updated to 100.

  • Add the NFS volume group value 100 under supplementalGroups of your application deployment/sts.
kubectl patch deploy transmission -p '{"spec":{"template":{"spec":{"securityContext": {"supplementalGroups": [100]}}}}}'
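
The access rule this workaround relies on, as an added example that is not code from the issue or the project: a model of the POSIX write check on the share root applied to a pod's securityContext, plus the patch body that adds the share's gid without dropping groups the pod already has. The function names, the pod spec, the UIDs and the share modes are constructed assumptions.

```python
def effective_ids(pod_spec, container):
    """UID and group set a container process runs with. Container-level
    runAsUser/runAsGroup override pod-level; supplementalGroups and fsGroup
    are pod-level only. Assumption: unset IDs mean the image runs as 0."""
    pod_sc = pod_spec.get("securityContext", {})
    c_sc = container.get("securityContext", {})
    uid = c_sc.get("runAsUser", pod_sc.get("runAsUser", 0))
    gid = c_sc.get("runAsGroup", pod_sc.get("runAsGroup", 0))
    groups = {gid, *pod_sc.get("supplementalGroups", [])}
    if "fsGroup" in pod_sc:
        groups.add(pod_sc["fsGroup"])
    return uid, groups

def can_write(uid, groups, share):
    """POSIX check for creating files in the share root: write+execute (0o3)
    in the first matching class. Root bypasses the mode bits (assumes the
    export does not squash root)."""
    owner_uid, owner_gid, mode = share
    if uid == 0:
        return True
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & 3 == 3

def supplemental_groups_patch(pod_spec, gid):
    """Patch body for `kubectl patch deploy <app> -p ...`. The list in the
    patch replaces the existing one, so current groups are carried over."""
    current = pod_spec.get("securityContext", {}).get("supplementalGroups", [])
    merged = sorted(set(current) | {gid})
    return {"spec": {"template": {"spec": {
        "securityContext": {"supplementalGroups": merged}}}}}

def audit(pod_spec, share):
    """Map container name -> whether it can write to the share."""
    return {c["name"]: can_write(*effective_ids(pod_spec, c), share)
            for c in pod_spec["containers"]}

# Constructed sample data (not from the issue).
APP = {"securityContext": {"runAsUser": 1000, "runAsGroup": 1000,
                           "supplementalGroups": [2000]},
       "containers": [{"name": "app"},
                      {"name": "init-fix", "securityContext": {"runAsUser": 0}}]}
SHARE_ROOT_ONLY = (0, 0, 0o755)     # root:root, before the fsGroup patch
SHARE_GID_100 = (0, 100, 0o2775)    # group 100 with group write, after it
```

Patching only the NFS server deployment is not enough in this model: `audit(APP, SHARE_GID_100)` still reports the non-root container as unable to write until gid 100 is in its group set.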