nfs share volume is not accessible for non-root applications
mittachaitu opened this issue
Sai Chaithanya commented
Describe the problem/challenge you have
- Provisioned dynamic-nfs volume for a non-root application.
- Volume provisioning succeeded and the application came into a running state, but it was observed that the application is not able to perform writes on the nfs-share volume.
Describe the solution you'd like
- A better way to address this issue is to add the gid (group ID) option under nfs storageclass parameters.
- During volume provisioning time the nfs-share volume can be created with the given gid value (if omitted, defaults to root).
- Now, the nfs-share volume is accessible only for users whose group ID or supplemental group is the gid value, or root users.
Anything else you would like to add:
Backend storage class used for provisioning is LVM-LocalPV.
Environment:
- OpenEBS version (use kubectl get po -n openebs --show-labels):
- Kubernetes version (use kubectl version):
- Cloud provider or hardware configuration:
- OS (e.g: cat /etc/os-release):
- kernel (e.g: uname -a):
- others:
Sai Chaithanya commented
Workaround:
As of now, it can be fixed with manual steps:
- Provision a dynamic-nfs-volume by following the described steps.
- Once the provisioning has succeeded, a new deployment whose name starts with nfs-<pv-name> will be created in the openebs namespace by using the backend storageclass.
- By default, this nfs-share is accessible only by root users; let's make it accessible for specific non-root users also by running the following patch command (backend storageclass should be specified with fsType to support changes).
kubectl patch deploy nfs-pvc-ab34af92-c914-4afb-a25a-517ba2aa12bf -p '{"spec":{"template":{"spec":{"securityContext": {"fsGroup": 100, "fsGroupChangePolicy": "OnRootMismatch"}}}}}' -n openebs
Note: now nfs-share volume permission is updated to 100.
- Add value of NFS volume group 100 under supplementalGroups of your application deployment/sts.
kubectl patch deploy transmission -p '{"spec":{"template":{"spec":{"securityContext": {"supplementalGroups": [100]}}}}}'
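Why both patches in the workaround above are needed, as an added example that is not part of the original comment or the OpenEBS code: a small model of the fsGroup ownership change and the POSIX write check on the export directory. The starting ownership (root:root, mode 0755), the application uid/gid of 1000 and the assumption that root is not squashed by the NFS export are constructed for illustration; `ExportDir`, `apply_fsgroup` and `can_write` are hypothetical names.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class ExportDir:
    uid: int   # owning user of the nfs-share root
    gid: int   # owning group of the nfs-share root
    mode: int  # permission bits, e.g. 0o755


def apply_fsgroup(d: ExportDir, fs_group: int) -> ExportDir:
    """Model of what Kubernetes does to a volume root when
    securityContext.fsGroup is set: the owning group becomes fsGroup,
    the setgid bit is set, and rw-rw---- is OR'd into the mode."""
    return ExportDir(d.uid, fs_group, d.mode | stat.S_ISGID | 0o660)


def can_write(d: ExportDir, uid: int, gid: int, supplemental=()) -> bool:
    """POSIX class selection: owner bits, else group bits, else other bits.
    Creating files in a directory needs both write and search (w+x)."""
    if uid == 0:
        return True  # assumption: the export does not squash root
    if uid == d.uid:
        bits = (d.mode >> 6) & 0o7
    elif gid == d.gid or d.gid in supplemental:
        bits = (d.mode >> 3) & 0o7
    else:
        bits = d.mode & 0o7
    return (bits & 0o3) == 0o3


def workaround_states():
    """Walk the three states of the workaround for a uid/gid 1000 app."""
    before = ExportDir(uid=0, gid=0, mode=0o755)   # constructed default
    after = apply_fsgroup(before, 100)             # first kubectl patch
    return {
        "default share": can_write(before, 1000, 1000),
        "fsGroup only": can_write(after, 1000, 1000),
        "fsGroup + supplementalGroups": can_write(after, 1000, 1000, (100,)),
    }


if __name__ == "__main__":
    for state, ok in workaround_states().items():
        print(f"{state:30s} writable={ok}")
```

The middle state is the one to watch for: patching only the nfs-server deployment changes the share's group, but the application still falls into the "other" class until group 100 is in its supplementalGroups.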