
Provisioned disks for custom agent permission denied #741

Closed
Dobosz opened this issue Dec 9, 2023 · 3 comments

Comments

@Dobosz
Contributor

Dobosz commented Dec 9, 2023

A custom agent running on a stateful set mounts the volume with mode 755, owned by id=0. Since the container runs as user id=10000, there is no write permission on the mounted disk. I understand this is not the desired behaviour.

Agent description:

  - name: "Google Drive Source"
    id: "google-drive-src"
    type: "python-source"
    configuration:
      className: "application.GoogleDriveFileLangChain"
      driveId: "[redacted]"
      idleTime: 60
      pageSize: 20
      environment:
        - key: "DRIVE_CREDENTIALS"
          value: "${secrets.drive.drive_credentials}"
    resources:
      disk:
        enabled: true
        size: 10M
        type: "google-drive-src"

Runtime

My runtime is a GCP GKE cluster, version 1.27.5-gke.200, running on Autopilot. The default storage class is as follows:

allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"allowVolumeExpansion":true,"apiVersion":"storage.k8s.io/v1","kind":"StorageClass","metadata":{"annotations":{},"name":"default"},"parameters":{"type":"pd-standard"},"provisioner":"kubernetes.io/gce-pd","reclaimPolicy":"Delete","volumeBindingMode":"WaitForFirstConsumer"}
  creationTimestamp: "2023-12-08T14:55:37Z"
  name: default
  resourceVersion: "1854463"
  uid: 8706e67d-3cdd-414b-822c-eae6e265153a
parameters:
  type: pd-standard
provisioner: kubernetes.io/gce-pd
reclaimPolicy: Delete
volumeBindingMode: WaitForFirstConsumer

It's probably a GKE-specific issue, but I've not tested it on other runtimes yet.


@Dobosz
Contributor Author

Dobosz commented Dec 11, 2023

I can confirm that setting fsGroup on the pod's security context solves the issue. I can PR this, but it's important to note that it's dependent on the image's id used at runtime.
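For reference, a minimal StatefulSet illustrating the fix described in this thread (an added example, not LangStream's own manifest or the commit under discussion): the container runs as uid 10000, and fsGroup makes the kubelet change group ownership of the provisioned volume on mount so that uid can write. The resource names, image and mount path are placeholders.

```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: google-drive-src            # placeholder name
spec:
  serviceName: google-drive-src
  replicas: 1
  selector:
    matchLabels:
      app: google-drive-src
  template:
    metadata:
      labels:
        app: google-drive-src
    spec:
      securityContext:
        runAsUser: 10000              # uid the agent image runs as (from the report)
        runAsNonRoot: true
        # Without fsGroup the disk is mounted root-owned with mode 755 and
        # uid 10000 cannot write to it. With fsGroup, the kubelet chowns the
        # volume to gid 10000 and grants group write, and the container
        # processes receive gid 10000 as a supplementary group.
        fsGroup: 10000
        # Only re-chown when the volume root does not already match; avoids
        # a recursive chown of the whole disk on every pod start.
        fsGroupChangePolicy: OnRootMismatch
      containers:
        - name: agent
          image: example.invalid/agent:latest   # placeholder image
          volumeMounts:
            - name: agent-disk
              mountPath: /app-data              # placeholder mount path
  volumeClaimTemplates:
    - metadata:
        name: agent-disk
      spec:
        accessModes: ["ReadWriteOnce"]
        storageClassName: default     # the GKE pd-standard class shown above
        resources:
          requests:
            storage: 10Mi
```

To verify after the pod starts, `kubectl exec <pod> -- stat -c '%u:%g %a' /app-data` should report gid 10000 with group write permission on the mount point.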

Dobosz added a commit to Dobosz/langstream that referenced this issue Dec 11, 2023
@nicoloboschi
Member

@Dobosz I saw you pushed the commit in your fork; can you open a PR? The change LGTM, and I'd do the same fix.

Dobosz added a commit to Dobosz/langstream that referenced this issue Dec 11, 2023
@Dobosz Dobosz closed this as completed Dec 12, 2023
Dobosz added a commit to Dobosz/langstream that referenced this issue Dec 13, 2023
Dobosz added a commit to Dobosz/langstream that referenced this issue Dec 13, 2023
Dobosz added a commit to Dobosz/langstream that referenced this issue Dec 14, 2023
Dobosz added a commit to Dobosz/langstream that referenced this issue Dec 14, 2023
nicoloboschi pushed a commit that referenced this issue Dec 14, 2023
* Revert "[Issue #741] Add fsGroup for runtime pod (#743)"

This reverts commit 2cd631c.

* [Issue #741] Fixes previous commit. fsGroup will now be assigned to the Agent STS and not the App
benfrank241 pushed a commit to vectorize-io/langstream that referenced this issue May 2, 2024
benfrank241 pushed a commit to vectorize-io/langstream that referenced this issue May 2, 2024
* Revert "[Issue LangStream#741] Add fsGroup for runtime pod (LangStream#743)"

This reverts commit 2cd631c.

* [Issue LangStream#741] Fixes previous commit. fsGroup will now be assigned to the Agent STS and not the App