cephfs: dont set explicit permissions on the volume #2847

humblec · 2022-02-02T09:27:57Z

At present we are node staging with worldwide permissions which is
not correct. We should allow the CO to take care of it and make
the decision

Considering we have set to worldwide permission, we are defaulting to fsgroup = None for CephFS atm, once this is in, we can change to FSGroupChangePolicy to ReadWriteOnceWithFSTpe for CephFS too.

Fixes #2356

Signed-off-by: Humble Chirammal hchiramm@redhat.com

humblec · 2022-02-03T06:33:38Z

@Mergifyio rebase

mergify · 2022-02-03T06:34:19Z

rebase

✅ Branch has been successfully rebased

internal/cephfs/nodeserver.go

humblec · 2022-02-08T06:06:07Z

Again ? @nixpanic @Rakshith-R https://jenkins-ceph-csi.apps.ocp.ci.centos.org/blue/organizations/jenkins/k8s-e2e-external-storage-1.21/detail/k8s-e2e-external-storage-1.21/2658/pipeline

[](https://jenkins-ceph-csi.apps.ocp.ci.centos.org/blue/organizations/jenkins/k8s-e2e-external-storage-1.21/detail/k8s-e2e-external-storage-1.21/2658/pipeline#step-69-log-69)[](https://jenkins-ceph-csi.apps.ocp.ci.centos.org/blue/organizations/jenkins/k8s-e2e-external-storage-1.21/detail/k8s-e2e-external-storage-1.21/2658/pipeline#step-69-log-70)Apache Arrow for CentOS 8 - x86_64              122  B/s |  80  B     00:00    

Errors during downloading metadata for repository 'apache-arrow-centos':

  - Status code: 404 for https://apache.jfrog.io/artifactory/arrow/centos/8/x86_64/repodata/repomd.xml[](https://jenkins-ceph-csi.apps.ocp.ci.centos.org/blue/organizations/jenkins/k8s-e2e-external-storage-1.21/detail/k8s-e2e-external-storage-1.21/2658/pipeline#step-69-log-71)[](https://jenkins-ceph-csi.apps.ocp.ci.centos.org/blue/organizations/jenkins/k8s-e2e-external-storage-1.21/detail/k8s-e2e-external-storage-1.21/2658/pipeline#step-69-log-72)[](https://jenkins-ceph-csi.apps.ocp.ci.centos.org/blue/organizations/jenkins/k8s-e2e-external-storage-1.21/detail/k8s-e2e-external-storage-1.21/2658/pipeline#step-69-log-73)[](https://jenkins-ceph-csi.apps.ocp.ci.centos.org/blue/organizations/jenkins/k8s-e2e-external-storage-1.21/detail/k8s-e2e-external-storage-1.21/2658/pipeline#step-69-log-74)[](https://jenkins-ceph-csi.apps.ocp.ci.centos.org/blue/organizations/jenkins/k8s-e2e-external-storage-1.21/detail/k8s-e2e-external-storage-1.21/2658/pipeline#step-69-log-75) (IP: 52.33.92.242)

Error: Failed to download metadata for repo 'apache-arrow-centos': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried

[2/2] STEP 1/6: FROM quay.io/ceph/ceph:v16

Error: error building at STEP "RUN dnf -y install 	librados-devel librbd-devel 	/usr/bin/cc 	make 	git     && true": error while running runtime: exit status 1

make: *** [Makefile:229: image-cephcsi] Error 125

script returned exit code 2

humblec · 2022-02-08T09:25:35Z

/retest ci/centos/mini-e2e-helm/k8s-1.22

humblec · 2022-02-08T09:25:44Z

/retest ci/centos/upgrade-tests-rbd

humblec · 2022-02-08T09:26:57Z

Cool.. Tests are passing after rebase.. so please discard the previous comment :) @nixpanic @Rakshith-R ptal.. thanks !

Rakshith-R

I am not sure how this will affect already created volumes/ new volumes and about FSGroups, I'll let others review this pr.

humblec · 2022-02-09T11:00:47Z

@nixpanic ptal.. thanks.

nixpanic · 2022-02-09T13:19:26Z

/retest ci/centos/upgrade-tests-cephfs

nixpanic · 2022-02-09T13:20:47Z

/retest ci/centos/upgrade-tests-cephfs

Feb  9 12:58:53.130: FAIL: failed to create storageclass: etcdserver: request timed out

nixpanic · 2022-02-09T13:21:00Z

@Mergifyio refresh

mergify · 2022-02-09T13:21:20Z

refresh

✅ Pull request refreshed

At present we are node staging with worldwide permissions which is not correct. We should allow the CO to take care of it and make the decision. This commit also remove `fuseMountOptions` and `KernelMountOptions` as they are no longer needed Signed-off-by: Humble Chirammal <hchiramm@redhat.com>

``` ReadWriteOnceWithFSType: Indicates that volumes will be examined to determine if volume ownership and permissions should be modified to match the pod's security policy. Changes will only occur if the fsType is defined and the persistent volume's accessModes contains ReadWriteOnce. ``` In between considering we are giving 0777 permission on nodestage of cephfs shares, we defaulted to NONE. However giving worldwide permission to the volume is not the right thing and it has been fixed in cephfs via ceph/ceph-csi#2847 This commit brings it back to the value which is also in parity with RBD driver. Signed-off-by: Humble Chirammal <hchiramm@redhat.com>

nixpanic · 2022-02-14T16:05:13Z

/retest ci/centos/upgrade-tests-cephfs

Feb  9 12:58:53.130: FAIL: failed to create storageclass: etcdserver: request timed out

Expected to be addressed with #2880

``` ReadWriteOnceWithFSType: Indicates that volumes will be examined to determine if volume ownership and permissions should be modified to match the pod's security policy. Changes will only occur if the fsType is defined and the persistent volume's accessModes contains ReadWriteOnce. ``` In between considering we are giving 0777 permission on nodestage of cephfs shares, we defaulted to NONE. However giving worldwide permission to the volume is not the right thing and it has been fixed in cephfs via ceph/ceph-csi#2847 This commit brings it back to the value which is also in parity with RBD driver. Signed-off-by: Humble Chirammal <hchiramm@redhat.com> (cherry picked from commit 6561bda)

``` ReadWriteOnceWithFSType: Indicates that volumes will be examined to determine if volume ownership and permissions should be modified to match the pod's security policy. Changes will only occur if the fsType is defined and the persistent volume's accessModes contains ReadWriteOnce. ``` In between considering we are giving 0777 permission on nodestage of cephfs shares, we defaulted to NONE. However giving worldwide permission to the volume is not the right thing and it has been fixed in cephfs via ceph/ceph-csi#2847 This commit brings it back to the value which is also in parity with RBD driver. Signed-off-by: Humble Chirammal <hchiramm@redhat.com> (cherry picked from commit 6561bda) (cherry picked from commit e324059)

mergify bot added the component/cephfs Issues related to CephFS label Feb 2, 2022

humblec force-pushed the cephfs-fsgroup branch from 00db59d to 3456746 Compare February 2, 2022 09:35

humblec force-pushed the cephfs-fsgroup branch from 3456746 to 2fa4642 Compare February 3, 2022 06:34

humblec requested a review from a team February 3, 2022 09:47

Madhu-1 reviewed Feb 3, 2022

View reviewed changes

internal/cephfs/nodeserver.go Outdated Show resolved Hide resolved

internal/cephfs/nodeserver.go Outdated Show resolved Hide resolved

nixpanic requested changes Feb 3, 2022

View reviewed changes

internal/cephfs/nodeserver.go Outdated Show resolved Hide resolved

humblec force-pushed the cephfs-fsgroup branch from 2fa4642 to 2301987 Compare February 8, 2022 04:07

humblec requested a review from nixpanic February 8, 2022 04:10

humblec force-pushed the cephfs-fsgroup branch from 2301987 to c7dd4c6 Compare February 8, 2022 06:07

humblec requested a review from Rakshith-R February 8, 2022 09:27

humblec added the backport-to-release-v3.5 label Feb 8, 2022

humblec self-assigned this Feb 8, 2022

humblec added this to the release-3.6 milestone Feb 8, 2022

humblec requested a review from Madhu-1 February 9, 2022 04:59

Madhu-1 approved these changes Feb 9, 2022

View reviewed changes

Rakshith-R reviewed Feb 9, 2022

View reviewed changes

nixpanic approved these changes Feb 9, 2022

View reviewed changes

humblec force-pushed the cephfs-fsgroup branch from c7dd4c6 to e86e474 Compare February 9, 2022 12:37

humblec force-pushed the cephfs-fsgroup branch from e86e474 to b79209a Compare February 9, 2022 15:17

mergify bot merged commit 8f6a7da into ceph:devel Feb 9, 2022

mergify bot mentioned this pull request Feb 9, 2022

cephfs: dont set explicit permissions on the volume (backport #2847) #2870

Merged

humblec mentioned this pull request Feb 11, 2022

csi: default to ReadWriteOnceWithFSType for cephfs rook/rook#9729

Merged

10 tasks

humblec mentioned this pull request Mar 1, 2022

Bug 2059248: csi: default to ReadWriteOnceWithFSType for cephfs red-hat-storage/rook#355

Merged

10 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

cephfs: dont set explicit permissions on the volume #2847

cephfs: dont set explicit permissions on the volume #2847

humblec commented Feb 2, 2022 •

edited

humblec commented Feb 3, 2022

mergify bot commented Feb 3, 2022

humblec commented Feb 8, 2022 •

edited

humblec commented Feb 8, 2022

humblec commented Feb 8, 2022

humblec commented Feb 8, 2022

Rakshith-R left a comment

humblec commented Feb 9, 2022

nixpanic commented Feb 9, 2022

nixpanic commented Feb 9, 2022

nixpanic commented Feb 9, 2022

mergify bot commented Feb 9, 2022

nixpanic commented Feb 14, 2022

cephfs: dont set explicit permissions on the volume #2847

cephfs: dont set explicit permissions on the volume #2847

Conversation

humblec commented Feb 2, 2022 • edited

humblec commented Feb 3, 2022

mergify bot commented Feb 3, 2022

✅ Branch has been successfully rebased

humblec commented Feb 8, 2022 • edited

humblec commented Feb 8, 2022

humblec commented Feb 8, 2022

humblec commented Feb 8, 2022

Rakshith-R left a comment

Choose a reason for hiding this comment

humblec commented Feb 9, 2022

nixpanic commented Feb 9, 2022

nixpanic commented Feb 9, 2022

nixpanic commented Feb 9, 2022

mergify bot commented Feb 9, 2022

✅ Pull request refreshed

nixpanic commented Feb 14, 2022

humblec commented Feb 2, 2022 •

edited

humblec commented Feb 8, 2022 •

edited