Windows EmptyDir volumes are not created with 0777 #75049
Seems like at least part of the problem is that
:-( Ref: code to set permission to 777 in emptydir
/cc @jingxu97, who ran into similar problems writing tests.
Started looking at this today, it's more difficult than I imagined. What I mean by "are not created with 0777" is that on Linux kubernetes/pkg/volume/emptydir/empty_dir.go Lines 326 to 361 in f8024ab
I don't know that there is a super straightforward way to translate something like 0777 to Windows, except maybe putting ACLs on the directory giving
This is what was done in the stackoverflow answer: https://stackoverflow.com/questions/33445727/how-to-control-file-access-in-windows
cc @andyzhangx Could we fix this issue with the package mentioned by @yujuhong? https://github.com/hectane/go-acl
@benmoss @PatrickLang do you know of a better way to handle this, or would we have to change the ACLs as the comments above suggest?
I think we would have to use ACLs. I ultimately added these lines just to make these tests pass: https://github.com/cloudfoundry-incubator/kubo-release-windows/blob/0831c11effeafb16f56e347daa229adb10757eeb/jobs/kubelet-windows/templates/bin/kubelet_ctl.ps1.erb#L133-L138
Tried reproducing this by deploying that pod using the yaml file, and this seems to have already been fixed in some way. We could mark this as fixed if it cannot be reproduced any more. cc @yujuhong
@benmoss could you still reproduce the issue?
No, I'm not sure this is still an issue
@benmoss: Closing this issue. In response to this:
What happened:
Running a Windows pod with an EmptyDir volume attached should allow a non-Administrator user to read, write, and execute files inside that directory. Instead, it appears that this currently only works if the host's filesystem has ACLs set on a parent directory that set these permissions on all subdirectories. Basically the equivalent of setting 0777 on all of /var/lib/kubelet or something like that.
What you expected to happen:
EmptyDir directories should be created with 0777 permissions, just like on Linux.
How to reproduce it (as minimally and precisely as possible):
BUILTIN\Users do not have write permission over /var/lib/kubelet/, run this spec: https://gist.github.com/benmoss/cfea81267982d5d17c4c7ed2a58bf541
touch /cache/foo line does not emit touch: /cache/foo: Permission denied in the logs
/sig windows
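
The gap this issue describes, as an added Go example (not from the issue or the Kubernetes source): create a directory, chmod it to 0777, and read the mode back. `SetupDir`, `ModeBitsAreAuthoritative` and the temp path are hypothetical names; per Go's `os.Chmod` documentation only the 0200 bit is used on Windows, so a passing mode check there says nothing about the directory's ACL.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"runtime"
)

// wantPerm is the mode the issue expects an EmptyDir volume to have.
const wantPerm os.FileMode = 0777

// SetupDir is a hypothetical helper (not the kubelet's function). It creates
// dir, chmods it explicitly, and returns the permission bits seen after each step.
func SetupDir(dir string) (created, final os.FileMode, err error) {
	// On Unix MkdirAll is filtered by the process umask: with the common
	// umask 022, a requested 0777 is created as 0755.
	if err = os.MkdirAll(dir, wantPerm); err != nil {
		return 0, 0, err
	}
	fi, err := os.Stat(dir)
	if err != nil {
		return 0, 0, err
	}
	created = fi.Mode().Perm()
	// Chmod is not filtered by the umask. On Windows Go uses only the 0200
	// bit (read-only attribute); no ACL entry is added or changed.
	if err = os.Chmod(dir, wantPerm); err != nil {
		return created, 0, err
	}
	if fi, err = os.Stat(dir); err != nil {
		return created, 0, err
	}
	return created, fi.Mode().Perm(), nil
}

// ModeBitsAreAuthoritative reports whether the bits above describe real
// access control on this OS. On Windows access is decided by the ACL.
func ModeBitsAreAuthoritative() bool { return runtime.GOOS != "windows" }

func main() {
	dir := filepath.Join(os.TempDir(), "emptydir-demo", "cache") // constructed path
	defer os.RemoveAll(filepath.Dir(dir))
	created, final, err := SetupDir(dir)
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	fmt.Printf("after MkdirAll: %04o, after Chmod: %04o, authoritative: %v\n",
		created, final, ModeBitsAreAuthoritative())
}
```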