There seems to be no way of setting permissions on the mount path #81676
Comments
/sig architecture
/sig storage
/remove-sig architecture
There seems to be at least one way to avoid this problem. I went back to the same spec and this time added a top-level mount point as well as a deeper one.
pod.yaml (check out data2 and where it's mounted):
After applying and running a query I get:
As you can see the "storage" and "sample" also got their permissions inherited from the top-most level (/data).
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
@fejta-bot: Closing this issue. In response to this:
In a statefulset aggregator config, we were observing errors like this:

    2024-01-23T16:57:12.710877825Z ERR Ingestor: insert error: failed to write parquet for file federated/qa-gcp1/etl/bingen/allocations/1d/1705363200-1705449600: error writing container parquet file: error making directory /var/configs/waterfowl/parquet/kubernetes/qa-gcp1/container/1d: mkdir /var/configs/waterfowl/parquet: permission denied

Some debugging commands to add context:

    → k exec -it -n kubecost-cloudcost kubecost-cloudcost-aggregator-0 -- mkdir /var/configs/waterfowl/parquet
    mkdir: cannot create directory '/var/configs/waterfowl/parquet': Permission denied
    command terminated with exit code 1

    → k exec -it -n kubecost-cloudcost kubecost-cloudcost-aggregator-0 -- ls -alh /var/configs
    total 68K
    drwxrwsr-x 5 root 1001 4.0K Jan 18 10:50 .
    drwxr-xr-x 1 root root 4.0K Jan 23 16:52 ..
    -rw-r--r-- 1 1001 1001 2 Jan 23 16:52 advanced-reports.json
    -rw-r--r-- 1 1001 1001 2 Jan 23 16:52 asset-reports.json
    -rw-r--r-- 1 1001 1001 2 Jan 23 16:52 budgets.json
    -rw-r--r-- 1 1001 1001 2 Jan 23 16:52 cloud-cost-reports.json
    -rw-r--r-- 1 1001 1001 112 Jan 23 00:36 collections.json
    drwxrwsrwt 3 root 1001 100 Jan 23 16:52 etl
    -rw-r--r-- 1 1001 1001 378 Jan 23 16:52 group-reports.json
    drwxrws--- 2 root 1001 16K Dec 21 21:23 lost+found
    -rw-r--r-- 1 1001 1001 2 Jan 23 16:52 recurring-budget-rules.json
    -rw-r--r-- 1 1001 1001 2 Jan 23 16:52 reports.json
    -rw-r--r-- 1 1001 1001 2 Jan 23 16:52 teams.json
    -rw-r--r-- 1 1001 1001 2 Jan 23 16:52 users.json
    drwxr-sr-x 3 root 1001 4.0K Jan 22 19:05 waterfowl

(note that the /var/configs/waterfowl directory is owned by user root and the container process' group (100) does not have write permission, this is what I suspect the source of the error is)

This issue seems to back up the theory: kubernetes/kubernetes#81676

Signed-off-by: Michael Dresser <michaelmdresser@gmail.com>
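The permission decision behind the mkdir failure in the commit message above, as an added example (not code from Kubernetes or Kubecost): it applies the POSIX owner/group/other rule to `ls -l` directory lines to show where a non-root process can create entries. The process identity passed in (for instance uid 1001 with group 1001) is an assumption, and ACLs are not considered.

```python
"""Evaluate POSIX directory-write access from `ls -l` lines (added example)."""

# Three directory entries copied from the `ls -alh /var/configs` output in the
# commit message above; the uid/gid values passed to audit() are assumptions.
SAMPLE_LISTING = """\
drwxrwsr-x 5 root 1001 4.0K Jan 18 10:50 .
drwxrwsrwt 3 root 1001 100 Jan 23 16:52 etl
drwxr-sr-x 3 root 1001 4.0K Jan 22 19:05 waterfowl
"""

# Names that `ls` prints for well-known ids; numeric owners pass through int().
KNOWN_IDS = {"root": 0}


def _to_id(field):
    return KNOWN_IDS[field] if field in KNOWN_IDS else int(field)


def _has_wx(triplet):
    """True if a 3-char class such as 'rws' grants write and search (execute)."""
    # 's' / 't' mean setuid/setgid/sticky WITH execute; 'S' / 'T' mean without.
    return triplet[1] == "w" and triplet[2] in "xst"


def can_create_in(ls_line, uid, gids):
    """Can a process with this uid and group set create an entry in the directory?"""
    mode, _links, owner, group = ls_line.split()[:4]
    if not mode.startswith("d"):
        raise ValueError("not a directory entry: " + ls_line)
    if uid == 0:
        return True  # root bypasses mode bits (assumes CAP_DAC_OVERRIDE is kept)
    # The kernel consults exactly one class: owner, else group, else other.
    if uid == _to_id(owner):
        return _has_wx(mode[1:4])
    if _to_id(group) in gids:
        return _has_wx(mode[4:7])
    return _has_wx(mode[7:10])


def audit(listing, uid, gids):
    """Map each directory name in the listing to whether the process can write there."""
    result = {}
    for line in listing.splitlines():
        if line.startswith("d"):
            result[line.split()[-1]] = can_create_in(line, uid, gids)
    return result
```

For the listing above, `audit(SAMPLE_LISTING, 1001, {1001})` reports the volume root and etl as writable and waterfowl as not, because waterfowl's group class is `r-s` (setgid and search, no write).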
I have posted this to StackOverflow (https://stackoverflow.com/questions/57566773/how-to-change-the-umask-when-mounting-volumes-in-kubernetes-pods) however, I think there is something missing in the design and as such it should be posted here.
I have tried this in Kubernetes 1.5
Given a `SecurityContext` for a pod, a volume to mount and a nested path as the mount point one can clearly see that the intermediate folders in the mount path are left to their own devices as far as permissions are concerned. Allow me to demonstrate:
Resulting folder permissions:
As you can see other than the final folder (demo) all other folders are still owned by root:root in a way that my pod/container user will have no write permissions to them.
So if my pod/container user were to say create a folder like `/data/storage/folder2` this would fail since neither `runAsGroup` nor `root` groups have any kind of write permissions to that path!