fix permissions when using fsGroup #37009
Conversation
Jenkins GCI GCE e2e failed for commit a349fa7. Full PR test history. The magic incantation to run this job again is
@k8s-bot gci gce e2e test this
I think this fix is good, but we need to encode some context about why it is okay to skip symlinks. Remember, this code might also run against any number of block device-provided volumes, so we need a broad understanding of why the code is the way it is to be communicated with this change as comments.
test case?
Yes, this needs E2E coverage added for configmap/secret/downward API
cc @kubernetes/sig-storage
@saad-ali -- i would like this to be a cherry-pick for 1.5 once a test case is added.
Force-pushed from 63314ed to f898967
@derekwaynecarr @pmorie added comments and e2e tests
The issue it is fixing, was it introduced in 1.5? How bad is the issue it is fixing, can we ship 1.5 with it? How risky is the fix to the rest of the 1.5 release?
@saad-ali it isn't risky as chowning/chmoding symlinks was only corrupting the mode of underlying files before this PR. I'm not sure when it was introduced exactly but it predates the 1.5 cycle.
This has been an issue since 1.3 afaict
Ack. Ok for post-code freeze merge. As an FYI, last chance for automatic merge to 1.5 branch will be Nov 23 10 AM PST. At that point: https://groups.google.com/forum/#!topic/kubernetes-dev/n-vqlX-HHSM
@pmorie bump
Looking closer, but I thought we were going to add tests for downward API volume as well.
@@ -51,6 +51,17 @@ func SetVolumeOwnership(mounter Mounter, fsGroup *int64) error { | |||
return err | |||
} | |||
|
|||
// chown and chmod pass through to the underlying file for symlinks. |
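Review bot: the comment added after `return err` / `}` says what chown and chmod do for a symlink but not why skipping the link is safe, which is the context asked for above; suggest extending it along the lines of the PR description, e.g. `// Symlinks created by the atomic writer point at regular files inside this volume, so the walk reaches those targets itself; applying the link's own 0777 mode to the target would clobber defaultMode.` A closing sentence stating that a link whose target lies outside the volume root is deliberately left alone would make the intended behaviour explicit for other volume types that pass through this walk.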
underlying
weird rendering error, disregard
@@ -41,6 +41,11 @@ var _ = framework.KubeDescribe("ConfigMap", func() { | |||
doConfigMapE2EWithoutMappings(f, 0, 0, &defaultMode) | |||
}) | |||
|
|||
It("should be consumable from pods in volume with defaultMode and fsGroup set [Conformance]", func() { |
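Review bot: the new `It("should be consumable from pods in volume with defaultMode and fsGroup set [Conformance]", ...)` case should run the pod as a non-root user, as requested in review, and assert on the file mode observed inside the pod rather than only on the content being readable: a root process reads the file whatever its mode, so a root-only test that does not check the mode would still pass with the 0777 the bug produced. Tagging a brand-new test of the fsGroup/defaultMode interaction `[Conformance]` also deserves a second look, since that commits every conformant cluster to the behaviour.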
how about a test for non-root, default mode, and fsgroup?
after thinking about it, this should probably be a non-root only test
doSecretE2EWithoutMapping(f, &defaultMode, "secret-test-"+string(uuid.NewUUID()), nil) | ||
}) | ||
|
||
It("should be consumable from pods in volume with defaultMode and fsGroup set [Conformance]", func() { |
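Review bot: this case mirrors the ConfigMap test name exactly; keep the two in lockstep by giving both the non-root, defaultMode-plus-fsGroup variant requested in review and by asserting the mode observed in the pod, since a root process reads the secret file regardless of its mode. Apply the `[Conformance]` tag to both or to neither so the secret and configmap suites do not diverge.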
same comment for secrets -- i'd like to see nonroot, fsgroup, and default mode in a test case.
Force-pushed from f898967 to 51ae5a3
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]
Jenkins unit/integration failed for commit 51ae5a3. Full PR test history. The magic incantation to run this job again is
Automatic merge from submit-queue (batch tested with PRs 38294, 37009, 36778, 38130, 37835)

fix permissions when using fsGroup

Currently, when an fsGroup is specified, the permissions of the defaultMode are not respected and all files created by the atomic writer have mode 777. This is because in `SetVolumeOwnership()` the `filepath.Walk` includes the symlinks created by the atomic writer. The symlinks have mode 777 when read from `info.Mode()`. However, when they are chmod'ed later, the chmod applies to the file the symlink points to, not the symlink itself, resulting in the wrong mode for the underlying file. This PR skips chmod/chown for symlinks in the walk since those operations are carried out on the underlying file which will be included elsewhere in the walk.

xref https://bugzilla.redhat.com/show_bug.cgi?id=1384458

@derekwaynecarr @pmorie
#38276-#37009-upstream-release-1.5 Automatic merge from submit-queue Automated cherry pick of #37594 #38276 #37009 upstream release 1.5 Batch cherry pick PRs #37594 #38276 #37009 from master to release-1.5 branch. PR #37009 had merge conflicts that needed to be resolved. CC Original PR Authors: @thockin @mbohlool @mwielgus @sjenning
Commit found in the "release-1.5" branch appears to be this PR. Removing the "cherrypick-candidate" label. If this is an error find help to get your PR picked.
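The mechanism the PR description explains, reproduced as an added, self-contained Go example; this is not Kubernetes code. It builds a constructed volume layout in the style of the atomic writer (a real file inside a data directory plus a symlink carrying the user-visible name), then walks it twice: once chmod'ing every entry the way the pre-fix code did, once skipping symlinks as the fix does. `filepath.Walk` reports a symlink's own mode (0777 on Linux) and `os.Chmod` follows the link, so the naive walk lands the link's mode on the underlying file. The 0660 mask, the file and directory names, and the 0400 defaultMode are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// rwMask is the group read/write mask an fsGroup walk adds to each entry;
// the value is assumed for this example.
const rwMask os.FileMode = 0660

// buildVolume creates a constructed layout that mimics what the atomic
// writer produces: the real file lives in a data directory and the
// user-visible name is a symlink pointing at it.
func buildVolume(defaultMode os.FileMode) (root, target string, err error) {
	root, err = os.MkdirTemp("", "fsgroup-example-")
	if err != nil {
		return "", "", err
	}
	dataDir := filepath.Join(root, "..2016_11_18_data") // constructed name
	if err := os.Mkdir(dataDir, 0755); err != nil {
		return "", "", err
	}
	target = filepath.Join(dataDir, "password")
	if err := os.WriteFile(target, []byte("constructed-secret\n"), defaultMode); err != nil {
		return "", "", err
	}
	// WriteFile's mode is filtered by umask; set defaultMode explicitly.
	if err := os.Chmod(target, defaultMode); err != nil {
		return "", "", err
	}
	link := filepath.Join(root, "password")
	if err := os.Symlink(filepath.Join("..2016_11_18_data", "password"), link); err != nil {
		return "", "", err
	}
	return root, target, nil
}

// walkChmod applies the fsGroup mask to every entry under root. With
// skipSymlinks=false it reproduces the defect: Walk uses Lstat, so a
// symlink's info.Mode() is the link's own 0777, and os.Chmod follows the
// link, so 0777|mask is written onto the underlying file.
func walkChmod(root string, skipSymlinks bool) error {
	return filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		if skipSymlinks && info.Mode()&os.ModeSymlink != 0 {
			// The target is a regular file inside the volume, so the walk
			// visits it on its own; chmod'ing through the link would clobber it.
			return nil
		}
		return os.Chmod(path, info.Mode().Perm()|rwMask)
	})
}

// resultingMode returns the permission bits the underlying file ends up
// with after a walk, so the two variants can be compared.
func resultingMode(defaultMode os.FileMode, skipSymlinks bool) (os.FileMode, error) {
	root, target, err := buildVolume(defaultMode)
	if err != nil {
		return 0, err
	}
	defer os.RemoveAll(root)
	if err := walkChmod(root, skipSymlinks); err != nil {
		return 0, err
	}
	st, err := os.Stat(target)
	if err != nil {
		return 0, err
	}
	return st.Mode().Perm(), nil
}

func main() {
	for _, skip := range []bool{false, true} {
		mode, err := resultingMode(0400, skip)
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		fmt.Printf("skipSymlinks=%v -> underlying file mode %#o\n", skip, mode)
	}
}
```

With the symlink skipped the underlying file ends at 0660 (defaultMode plus the group mask, which is what the fixed code produces); without the skip it picks up the link's execute bits and, on Linux, becomes 0777. A quick check on a live pod is `stat -c %a` on the mounted file versus the defaultMode the volume was created with.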