-
Notifications
You must be signed in to change notification settings - Fork 808
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feature support: set 777 filemode to mount directory #2211
Comments
@ConnorJC3 PTAL |
Hi - can you provide more details? The EBS CSI Driver does not currently support LVM volumes - can you clarify the situation under which this would be helpful, or provide a reproduction case? |
You can follow the steps below to replicate the issue we're currently facing. step1. Created a apiVersion: apps/v1
kind: StatefulSet
metadata:
name: mysql-lvm
spec:
selector:
matchLabels:
app: mysql
serviceName: "mysql"
replicas: 1
template:
metadata:
labels:
app: mysql
spec:
securityContext:
runAsNonRoot: true
runAsUser: 5000
containers:
- image: mysql:8.4
name: mysql
env:
- name: MYSQL_ROOT_PASSWORD
value: password
ports:
- containerPort: 3306
name: mysql
volumeMounts:
- name: mysql-persistent-storage
mountPath: /var/lib/mysql
volumeClaimTemplates:
- metadata:
name: mysql-persistent-storage
spec:
accessModes: [ "ReadWriteOnce" ]
storageClassName: "csi-lvm-sc"
resources:
requests:
storage: 1Gi step2. Replaced the apiVersion: apps/v1
kind: StatefulSet
metadata:
name: mysql-ebs
spec:
selector:
matchLabels:
app: mysql
serviceName: "mysql"
replicas: 1
template:
metadata:
labels:
app: mysql
spec:
securityContext:
runAsNonRoot: true
runAsUser: 5000
containers:
- image: mysql:8.4
name: mysql
env:
- name: MYSQL_ROOT_PASSWORD
value: password
ports:
- containerPort: 3306
name: mysql
volumeMounts:
- name: mysql-persistent-storage
mountPath: /var/lib/mysql
volumeClaimTemplates:
- metadata:
name: mysql-persistent-storage
spec:
accessModes: [ "ReadWriteOnce" ]
storageClassName: "ebs-sc2"
resources:
requests:
storage: 1Gi log as follows: 2024-11-07 12:08:28+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.4.3-1.el9 started.
2024-11-07 12:08:28+00:00 [Note] [Entrypoint]: Initializing database files
mysqld: Can't create/write to file '/var/lib/mysql/is_writable' (OS errno 13 - Permission denied)
2024-11-07T12:08:28.793268Z 0 [System] [MY-015017] [Server] MySQL Server Initialization - start.
2024-11-07T12:08:28.794330Z 0 [System] [MY-013169] [Server] /usr/sbin/mysqld (mysqld 8.4.3) initializing of server in progress as process 42
2024-11-07T12:08:28.795466Z 0 [ERROR] [MY-010460] [Server] --initialize specified but the data directory exists and is not writable. Aborting.
2024-11-07T12:08:28.795472Z 0 [ERROR] [MY-013236] [Server] The designated data directory /var/lib/mysql/ is unusable. You can remove all files that the server added to it.
2024-11-07T12:08:28.795503Z 0 [ERROR] [MY-010119] [Server] Aborting
2024-11-07T12:08:28.795794Z 0 [System] [MY-015018] [Server] MySQL Server Initialization - end. |
We used to have a lot of pods that relied on the |
we can add a flag args to config the permission for mount directory when start |
Hi - thanks for the explanation, that provides a more complete picture. Firstly, a workaround - if you use a
you would use:
Secondly, I do see that it is inconsistent between different CSI drivers what permission the root of a volume is given. I'm going to open a dialogue on the Kubernetes Slack with SIG Storage about this, to see if it's appropriate to standardize on a given value or to allow configuration given the potential security implications. I'll relay any important updates to this GitHub issue. |
If EBS CSI sets the root volume to 755 (which we can't configure), and the owner to root (which we also can't configure), doesn't that mean As in: The only way to get write access is if we change the The only workaround is |
|
@ConnorJC3 correct, but that was not the question. Should I try to rephrase my comment? |
To @blackliner's point, It doesn't matter if fsGroup changes which group "owns" the volume, as with 755 permissions even users in the fsGroup would not have write permissions on the volume. |
Sorry, for some reason GitHub didn't notify me about the reply here. To clarify, Kubernetes will also add any missing group write permission when an |
Awh interesting, that helps. Thank you for clarifying. |
Is your feature request related to a problem? Please describe.
issue description: #2207 (comment)
There are many pods in our cluster that use lvm storage. Although letting users switch to root can solve this issue, it would mean a significant overhaul cost for the users.
Describe the solution you'd like in detail
ebs plugin can grant 777 permission to the mount directory
Additional context
add a flags args (eg: mountPermission) to config the permission for mount directory.
The text was updated successfully, but these errors were encountered: