Localpath provisioner regression v1.21.3: Non-root users can't write to volume #3785

Closed
1 task
nsmith5 opened this issue Aug 6, 2021 · 2 comments

Comments

nsmith5 commented Aug 6, 2021

Environmental Info:
K3s Version:

  • Broken on v1.21.3+k3s1
  • Working on v1.20.9+k3s1

Node(s) CPU architecture, OS, and Version:

  • kernel and arch: Linux 5.12.19-300.fc34.x86_64 x86_64 x86_64 x86_64 GNU/Linux
  • OS: Fedora CoreOS 34
  • Selinux disabled completely

Cluster Configuration:

  • Single standalone node (server + agent all in one)

Describe the bug:
Permissions appear to be incorrect on PVCs created with local path provisioner. On v1.21.3 I see the PVC directories under /var/lib/rancher/k3s/storage created with 0700 and owned by root. On v1.20.9 I see the PVC directories under /var/lib/rancher/k3s/storage created with 0777. The 0700 permission forbids non-root users from writing any data to these PVC directories when they're mounted into containers, whereas the old 0777 permissions allowed non-root users to write immediately without any further configuration.

Steps To Reproduce:

  • Install k3s binary for v1.21.3 in /usr/local/bin and run k3s systemd unit as follows:

```ini
[Unit]
Description=Lightweight Kubernetes
Documentation=https://k3s.io
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=-/etc/default/%N
EnvironmentFile=-/etc/sysconfig/%N
EnvironmentFile=-/etc/systemd/system/k3s.service.env
ExecStart=/usr/local/bin/k3s server
KillMode=process
Delegate=yes
LimitNOFILE=1048576
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
TimeoutStartSec=0
Restart=always
RestartSec=5s

[Install]
WantedBy=multi-user.target
```

Expected behavior:
Should have same behaviour as 1.20.9 (non-root users should be able to write to a PVC created by local-path provisioner without any additional work)

Actual behavior:
Not possible in 1.21.3. Need to chmod the PVC directory as 0777 before that is possible (or chown with the container user id)

Additional context / logs:

Backporting

  • Needs backporting to older releases
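
The mode difference reported above (0700 owned by root versus 0777) can be checked per PVC directory with a short audit script. This is an added example, not part of the original issue or the k3s project; the function names `pvc_verdict` and `audit_storage` and the UID/GID 1000 in the usage comment are assumptions, and only classic owner/group/other bits are evaluated.

```shell
#!/bin/sh
# Added example, not from the issue: report whether a given container UID/GID
# can create files in each local-path PVC directory, from mode and ownership.
# Simplification (assumption): classic owner/group/other bits only; ACLs,
# supplementary groups, fsGroup and capabilities are not modelled.
# Requires GNU stat (coreutils).

# pvc_verdict DIR UID GID -> prints denied | writable | world-writable
pvc_verdict() {
    _dir=$1; _uid=$2; _gid=$3
    _info=$(stat -c '%a %u %g' "$_dir") || return 1
    set -- $_info
    _m=$((0$1)); _owner=$2; _group=$3   # leading 0 makes the mode octal
    # Exactly one permission triplet applies: owner, else group, else other.
    if [ "$_uid" -eq "$_owner" ]; then
        _bits=$(( ($_m >> 6) & 7 ))
    elif [ "$_gid" -eq "$_group" ]; then
        _bits=$(( ($_m >> 3) & 7 ))
    else
        _bits=$(( $_m & 7 ))
    fi
    # Creating a file in a directory needs write (2) and search (1).
    if [ $(( $_bits & 3 )) -ne 3 ]; then
        echo denied            # e.g. 0700 root:root seen from a non-root UID
    elif [ $(( $_m & 3 )) -eq 3 ]; then
        echo world-writable    # e.g. 0777: every UID on the node can write
    else
        echo writable          # access comes from ownership, not "other" bits
    fi
}

# audit_storage STORAGE_DIR UID GID -> one line per PVC directory
audit_storage() {
    for _d in "$1"/*/; do
        [ -d "$_d" ] || continue
        printf '%s mode=%s owner=%s verdict=%s\n' "$_d" \
            "$(stat -c '%a' "$_d")" "$(stat -c '%u:%g' "$_d")" \
            "$(pvc_verdict "$_d" "$2" "$3")"
    done
}

# Usage on a node, for a container running as UID/GID 1000 (constructed value):
#   audit_storage /var/lib/rancher/k3s/storage 1000 1000
```

A `world-writable` verdict corresponds to the 0777 directories described for v1.20.9, and `denied` to the 0700 root-owned directories described for v1.21.3; `writable` is what the chown workaround mentioned in the issue produces.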
@ChristianCiach

Duplicate of #3704

nsmith5 commented Aug 6, 2021

Closing as a duplicate (thanks @ChristianCiach!)

@nsmith5 nsmith5 closed this as completed Aug 6, 2021