A non-root user in a Docker container on Google Container Engine cannot write to the mounted GCE persistent disk

I am playing with Kubernetes and Google Container Engine (GKE).

I deployed a container from the jupyter/all-spark-notebook image.

This is my replication controller:

    {
      "apiVersion": "v1",
      "kind": "ReplicationController",
      "metadata": { "name": "datalab-notebook" },
      "spec": {
        "replicas": 1,
        "selector": { "app": "datalab-notebook" },
        "template": {
          "metadata": {
            "name": "datalab-notebook",
            "labels": { "environment": "TEST", "app": "datalab-notebook" }
          },
          "spec": {
            "containers": [{
              "name": "datalab-notebook-container",
              "image": "jupyter/all-spark-notebook",
              "env": [],
              "ports": [{ "containerPort": 8888, "name": "datalab-port" }],
              "volumeMounts": [{
                "name": "datalab-notebook-persistent-storage",
                "mountPath": "/home/jovyan/work"
              }]
            }],
            "volumes": [{
              "name": "datalab-notebook-persistent-storage",
              "gcePersistentDisk": { "pdName": "datalab-notebook-disk", "fsType": "ext4" }
            }]
          }
        }
      }
    }

As you can see, I mounted a Google Compute Engine persistent disk. My problem is that the container runs as a non-root user, and the mounted disk is owned by root, so my container cannot write to the disk.

  • Is there a way to mount GCE persistent disks and make them read/write for containers that do not run as root?
  • Another general question: is it safe to run a container as the root user in Google Container Engine?

Thank you in advance for your inputs.

+5
2 answers

I ran into the same problem. The workaround I used was to run df -h on the host machine the container was running on. From there I was able to find the mount point of the persistent disk. It should look something like /var/lib/kubelet/plugins/kubernetes.io/gce-pd/mounts/<pd-name>. It will also be one of the entries whose filesystem starts with /dev and that is not mounted at the root.

Once you find that, you can run sudo chmod -R 0777 /var/lib/kubelet/plugins/kubernetes.io/gce-pd/mounts/<pd-name> from a shell on the host, and now at least your container can use the directory, although the files will still be owned by root.

+2

You can use the FSGroup field in the pod security context to make GCE PDs writable by non-root users.

In this example, the GCE volume will be owned by group 1234, and the container process will have 1234 in its list of supplementary groups:

    apiVersion: v1
    kind: Pod
    metadata:
      name: test-pd
    spec:
      securityContext:
        fsGroup: 1234
      containers:
      - image: gcr.io/google_containers/test-webserver
        name: test-container
        volumeMounts:
        - mountPath: /test-pd
          name: test-volume
      volumes:
      - name: test-volume
        # This GCE PD must already exist.
        gcePersistentDisk:
          pdName: my-data-disk
          fsType: ext4
+11
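As an added example (not code from either answer or from the Kubernetes project), the following applies the second answer's fsGroup fix to the asker's ReplicationController and also acts as a small manifest check that flags pods which mount a GCE PD without setting fsGroup, which is the misconfiguration behind the question. The manifest is a reduced copy of the one in the question, the gid 1234 is taken from the answer, and the allowlist of volume types is an assumption limited to types known to honour fsGroup.

```python
import copy

# Constructed, trimmed copy of the question's ReplicationController (only the
# fields this example inspects are kept).
RC = {
    "apiVersion": "v1", "kind": "ReplicationController",
    "metadata": {"name": "datalab-notebook"},
    "spec": {"replicas": 1, "selector": {"app": "datalab-notebook"},
             "template": {"metadata": {"name": "datalab-notebook"},
                          "spec": {
                              "containers": [{
                                  "name": "datalab-notebook-container",
                                  "image": "jupyter/all-spark-notebook",
                                  "volumeMounts": [{"name": "datalab-notebook-persistent-storage",
                                                    "mountPath": "/home/jovyan/work"}]}],
                              "volumes": [{
                                  "name": "datalab-notebook-persistent-storage",
                                  "gcePersistentDisk": {"pdName": "datalab-notebook-disk",
                                                        "fsType": "ext4"}}]}}}}

# Assumed allowlist: volume types whose ownership the kubelet adjusts to fsGroup.
# hostPath is deliberately absent; fsGroup does not change ownership there.
FSGROUP_VOLUME_TYPES = {"gcePersistentDisk", "emptyDir"}


def pod_spec(obj):
    """Return the pod spec of a bare Pod or of a controller carrying a pod template."""
    return obj["spec"] if obj["kind"] == "Pod" else obj["spec"]["template"]["spec"]


def volumes_needing_fsgroup(obj):
    """Names of mounted, fsGroup-eligible volumes in a pod that sets no fsGroup."""
    spec = pod_spec(obj)
    if "fsGroup" in spec.get("securityContext", {}):
        return []
    mounted = {m["name"] for c in spec.get("containers", [])
               for m in c.get("volumeMounts", [])}
    return [v["name"] for v in spec.get("volumes", [])
            if v["name"] in mounted and FSGROUP_VOLUME_TYPES & set(v)]


def with_fsgroup(obj, gid):
    """Copy of obj with pod-level securityContext.fsGroup set, leaving the input untouched."""
    fixed = copy.deepcopy(obj)
    pod_spec(fixed).setdefault("securityContext", {})["fsGroup"] = gid
    return fixed
```

Running volumes_needing_fsgroup over every manifest before deploying catches the root-owned-disk problem at review time instead of after the notebook fails to write.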

Source: https://habr.com/ru/post/1242330/
