Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

permissions for CSI volume mounted to exec driver don't allow task's user #15540

Open
akamensky opened this issue Dec 13, 2022 · 6 comments
Open

Comments

@akamensky
Copy link

Nomad version

Nomad v1.4.3 (f464aca)

Operating system and Environment details

Fedora 36 (Server)

Issue

Using CSI volume mounted in the task started using exec driver is impossible due to mount point being owned by root with 0755 permissions.

Reproduction steps

Expected Result

  • Mount point is owned by the same user as the one inside the namespace (default nobody)
  • OR mount point is otherwise made write-able (i.e. setting permissions)

Actual Result

  • Mount point is owned by root and uses 0755 permissions. Hence default nobody user can't use it.

Note

I'd consider this a bug since there is no clear way to use CSI volumes with exec driver other than running process as root.

@akamensky
Copy link
Author

akamensky commented Dec 13, 2022

The insecure workaround is to:

  1. Change client config to allow running tasks as root (i.e. "user.denylist" = "")
  2. Run prestart task as user = "root" that calls chown nobody:nobody /path/to/mount

@tgross
Copy link
Member

tgross commented Dec 14, 2022

Hi @akamensky! Yeah this one is a little tricky because it lets a job operator overwrite the permissions of the contents of a volume outside of the user permissions they otherwise have. We've got an unfortunately-long-open issue #8892 that covers this, so I'm going to close this as a duplicate. Thanks for opening it though, and if you have additional thoughts feel free to add them to #8892. Thanks!

@akamensky
Copy link
Author

akamensky commented Dec 14, 2022

@tgross I respectfully disagree on bundling those issues together. #8892 is a feature request to provide controls for managing volume permissions in Docker driver tasks, which very well could be a reason for it to be stale/forgotten for over 2 years. This issue is a bug report about volume being mounted as a user entirely different than the one that the process is running as in exec environment.

The difference here is that in case of Docker driver tasks you may have limited options on managing external volumes and it being feature request with known workaround could be put in the ice box. In case of exec driver Nomad is in control of all aspects of isolated environment and there should be no excuse to mounting volume as wrong user. If this issue is closed as a dup of the other one, then there is no guarantee that it will be fixed whenever (if at all) the other one will be looked at (that is the other issue may get fixed for docker only).

@tgross
Copy link
Member

tgross commented Dec 16, 2022

I see where you're going with that, but the CSI mount is working as intended; the spec doesn't include any handling of permissions (which sucks, but the CSI spec is surprisingly underbaked on those details). And whatever we do to implement this would effectively need to be done everywhere, so it's not like it's an exec-specific solution either. Marking it as a bug doesn't do a lot for prioritization on it's own, either. But sure, I'll reopen and put it on the bug backlog.

@tgross tgross reopened this Dec 16, 2022
@tgross tgross changed the title CSI volume mounted in task with exec driver are unusable permissions for CSI volume mounted to exec driver don't allow task's user Dec 16, 2022
@apollo13
Copy link
Contributor

apollo13 commented Jan 9, 2023

Just putting down some links here that might or might not help. Podman has similar problems with user namespaces:
containers/podman#12154

Newer kernels allow id-mapping mounts:
https://lore.kernel.org/lkml/20210213130042.828076-1-christian.brauner@ubuntu.com/T/#u

@116davinder
Copy link

Hopefully, this will be fixed or documented somewhere properly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Status: Needs Roadmapping
Development

No branches or pull requests

4 participants