permissions for CSI volume mounted to `exec` driver don't allow task's user #15540
Comments
The insecure workaround is to:
Hi @akamensky! Yeah this one is a little tricky because it lets a job operator overwrite the permissions of the contents of a volume outside of the user permissions they otherwise have. We've got an unfortunately-long-open issue #8892 that covers this, so I'm going to close this as a duplicate. Thanks for opening it though, and if you have additional thoughts feel free to add them to #8892. Thanks!
@tgross I respectfully disagree on bundling those issues together. #8892 is a feature request to provide controls for managing volume permissions in Docker driver tasks, which very well could be a reason for it to be stale/forgotten for over 2 years. This issue is a bug report about a volume being mounted as a user entirely different from the one the process is running as in the `exec` environment. The difference here is that in the case of Docker driver tasks you may have limited options for managing external volumes, and it being a feature request with a known workaround could be put in the ice box. In the case of the `exec` driver Nomad is in control of all aspects of the isolated environment and there should be no excuse for mounting the volume as the wrong user. If this issue is closed as a dup of the other one, then there is no guarantee that it will be fixed whenever (if at all) the other one is looked at (that is, the other issue may get fixed for Docker only).
I see where you're going with that, but the CSI mount is working as intended; the spec doesn't include any handling of permissions (which sucks, but the CSI spec is surprisingly underbaked on those details). And whatever we do to implement this would effectively need to be done everywhere, so it's not like it's an
Just putting down some links here that might or might not help. Podman has similar problems with user namespaces: Newer kernels allow id-mapping mounts:
Hopefully, this will be fixed or documented somewhere properly.
Nomad version
Operating system and Environment details
Fedora 36 (Server)
Issue
Using a CSI volume mounted in a task started using the `exec` driver is impossible due to the mount point being owned by root with 0755 permissions.
Reproduction steps
`exec` driver that mounts above volume with `read_only = false`
Expected Result
`nobody`)
Actual Result
`nobody` user can't use it.
Note
I'd consider this a bug since there is no clear way to use CSI volumes with the `exec` driver other than running the process as `root`.
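To make the failure mode in this report concrete, here is an added example (not code from the issue or from Nomad) that applies the ordinary POSIX owner/group/other permission check to the situation described: a mount point owned by `root:root` with mode 0755 and a task process running as `nobody`. The uid/gid 65534 for `nobody` and the names of the candidate fixes are assumptions for the example; the root bypass is simplified to directory semantics, which is what a mount point is. The same check can be run against a real directory as a preflight inside a task before the workload touches the volume.

```python
import os
import stat

# Constructed values for the case in the issue: the CSI mount point is created
# root:root with mode 0755, and the exec task runs as "nobody". The uid/gid of
# nobody (65534) is an assumption for this example; it varies between distros.
ROOT_UID, ROOT_GID = 0, 0
NOBODY_UID, NOBODY_GID = 65534, 65534
MOUNT_MODE = 0o755


def posix_access(owner_uid, owner_gid, mode, uid, gids, perm):
    """Classic POSIX discretionary access check for a directory.

    perm is "r", "w" or "x" (search). Returns True if a process with the given
    uid and group ids may perform that operation. uid 0 bypasses the check
    (simplified to directory semantics, where root can always search). The
    owner class is consulted first, then the group class, then "other"; only
    the first matching class counts, exactly as the kernel does it.
    """
    bit = {"r": 4, "w": 2, "x": 1}[perm]
    if uid == 0:
        return True
    if uid == owner_uid:
        cls = (mode >> 6) & 7
    elif owner_gid in gids:
        cls = (mode >> 3) & 7
    else:
        cls = mode & 7
    return bool(cls & bit)


def mount_point_usable(owner_uid, owner_gid, mode, uid, gids):
    """Which operations a task process may perform on the mount point directory.

    Creating files inside the directory requires both search ("x") and write
    ("w") on the directory itself, so that is reported as a separate key.
    """
    allowed = {p: posix_access(owner_uid, owner_gid, mode, uid, gids, p) for p in "rwx"}
    allowed["create_files"] = allowed["w"] and allowed["x"]
    return allowed


def check_real_path(path, uid=None, gids=None):
    """Run the same check against a real directory, defaulting to the calling
    process's own ids (useful as a preflight step inside the task)."""
    st = os.stat(path)
    if uid is None:
        uid = os.getuid()
    if gids is None:
        gids = set(os.getgroups()) | {os.getgid()}
    return mount_point_usable(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode), uid, gids)


def fixes_that_work(uid, gid, mode=MOUNT_MODE):
    """Ownership/mode candidates that let the task user create files without
    granting write to "other". Returns the names of the candidates that pass.
    The candidate names are illustrative; applying any of them needs root on
    the host, which is exactly what the exec task in the issue does not have."""
    candidates = {
        "chown <task-user> mountpoint": (uid, gid, mode),
        "chgrp <task-group> mountpoint; chmod g+w": (ROOT_UID, gid, mode | 0o020),
        "leave root:root 0755 (status quo)": (ROOT_UID, ROOT_GID, mode),
    }
    return [
        name
        for name, (o_uid, o_gid, m) in candidates.items()
        if mount_point_usable(o_uid, o_gid, m, uid, {gid})["create_files"]
        and not (m & 0o002)  # reject anything world-writable
    ]


if __name__ == "__main__":
    verdict = mount_point_usable(ROOT_UID, ROOT_GID, MOUNT_MODE, NOBODY_UID, {NOBODY_GID})
    print("nobody on a root:root 0755 mount point:", verdict)
    print("candidate fixes that pass:", fixes_that_work(NOBODY_UID, NOBODY_GID))
```

For the reported case the verdict is read and search allowed but write denied, so `create_files` is `False`, which is the "nobody user can't use it" outcome; both non-status-quo candidates pass, and both require a privileged change to the mount point rather than anything the task user can do itself.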