How to change permission of mapped volume in kubernetes/Docker

1

15

I just created an image using a Dockerfile, and to change the user I used:

USER myuser

We are using a directory to store data, and we change that directory's permissions using:

chown -R myuser:myuser /data-dir

This Dockerfile is for etcd, where we want /data-dir to be used by etcd to store data. Now, we map /data-dir to an EFS volume using a Kubernetes YAML file.

With the below code:

        volumeMounts:
        - name: etcdefs
          mountPath: /data-dir
      volumes:
      - name: etcdefs
        persistentVolumeClaim:
          claimName: efs-etcd

After this, I expect that the mapped directory /data-dir should have permissions myuser:myuser, but it is making the directory root:root.

Can anyone suggest what I am doing wrong here?

Oriole answered 16/10, 2017 at 11:33 Comment(0)
25

This is because of Docker. It mounts volumes with only root permission, and you can change it with chmod, but only after the container is started.

You can read more about it here: https://github.com/moby/moby/issues/2259. This issue has been here for a long time.

What you can do in Kubernetes is use fsGroup and force the volume to be writable by the GID specified. This is a working solution and is documented as well. More information here: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

Here is an example deployment:

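# apps/v1 replaces extensions/v1beta1, which was removed in Kubernetes 1.16
apiVersion: apps/v1
kind: Deployment
metadata:
  name: alpine
spec:
  replicas: 1
  # apps/v1 requires an explicit selector matching the pod template labels
  selector:
    matchLabels:
      app: alpine
  template:
    metadata:
      labels:
        app: alpine
    spec:
      securityContext:
        # The mounted volume is made writable by this GID
        fsGroup: 1000
      containers:
        - name: alpine
          image: alpine
          volumeMounts:
            - mountPath: /var/alpine
              name: alpine
      volumes:
        - name: alpine
          awsElasticBlockStore:
            volumeID: vol-1234567890
            fsType: ext4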
Pythagoras answered 16/10, 2017 at 11:41 Comment(8)
Hey, can you give me an example of how to make use of Kubernetes with fsGroup, in my example given above? - Oriole
@SaganPariyar I have modified my answer and now it has an example deployment using fsGroup. - Pythagoras
Hey, thanks for the answer, actually the error was something else. Earlier we made Docker images using root, and while mapping it created directories using root. The next time, when I used myuser, the mapped volume already had the directory created with the root user, so it's giving the permission issue. I just deleted the directory and recreated it with myuser and it works fine. - Oriole
Good to hear you solved it. One thing that comes to my mind is that creating a directory in the container will make you prone to changes in how Docker mounts volumes; with the Kubernetes fsGroup option you will be. - Pythagoras
It should be noted that if you're using minikube, your PersistentVolume / PersistentVolumeClaim should use the default storage class. See: github.com/kubernetes/minikube/issues/… - Realm
How about a volume mounted from a configMap? - Bevbevan
What should be the volume ID "volumeID: vol-1234567890" in the case of local Docker Desktop? - Foot
@happyyangyuan, looks like this feature doesn't support configMaps. "This field has no effect on ephemeral volume types such as secret, configMap, and emptydir." kubernetes.io/docs/tasks/configure-pod-container/… - Sulfapyridine
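
An added example, not part of the original question, answer or comments: the fsGroup setting from the answer applied to the question's etcd volume, plus an init container that re-owns directories left behind by an earlier root-run image (the cause described in the comments). Assumptions: myuser is UID/GID 1000, the image name is a placeholder, and the storage backend lets root in the init container change ownership.

```yaml
# Added example, not from the original thread. Assumptions: myuser is
# UID/GID 1000; the etcd image name below is a placeholder.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: etcd
spec:
  replicas: 1
  selector:
    matchLabels:
      app: etcd
  template:
    metadata:
      labels:
        app: etcd
    spec:
      securityContext:
        fsGroup: 1000   # volume group-owned by GID 1000 where the volume type supports it
      initContainers:
        # Runs to completion before etcd starts; only this short-lived
        # container is root, and only with the capabilities chown needs.
        - name: fix-data-dir-owner
          image: busybox
          command: ["chown", "-R", "-h", "1000:1000", "/data-dir"]
          securityContext:
            runAsUser: 0
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
              add: ["CHOWN", "DAC_READ_SEARCH"]
          volumeMounts:
            - name: etcdefs
              mountPath: /data-dir
      containers:
        - name: etcd
          image: example.invalid/my-etcd:placeholder   # built with USER myuser
          securityContext:
            runAsUser: 1000
            runAsGroup: 1000
            runAsNonRoot: true
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: etcdefs
              mountPath: /data-dir
      volumes:
        - name: etcdefs
          persistentVolumeClaim:
            claimName: efs-etcd
```

Running `ls -ldn /data-dir` inside the etcd container shows the numeric owner and group actually applied to the mount.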
