local-storage: Fix permission #7217
Conversation
BoleynSu
force-pushed
the
master
branch
3 times, most recently
from
fdaaf73
to
55b6af7
Compare
| imagePullPolicy: IfNotPresent | ||
| commands: | ||
| - sleep |
There was a problem hiding this comment.
Modify this to:
- Run as a non-root user
- Successfully touch a file under the /data volume before sleeping
There was a problem hiding this comment.
Good catch! Changed the uid/gid of the pod.
There was a problem hiding this comment.
We also need to touch or perhaps echo some content into the file to confirm that it can be created.
| @@ -72,6 +72,10 @@ var _ = Describe("local storage", func() { | |||
| fileStat, err = os.Stat(k3sStorage + "/" + volumeName) | |||
| Expect(err).ToNot(HaveOccurred()) | |||
| Expect(fmt.Sprintf("%04o", fileStat.Mode().Perm())).To(Equal("0777")) | |||
|
|
|||
| touchResult, err := testutil.K3sCmd("kubectl --namespace=default exec -it volume-test -- touch /data/file") | |||
There was a problem hiding this comment.
Lets have the pod itself do this
There was a problem hiding this comment.
I prefer to exec here to avoid any possible race condition.
There was a problem hiding this comment.
No, I want to see the pod itself successfully creating the file, not your exec command. If you want to use an exec to test for the file's existence or having the correct content, that's fine. But We need to see that the file can be successfully created by a non-root user within the pod.
There was a problem hiding this comment.
exec commands excute the touch in the pod with a non-root user.
There was a problem hiding this comment.
I will add another test for what you want though. However, that test may be flaky in the future and I do not want to spend time fixing it atm.
There was a problem hiding this comment.
I'm not sure why it would be flakey, are you concerned that the test kubectl exec command might run before the pod has entered the sleep? If so, just wait for a second or two after the pod becomes ready before running the test.
I do want to see the pod command itself successfully writing a file to the PVC, not just the test command.
There was a problem hiding this comment.
Consider that the pod is ready and running then it is context switch to execute other codes before it write to the file. Later, we check for existence of the file before it gets context switched back. The eventally can work around this if the delay it less than 10s but the flakiness is still possible and will happen in the future.
BoleynSu
force-pushed
the
master
branch
2 times, most recently
from
b8c0f71
to
0d41313
Compare
/var/lib/rancher/k3s/storage/ should be 700 /var/lib/rancher/k3s/storage/* should be 777 Fixes k3s-io#2348 Signed-off-by: Boleyn Su <boleyn.su@gmail.com>
|
@dereknola this looks good to me. The AWX example workload from #3704 seems to work with this change: root@k3s-server-1:/# kubectl get pod -n awx
NAME READY STATUS RESTARTS AGE
awx-operator-controller-manager-77c67f9445-znc85 2/2 Running 0 18m
awx-demo-postgres-13-0 1/1 Running 0 14m
awx-demo-task-7d48b5497-dphxz 4/4 Running 0 14m
awx-demo-web-54f46445f-rqf25 3/3 Running 0 13m
root@k3s-server-1:/# kubectl get pvc -n awx
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
postgres-13-awx-demo-postgres-13-0 Bound pvc-bdeca81e-985b-434a-9c2e-bc235be7d04c 8Gi RWO local-path 14m
root@k3s-server-1:/# kubectl get pod -n awx
NAME READY STATUS RESTARTS AGE
awx-operator-controller-manager-77c67f9445-znc85 2/2 Running 0 18m
awx-demo-postgres-13-0 1/1 Running 0 14m
awx-demo-task-7d48b5497-dphxz 4/4 Running 0 14m
awx-demo-web-54f46445f-rqf25 3/3 Running 0 13m
root@k3s-server-1:/# ls -la /var/lib/rancher/k3s/storage/
total 12
drwx------ 3 root root 4096 Apr 17 23:14 .
drwxr-xr-x 6 root root 4096 Apr 17 23:14 ..
drwxrwxrwx 3 root root 4096 Apr 17 23:14 pvc-bdeca81e-985b-434a-9c2e-bc235be7d04c_awx_postgres-13-awx-demo-postgres-13-0
root@k3s-server-1:/# ls -la /var/lib/rancher/k3s/storage/pvc-bdeca81e-985b-434a-9c2e-bc235be7d04c_awx_postgres-13-awx-demo-postgres-13-0
total 12
drwxrwxrwx 3 root root 4096 Apr 17 23:14 .
drwx------ 3 root root 4096 Apr 17 23:14 ..
drwxrwxrwx 3 root root 4096 Apr 17 23:14 data
root@k3s-server-1:/# ls -la /var/lib/rancher/k3s/storage/pvc-bdeca81e-985b-434a-9c2e-bc235be7d04c_awx_postgres-13-awx-demo-postgres-13-0/data
total 12
drwxrwxrwx 3 root root 4096 Apr 17 23:14 .
drwxrwxrwx 3 root root 4096 Apr 17 23:14 ..
drwx------ 19 999 root 4096 Apr 17 23:14 pgdata
root@k3s-server-1:/# kubectl exec -it -n awx awx-demo-postgres-13-0 -- /bin/sh -c 'grep data /proc/mounts; ls -la /var/lib/postgresql/data'
/dev/root /var/lib/postgresql/data ext4 rw,relatime,discard,errors=remount-ro 0 0
total 12
drwxrwxrwx 3 root root 4096 Apr 17 23:14 .
drwxr-xr-x 1 postgres postgres 4096 Apr 12 05:57 ..
drwx------ 19 postgres root 4096 Apr 17 23:14 pgdata |
|
I will approve this once the local storage integration test passes in CI |
|
Friendly ping |
|
It's still failing for some reason, haven't had a chance to see why |
Signed-off-by: Derek Nola <derek.nola@suse.com>
Codecov ReportPatch coverage has no change and project coverage change:
Additional details and impacted files@@ Coverage Diff @@
## master #7217 +/- ##
==========================================
+ Coverage 9.82% 19.57% +9.75%
==========================================
Files 147 81 -66
Lines 10845 5461 -5384
==========================================
+ Hits 1065 1069 +4
+ Misses 9558 4170 -5388
Partials 222 222
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
| @@ -26,7 +26,7 @@ var _ = BeforeSuite(func() { | |||
| } | |||
| }) | |||
|
|
|||
| var _ = Describe("local storage", func() { | |||
| var _ = Describe("local storage", Ordered, func() { | |||
|
Lets be sure to squash this on merge. |
* local-storage: Fix permission /var/lib/rancher/k3s/storage/ should be 700 /var/lib/rancher/k3s/storage/* should be 777 Fixes k3s-io#2348 Signed-off-by: Boleyn Su <boleyn.su@gmail.com> * Fix pod command field type * Fix to int test Signed-off-by: Derek Nola <derek.nola@suse.com> --------- Signed-off-by: Boleyn Su <boleyn.su@gmail.com> Signed-off-by: Derek Nola <derek.nola@suse.com> Co-authored-by: Brad Davidson <brad@oatmail.org> Co-authored-by: Derek Nola <derek.nola@suse.com>
* local-storage: Fix permission /var/lib/rancher/k3s/storage/ should be 700 /var/lib/rancher/k3s/storage/* should be 777 Fixes k3s-io#2348 Signed-off-by: Boleyn Su <boleyn.su@gmail.com> * Fix pod command field type * Fix to int test Signed-off-by: Derek Nola <derek.nola@suse.com> --------- Signed-off-by: Boleyn Su <boleyn.su@gmail.com> Signed-off-by: Derek Nola <derek.nola@suse.com> Co-authored-by: Brad Davidson <brad@oatmail.org> Co-authored-by: Derek Nola <derek.nola@suse.com>
* local-storage: Fix permission /var/lib/rancher/k3s/storage/ should be 700 /var/lib/rancher/k3s/storage/* should be 777 Fixes k3s-io#2348 Signed-off-by: Boleyn Su <boleyn.su@gmail.com> * Fix pod command field type * Fix to int test Signed-off-by: Derek Nola <derek.nola@suse.com> --------- Signed-off-by: Boleyn Su <boleyn.su@gmail.com> Signed-off-by: Derek Nola <derek.nola@suse.com> Co-authored-by: Brad Davidson <brad@oatmail.org> Co-authored-by: Derek Nola <derek.nola@suse.com>
* local-storage: Fix permission /var/lib/rancher/k3s/storage/ should be 700 /var/lib/rancher/k3s/storage/* should be 777 Fixes #2348 * Fix pod command field type * Fix to int test --------- Signed-off-by: Boleyn Su <boleyn.su@gmail.com> Signed-off-by: Derek Nola <derek.nola@suse.com> Co-authored-by: Boleyn Su <boleyn.su@gmail.com> Co-authored-by: Brad Davidson <brad@oatmail.org>
* local-storage: Fix permission /var/lib/rancher/k3s/storage/ should be 700 /var/lib/rancher/k3s/storage/* should be 777 Fixes #2348 Signed-off-by: Boleyn Su <boleyn.su@gmail.com> Signed-off-by: Derek Nola <derek.nola@suse.com> Co-authored-by: Boleyn Su <boleyn.su@gmail.com> Co-authored-by: Brad Davidson <brad@oatmail.org>
/var/lib/rancher/k3s/storage/ should be 700
/var/lib/rancher/k3s/storage/* should be 777
Fixes #2348