Permission issues on mounted Volumes for RHDH container #254
Comments
I don't think this will be a problem for the |
@kadel |
Another note: |
I would be reluctant to set |
As part of the migration from janus-idp to redhat-developer in https://issues.redhat.com/browse/RHIDP-1021, this will be tracked in https://issues.redhat.com/browse/RHIDP-1560
The issue has shown up in hosted Kubernetes environments, such as AKS and EKS, with the default RHDH (showcase) container, using both the Helm Chart and the Operator.
On creating a Backstage CR with the unchanged default configuration, the RHDH InitContainer failed with an error like:
#Error: EACCES: permission denied, open '/dynamic-plugins-root/backstage-plugin-scaffolder-backend-module-github-dynamic-0.2.2.tgz'
The reason why it does not fail in a local environment is that the chown/chmod/fix-permissions stuff seems to work for mounted directories there, but does not work on AKS/EKS (which is quite expected IMO), so we have permissions like:

drwxr-xr-x 1 root root 4096 Mar 1 18:56 dynamic-plugins
- for "hosted" (fails, with permission error)

drwxrwxr-x 1 root root 4096 Mar 1 18:56 dynamic-plugins
- for "local" (works)

To work around this problem, fsGroup= can be used in the Pod's securityContext; it makes the directory permissions like:
drwxrwsr-x 14 root 1001 4096 Mar 11 14:59 dynamic-plugins-root
which works, but it MAY make the Pod's startup slower. As stated here:
Kubernetes recursively changes ownership and permissions for the contents of each volume to match the fsGroup specified in a Pod's securityContext when that volume is mounted. For large volumes, checking and changing ownership and permissions can take a lot of time, slowing Pod startup.
Also, for OpenShift it requires an "OpenShift friendly" UID.
So, it was decided not to include it as a general solution and to solve it case by case, with proper documentation (for AKS/EKS etc.), which is not ideal either, because it makes the procedure more difficult while it is not really "platform specific", strictly speaking.
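
An added example, not part of the original issue or the RHDH project's code: a small Python check that applies the POSIX owner/group/other rule to the three `ls -l` lines quoted above, to show why only the "hosted" one produces EACCES. The process identity used here (UID 1001, group 0, plus supplemental group 1001 when fsGroup is set) is an assumption, as are all function names.

```python
import stat

# Special bits that `ls -l` folds into the three execute columns.
SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}

def parse_mode(text):
    """Turn the mode column of `ls -l` (e.g. 'drwxrwsr-x') into mode bits."""
    perms = text[1:10]
    if len(perms) != 9:
        raise ValueError(f"not an ls -l mode column: {text!r}")
    mode = 0
    for i, ch in enumerate(perms):
        bit = 1 << (8 - i)
        if ch in "rwx":
            mode |= bit
        elif ch in "st" and i in SPECIAL:   # special bit set, execute set
            mode |= bit | SPECIAL[i]
        elif ch in "ST" and i in SPECIAL:   # special bit set, execute clear
            mode |= SPECIAL[i]
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} in {text!r}")
    return mode

def to_id(name):
    """ls prints 'root' by name and unknown IDs as numbers."""
    return 0 if name == "root" else int(name)

def can_create_files(ls_line, uid, gids):
    """POSIX check: creating a file needs write + search on the directory.
    Only the first matching class (owner, then group, then other) is consulted."""
    fields = ls_line.split()
    mode, owner, group = parse_mode(fields[0]), to_id(fields[2]), to_id(fields[3])
    if uid == 0:
        return True   # root bypasses the mode bits (capabilities ignored here)
    shift = 6 if uid == owner else 3 if group in gids else 0
    return (mode >> shift) & 0o3 == 0o3

# The three listings quoted in the issue.
HOSTED = "drwxr-xr-x 1 root root 4096 Mar 1 18:56 dynamic-plugins"
LOCAL = "drwxrwxr-x 1 root root 4096 Mar 1 18:56 dynamic-plugins"
FSGROUP = "drwxrwsr-x 14 root 1001 4096 Mar 11 14:59 dynamic-plugins-root"

if __name__ == "__main__":
    uid, base = 1001, {0}   # assumed container identity, not stated in the issue
    for label, line, gids in [("hosted", HOSTED, base), ("local", LOCAL, base),
                              ("fsGroup", FSGROUP, base | {1001})]:
        print(f"{label:8} writable={can_create_files(line, uid, gids)}")
```

Passing the fsGroup listing with only group 0 returns False, which shows that write access comes from the supplemental group fsGroup adds to the process, not from the setgid bit on the directory.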