Why can't non-root users access files?
Virtual Private Cloud Classic infrastructure
You uploaded files to your IBM Cloud Object Storage service instance by using the console or the REST API. When you try to access these files with a non-root user that you defined with runAsUser in your app deployment, access to the files is denied.
In Linux, a file or a directory has three access groups: Owner, Group, and Other. When you upload a file to IBM Cloud Object Storage by using the console or the REST API, the permissions for the Owner, Group, and Other are removed. The permission of each file looks as follows:
d--------- 1 root root 0 Jan 1 1970 <file_name>
When you upload a file by using the IBM Cloud Object Storage plug-in, the permissions for the file are preserved and not changed.
To access the file with a non-root user, the non-root user must have read and write permissions for the file. Changing the permission on a file as part of your pod deployment requires a write operation. IBM Cloud Object Storage is not designed for write workloads.
Updating permissions during the pod deployment might prevent your pod from getting into a Running state.
To resolve this issue, before you mount the PVC to your app pod, create another pod to set the correct permission for the non-root user.
- To check the permissions of your files in your bucket, create a configuration file for your test-permission pod and name the file test-permission.yaml.

    apiVersion: v1
    kind: Pod
    metadata:
      name: test-permission
    spec:
      containers:
      - name: test-permission
        image: nginx
        volumeMounts:
        - name: cos-vol
          mountPath: /test
      volumes:
      - name: cos-vol
        persistentVolumeClaim:
          claimName: <pvc_name>

- Create the test-permission pod.

    kubectl apply -f test-permission.yaml

- Log in to your pod.

    kubectl exec -it test-permission -- bash

- Navigate to your mount path and list the permissions for your files.

    cd test && ls -al

  Example output

    d--------- 1 root root 0 Jan 1 1970 <file_name>

- Delete the pod.

    kubectl delete pod test-permission

- Create a configuration file for the pod that you use to correct the permissions of your files and name it fix-permission.yaml.

    apiVersion: v1
    kind: Pod
    metadata:
      name: fix-permission
      namespace: <namespace>
    spec:
      containers:
      - name: fix-permission
        image: busybox
        command: ['sh', '-c']
        args: ['chown -R <nonroot_userID> <mount_path>/*; find <mount_path>/ -type d -print -exec chmod u=+rwx,g=+rx {} \;']
        volumeMounts:
        - mountPath: "<mount_path>"
          name: cos-volume
      volumes:
      - name: cos-volume
        persistentVolumeClaim:
          claimName: <pvc_name>

- Create the fix-permission pod.

    kubectl apply -f fix-permission.yaml

- Wait for the pod to go into a Completed state.

    kubectl get pod fix-permission

- Delete the fix-permission pod.

    kubectl delete pod fix-permission

- Re-create the test-permission pod that you used earlier to check the permissions.

    kubectl apply -f test-permission.yaml

Verifying that the permissions for your files are updated
- Log in to your pod.

    kubectl exec -it test-permission -- bash

- Navigate to your mount path and list the permissions for your files.

    cd test && ls -al

  Example output

    -rwxrwx--- 1 <nonroot_userID> root 6193 Aug 21 17:06 <file_name>

- Delete the test-permission pod.

    kubectl delete pod test-permission

- Mount the PVC to the app with the non-root user. Set runAsUser and fsGroup to the same values in your deployment YAML.

After you set the correct file permissions in your IBM Cloud Object Storage service instance, don't upload files by using the console or the REST API. Use the IBM Cloud Object Storage plug-in to add files to your service instance.
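
Instead of reading the `ls -al` output by eye in the test-permission pod, the following check lists every entry under the mount path that the non-root user still cannot use. It is an added example, not part of the IBM Cloud documentation; the function names `audit_mount` and `make_sample_tree` are hypothetical, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not IBM's code. audit_mount and make_sample_tree are
# hypothetical names; the sample tree is constructed, not real bucket data.

# Usage: audit_mount <mount_path> <nonroot_userID>
# Prints every entry under <mount_path> that the non-root UID still cannot use.
# Exit status: 0 nothing reported, 1 findings exist, 2 mount path unusable.
# The body runs in a subshell, so the cd does not affect the caller.
audit_mount() (
    uid=$2
    cd "$1" 2>/dev/null || { echo "cannot enter: $1" >&2; exit 2; }
    findings=$(
        # Not owned by the non-root user. The mount root is skipped because
        # the page's chown targets <mount_path>/* and not the root itself.
        find . ! -name . ! -user "$uid" -exec printf 'owner %s\n' {} \;
        # Owner lacks read or write, like the all-zero mode of console uploads.
        find . ! -name . ! -perm -600 -exec printf 'mode  %s\n' {} \;
        # Directory that its owner cannot enter.
        find . -type d ! -perm -100 -exec printf 'nox   %s\n' {} \;
    )
    [ -z "$findings" ] && exit 0
    printf '%s\n' "$findings"
    exit 1
)

# Build a constructed directory tree that stands in for the mounted bucket.
make_sample_tree() {
    sample=$(mktemp -d) || return 1
    mkdir "$sample/logs" && chmod 750 "$sample/logs"
    : > "$sample/console-upload.txt" && chmod 000 "$sample/console-upload.txt"
    : > "$sample/logs/app.log" && chmod 770 "$sample/logs/app.log"
    printf '%s\n' "$sample"
}
```

Each output line starts with `owner`, `mode` or `nox`, followed by the path relative to the mount path. Because the `chown` in fix-permission.yaml uses the glob `<mount_path>/*`, which does not match names that begin with a dot, such entries at the top of the mount show up as `owner` findings.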