
sysbox 0.6.1 does not support K8S 1.23.x fsGroup PodSecurityContext making all kind of non-host volumes useless

Open FFock opened this issue 2 years ago • 6 comments

Install an Ubuntu image with an EmptyDir volume and a Longhorn volume on a Kubernetes 1.23.16 cluster created with Rancher 2.7.3 RKE1 on Ubuntu 20.04 (22.04 does not work with the sysbox installer, see https://github.com/nestybox/sysbox/issues/567) and specify "fsGroup: 1000" in the pod's securityContext as described here: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods

You will see that the empty dir volume as well as the longhorn volume will be mounted as:

drwxrwxrwx   2 nobody nogroup 4096 May 24 17:02 data
drwxrwsr-x   3 nobody nogroup 4096 May 24 15:39 data2

Even if you do not use the fsGroup security context, the volumes are mounted the same. When running the pod without the sysbox runtime, everything works as expected, i.e., with fsGroup 1000 the volumes are mounted with GID 1000, and without fsGroup they are mounted with group ID 0.

FFock avatar May 24 '23 17:05 FFock

With RKE2, K8S 1.25.9 and Ubuntu 22.04, the Longhorn volume mount with the fsGroup pod security context works; however, mounting a secret with fsGroup set still mounts the secret as nobody:nogroup.

FFock avatar May 25 '23 22:05 FFock
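The reproduction described in the two comments above (an emptyDir volume, plus a Secret volume for the RKE2 case), written out as a manifest that prints the resulting ownership. This is an added example and not from the issue reporter or the Sysbox project; it assumes a RuntimeClass named sysbox-runc exists on the cluster (the name sysbox-deploy-k8s registers) and creates its own constructed Secret. The Longhorn PVC from the report is left out so the manifest runs on any cluster.

```yaml
# Added reproduction manifest (not part of the issue or the Sysbox project).
# Assumptions: a RuntimeClass named "sysbox-runc" exists; the Secret below is
# constructed here purely so the Secret-volume case can be checked.
apiVersion: v1
kind: Secret
metadata:
  name: fsgroup-test-secret
stringData:
  token: "constructed-sample-value"
---
apiVersion: v1
kind: Pod
metadata:
  name: fsgroup-test
spec:
  runtimeClassName: sysbox-runc   # delete this line to get the runc baseline
  securityContext:
    fsGroup: 1000                 # expected GID on every non-host volume
    fsGroupChangePolicy: "Always" # the default; stated explicitly for the comparison
  containers:
  - name: ubuntu
    image: ubuntu:20.04
    command: ["/bin/sh", "-c"]
    # Print owner, group (with numeric GID), mode and path of each mount, then
    # the ids the process runs as. -L follows the ..data symlinks in the Secret mount.
    args:
      - |
        stat -L -c '%U:%G (gid %g) %a %n' /data /secret /secret/token
        id
        sleep 3600
    volumeMounts:
    - name: data
      mountPath: /data
    - name: secret
      mountPath: /secret
      readOnly: true
  volumes:
  - name: data
    emptyDir: {}
  - name: secret
    secret:
      secretName: fsgroup-test-secret
```

Apply it, then read the output with kubectl logs fsgroup-test. With the default runc runtime the gid column should be 1000 for both mounts; the symptom reported above is that under sysbox the same lines show nobody:nogroup (gid 65534) regardless of the fsGroup setting. Running the manifest twice, once with and once without the runtimeClassName line, gives the side-by-side comparison the maintainers are likely to ask for alongside the journalctl and findmnt output.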

@FFock, thanks for reporting this one.

A couple of questions:

  • Could you please obtain journalctl -u sysbox-mgr output in the k8s node where sysbox was installed?
  • Could you obtain a findmnt within one of the sysbox pods where you observe the volume issue?

Thanks.

rodnymolina avatar May 25 '23 23:05 rodnymolina

@rodnymolina, sure, I can provide the requested data. Can I send it on a private channel?

FFock avatar May 25 '23 23:05 FFock

@FFock, sure, please ping on slack.

rodnymolina avatar May 26 '23 07:05 rodnymolina

@FFock just an fyi, we ran into a similar issue ourselves, it was resolved by using a 0.6.2 prerelease. We've been running that version in test and prod for a couple of weeks now with no issues. We did make a clone of that specific version to use, however.

joncbenderkh avatar Jun 05 '23 07:06 joncbenderkh

we ran into a similar issue ourselves, it was resolved by using a 0.6.2 prerelease. We've been running that version in test and prod for a couple of weeks now with no issues.

Thanks @joncbenderkh for chiming in.

FYI, to use sysbox-deploy-k8s with the Sysbox v0.6.2 pre-release, simply replace the image: line in the sysbox-install YAML with this one:

image: ghcr.io/nestybox/sysbox-deploy-k8s:v0.6.2-dev

We should be releasing Sysbox v0.6.2 later this week.

ctalledo avatar Jun 05 '23 17:06 ctalledo