IBM Cloud Docs
Why can't non-root users access files?

You uploaded files to your IBM Cloud Object Storage service instance by using the console or the REST API. When you try to access these files from a pod that runs as the non-root user that you set with runAsUser in your app deployment, access to the files is denied.

In Linux, a file or a directory has three permission classes: Owner, Group, and Other. When you upload a file to IBM Cloud Object Storage by using the console or the REST API, the object carries no permission bits: in a pod that mounts the bucket, every bit for Owner, Group, and Other is cleared and the entry is owned by root, so only root can read it. Each entry looks as follows:

    d--------- 1 root root 0 Jan 1 1970 <file_name>

When you upload a file by using the IBM Cloud Object Storage plug-in, the permissions for the file are preserved and not changed.

To read a file, the non-root user needs read permission on the file and search (execute) permission on every directory above it; to change the file, the user also needs write permission. Changing the ownership or mode of a file as part of your pod deployment is a write operation against the object, and IBM Cloud Object Storage is not designed for write workloads.

Updating permissions during the pod deployment might therefore prevent your pod from getting into a Running state.

To resolve this issue, before you mount the PVC to your app pod, create another pod to set the correct permission for the non-root user.

  1. To check the permissions of your files in your bucket, create a configuration file for your test-permission pod and name the file test-permission.yaml.

    apiVersion: v1
    kind: Pod
    metadata:
      name: test-permission
    spec:
      containers:
      - name: test-permission
        image: nginx
        volumeMounts:
        - name: cos-vol
          mountPath: /test
      volumes:
      - name: cos-vol
        persistentVolumeClaim:
          claimName: <pvc_name>
    
  2. Create the test-permission pod.

    kubectl apply -f test-permission.yaml
    
  3. Log in to your pod.

    kubectl exec -it test-permission -- bash
    
  4. Navigate to your mount path and list the permissions for your files.

    cd /test && ls -al
    

    Example output

    d--------- 1 root root 0 Jan 1 1970 <file_name>
    
  5. Delete the pod.

    kubectl delete pod test-permission
    
  6. Create a configuration file for the pod that you use to correct the permissions of your files and name it fix-permission.yaml.

    apiVersion: v1
    kind: Pod
    metadata:
      name: fix-permission
      namespace: <namespace>
    spec:
      # Run once and stop. With the default restartPolicy (Always) the container
      # is restarted after it exits and the pod never stays in the Completed state.
      restartPolicy: Never
      containers:
      - name: fix-permission
        image: busybox
        # busybox runs as root by default, which chown requires.
        command: ['sh', '-c']
        args:
        - |
          chown -R <nonroot_userID> <mount_path>/*
          find <mount_path>/ -type d -exec chmod u+rwx,g+rx {} \;
          find <mount_path>/ -type f -exec chmod u+rw,g+r {} \;
        volumeMounts:
        - mountPath: <mount_path>
          name: cos-volume
      volumes:
      - name: cos-volume
        persistentVolumeClaim:
          claimName: <pvc_name>
    
  7. Create the fix-permission pod.

    kubectl apply -f fix-permission.yaml
    
  8. Wait for the pod to go into a Completed state.

    kubectl get pod fix-permission
    
  9. Delete the fix-permission pod.

    kubectl delete pod fix-permission
    
  10. Re-create the test-permission pod that you used earlier to check the permissions.

    kubectl apply -f test-permission.yaml
    

Verifying that the permissions for your files are updated

  1. Log in to your pod.

    kubectl exec -it test-permission -- bash
    
  2. Navigate to your mount path and list the permissions for your files.

    cd /test && ls -al
    

    Example output

    -rwxrwx--- 1 <nonroot_userID> root 6193 Aug 21 17:06 <file_name>
    
  3. Delete the test-permission pod.

    kubectl delete pod test-permission
    
  4. Mount the PVC to the app pod that runs as the non-root user.

In the securityContext of your deployment YAML, set runAsUser to the user ID that now owns the files (<nonroot_userID>) and set fsGroup to the same value.
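The whole fix, reproduced offline as an added example that is not code from this page or from IBM: the script below builds a constructed stand-in for the mounted bucket in a temporary directory, with objects that carry no permission bits the way console and REST API uploads do, plus one file whose mode the plug-in would have preserved. It then applies the same chown and find/chmod sequence that the fix-permission pod runs and counts what the owner still cannot reach before and after. The target user ID 1000, the file names and the directory layout are assumptions; chown only happens when the script runs as root, as it does inside the busybox pod.

```shell
#!/bin/sh
# Added example, not from the IBM Cloud docs: reproduce the fix-permission
# pod's work against a constructed directory tree instead of a mounted bucket.
set -eu

# make_sample_bucket DIR: constructed stand-in for a mounted COS bucket.
make_sample_bucket() {
  dir=$1
  mkdir -p "$dir/console-upload/nested" "$dir/plugin-upload"
  printf 'uploaded via console\n' > "$dir/console-upload/report.csv"
  printf 'nested object\n' > "$dir/console-upload/nested/data.json"
  printf 'written through the plug-in\n' > "$dir/plugin-upload/app.conf"
  # Console/REST API uploads show up with every permission bit cleared
  # (the d--------- entries from the troubleshooting page).
  chmod 000 "$dir/console-upload/report.csv" "$dir/console-upload/nested/data.json"
  chmod 000 "$dir/console-upload/nested" "$dir/console-upload"
  # A file added through the plug-in keeps the mode it had (assumed 640 here).
  chmod 640 "$dir/plugin-upload/app.conf"
}

# count_inaccessible DIR: entries the owner cannot use, i.e. files without
# owner read (mode bit 400) and directories without owner rwx (700).
# Before the fix, find cannot look inside mode-000 directories unless it is
# root, so it reports only what it can reach; those errors are silenced.
count_inaccessible() {
  {
    find "$1" -type f ! -perm -400 2>/dev/null || true
    find "$1" -type d ! -perm -700 2>/dev/null || true
  } | wc -l | tr -d ' '
}

# fix_permissions DIR UID: what the fix-permission pod's command does.
fix_permissions() {
  dir=$1
  uid=$2
  # Directories first, one chmod per directory (-exec ... \;): find visits a
  # directory before descending into it, so each one becomes searchable
  # before its contents are read. A batched "{} +" would run chmod too late.
  find "$dir" -type d -exec chmod u+rwx,g+rx {} \;
  # Files: owner read/write, group read. "+" only adds bits, so a file the
  # plug-in wrote with a sensible mode is left as it was.
  find "$dir" -type f -exec chmod u+rw,g+r {} +
  # chown needs root; the busybox pod has it, an ordinary shell may not.
  if [ "$(id -u)" -eq 0 ]; then
    chown -R "$uid" "$dir"
  else
    echo "not root: skipping chown -R $uid $dir" >&2
  fi
}

# mode_of PATH: the ten-character mode string as ls prints it.
mode_of() {
  ls -ld "$1" | cut -c1-10
}

BUCKET=$(mktemp -d)
trap 'rm -rf "$BUCKET"' EXIT
make_sample_bucket "$BUCKET"
BEFORE=$(count_inaccessible "$BUCKET")
fix_permissions "$BUCKET" 1000
AFTER=$(count_inaccessible "$BUCKET")
echo "entries the owner could not use: before=$BEFORE after=$AFTER"
ls -alR "$BUCKET"
```

The directory pass uses `\;` rather than `{} +` on purpose: a mode-000 directory cannot be listed by a non-root process, so the chmod must land before find reads it, and a batched invocation would defer it to the end of the walk. Against a real bucket the same commands run inside the pod as root, where the order matters less but the result is the same.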

After you set the correct file permissions in your IBM Cloud Object Storage service instance, don't upload files by using the console or the REST API: those uploads arrive with cleared permissions again, and you have to repeat the fix. Use the IBM Cloud Object Storage plug-in to add files to your service instance.