Why can't non-root users access files?

Virtual Private Cloud Classic infrastructure

You uploaded files to your IBM Cloud Object Storage service instance by using the console or the REST API. When you try to access these files with a non-root user that you defined with runAsUser in your app deployment, access to the files is denied.

In Linux, a file or a directory has three access groups: Owner, Group, and Other. When you upload a file to IBM Cloud Object Storage by using the console or the REST API, the permissions for the Owner, Group, and Other are removed. The permission of each file looks as follows:

d--------- 1 root root 0 Jan 1 1970 <file_name>

When you upload a file by using the IBM Cloud Object Storage plug-in, the permissions for the file are preserved and not changed.

To access the file with a non-root user, the non-root user must have read and write permissions for the file. Changing the permission on a file as part of your pod deployment requires a write operation. IBM Cloud Object Storage is not designed for write workloads.

Updating permissions during the pod deployment might prevent your pod from getting into a Running state.

To resolve this issue, before you mount the PVC to your app pod, create another pod to set the correct permission for the non-root user.

1. To check the permissions of your files in your bucket, create a configuration file for your test-permission pod and name the file test-permission.yaml.

   apiVersion: v1
   kind: Pod
   metadata:
     name: test-permission
   spec:
     containers:
     - name: test-permission
        image: nginx
        volumeMounts:
        - name: cos-vol
        mountPath: /test
     volumes:
     - name: cos-vol
        persistentVolumeClaim:
        claimName: <pvc_name>
   

2. Create the test-permission pod.

   oc apply -f test-permission.yaml
   

3. Log in to your pod.

   oc exec test-permission -it bash
   

4. Navigate to your mount path and list the permissions for your files.

   cd test && ls -al
   

   Example output

   d--------- 1 root root 0 Jan 1 1970 <file_name>
   

5. Delete the pod.

   oc delete pod test-permission
   

6. Create a configuration file for the pod that you use to correct the permissions of your files and name it fix-permission.yaml.

   apiVersion: v1
   kind: Pod
   metadata:
     name: fix-permission
     namespace: <namespace>
   spec:
     containers:
     - name: fix-permission
       image: busybox
       command: ['sh', '-c']
       args: ['chown -R <nonroot_userID> <mount_path>/*; find <mount_path>/ -type d -print -exec chmod u=+rwx,g=+rx {} \;']
       volumeMounts:
       - mountPath: "<mount_path>"
         name: cos-volume
     volumes:
     - name: cos-volume
       persistentVolumeClaim:
         claimName: <pvc_name>
   

7. Create the fix-permission pod.

   oc apply -f fix-permission.yaml
   

8. Wait for the pod to go into a Completed state.

   oc get pod fix-permission
   

9. Delete the fix-permission pod.

   oc delete pod fix-permission
   

10. Re-create the test-permission pod that you used earlier to check the permissions.

    oc apply -f test-permission.yaml