Why does my File Storage for VPC deployment fail due to a permissions error?
Virtual Private Cloud
Your app that uses File Storage for VPC fails with a permissions error.
You created your own storage class to use with an existing file share, but did not specify the correct uid
and gid
. When a process runs on Unix and Linux, the operating system identifies a user with a user ID (UID) and
group with a group ID (GID). These IDs determine which system resources a user or group can access. For example, if the file storage user ID is 12345 and its group ID is 6789, then the mount on the host node and in the container must have those
same IDs. The container’s main process must match one or both of those IDs to access the file share.
You can resolve the issue in one of the following ways.
-
If you need your app to run as non-root, create your own storage class with the correct
uid
andgid
that your app needs. -
If you want to run your app as as root user, edit your deployment to use
fsGroup: 0
.
Create your own storage class and specify the uid
and gid
your app needs
If you want to use File Storage for VPC with static provisioning, you must reference the correct uid
and gid
.
-
Create a storage class with the correct
uid
andgid
that your app needs.apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: custom-storageclas provisioner: vpc.file.csi.ibm.io mountOptions: - hard - nfsvers=4.0 - sec=sys parameters: profile: "custom-iops" # The VPC Storage profile used. /docs/vpc?topic=vpc-block-storage-profiles&interface=ui#tiers-beta iops: "400" # Default IOPS. User can override from secrets billingType: "hourly" # The default billing policy used. User can override this default encrypted: "false" # By default, all PVC using this class will only be provider managed encrypted. The user can override this default encryptionKey: "" # If encrypted is true, then a user must specify the encryption key used associated KP instance resourceGroup: "" # Use resource group if specified here. Otherwise, use the one mentioned in storage-secrete-store zone: "" # By default, the storage vpc driver will select a zone. The user can override this default tags: "" # A list of tags "a, b, c" that will be created when the volume is created. This can be overidden by user classVersion: "1" uid: "1234" # The initial user identifier for the file share. gid: "5678" # The initial group identifier for the file share. reclaimPolicy: "Delete" allowVolumeExpansion: true
-
Create the customized storage class in your cluster.
oc apply -f custom-storageclass.yaml
-
Verify that your storage class is available in the cluster.
oc get sc
Example output
NAME PROVISIONER ibmc-vpc-file-10iops-tier vpc.file.csi.ibm.io ibmc-vpc-file-3iops-tier vpc.file.csi.ibm.io ibmc-vpc-file-5iops-tier vpc.file.csi.ibm.io ibmc-vpc-file-retain-10iops-tier vpc.file.csi.ibm.io ibmc-vpc-file-retain-3iops-tier vpc.file.csi.ibm.io ibmc-vpc-file-retain-5iops-tier vpc.file.csi.ibm.io ibmc-vpc-file-custom vpc.file.csi.ibm.io
Edit your app to run as root with fsGroup: 0
-
Log in to your cluster.
-
Identify the deployment in your cluster that you want to edit.
kubectl get deployments
-
Edit the deployment by adding
fsGroup: 0
in thesecurityContext
section of your deployment.kubectl get deployment -o yaml YOUR-DEPLOYMENT
apiVersion: apps/v1 kind: Deployment metadata: name: <deployment_name> labels: app: <deployment_label> spec: securityContext: fsGroup: 0 selector: matchLabels: app: <app_name> template: metadata: labels: app: <app_name> spec: containers: - image: <image_name> name: <container_name> volumeMounts: - name: <volume_name> mountPath: /<file_path> volumes: - name: <volume_name> persistentVolumeClaim: claimName: PVC-NAME
-
Apply the changes to your deployment.