When using sysbox 0.6.5, k8s secrets are mounted with owner nobody nogroup
#874
Comments
Hi @top-oai, thanks for reporting the issue. Can you do a Typically this problem is caused by Sysbox not being able to use
Yes I certainly can:
(there of course is more output, so let me know if you think more would be helpful to see)
Thanks @top-oai.
That mount needs to have either But ID-mapped mounts with tmpfs only work in kernel 6.3+, and you have kernel 5.15. So the other solution is Can you provide the output of
Sure here is the log output: https://gist.github.com/top-oai/8f5922dc2f1af36cc0aebd282b0a6b08 Notably I see this at the top:
and I see this also (from https://github.com/nestybox/sysbox/blob/master/docs/user-guide/design.md#shiftfs-module):
Thanks;
That's the problem; strange however, since the next line says:
Thus, you must be hitting a bug we just found (and fixed) in the shiftfs checker. The fix is not yet released, however; it will be present in the upcoming v0.6.6 release (towards the end of this week).
Oh, wonderful! I look forward to trying it out, thank you!
This issue appears to still be present in the latest version:
sysbox-mgr logs:
Inside a pod:
Hi @jojonium, thanks for reporting. What's the underlying filesystem on the K8s node at
Is it I ask because
I'm running a pod in Kubernetes on a sysbox 0.6.5 runtime. In the Kubernetes spec, I've mounted a secret into a folder, and it's being mounted with owner nobody nogroup. This is no problem if we use the default k8s secret permissions of 0644, so all users can read, but if we choose to set e.g. defaultMode: 256 (0400 in octal) in the Kubernetes secret volume spec (which translates to 0400, where only the owner can read), then we're in trouble because neither root nor any other user owns a nobody file. In this case, I hit a permission denied error. When sysbox is not installed, or if sysbox 0.6.4 or 0.6.3 is installed (I didn't observe this erroneous behavior before upgrading), then the owner is properly set to root.

I'm running on Linux kernel 5.15.0-1067-azure (it's an Azure AKS node).

I'm installing specifically using https://raw.githubusercontent.com/nestybox/sysbox/8834a2d9b8eabbfeb2a2181b8649684e14a619f1/sysbox-k8s-manifests/sysbox-install.yaml as my sysbox k8s install spec with no modifications.

I define my secrets in my k8s spec with:
and
In this case I'm observing the same behavior on both Kubernetes versions 1.28.9 and 1.30.5.
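The following diagnostic is an added example, not code from the issue or from the sysbox project. It puts the two facts from the thread into one check a practitioner can run on a node and inside an affected pod: ID-mapped mounts over tmpfs (what the kubelet uses for secret volumes) need kernel 6.3+, otherwise sysbox depends on the shiftfs module; and when the secret's owner is the unmapped overflow id (nobody:nogroup, 65534), the container's root has no capability reach over the file, so only the "other" bits decide, which is why 0644 works and 0400 fails. The function names (kernel_at_least, idmapped_tmpfs_supported, shiftfs_available, secret_readable, report) are this example's own; it assumes GNU stat and the /sys/module layout, and ignores ACLs and capability overrides.

```shell
#!/bin/sh
# Added diagnostic for the failure mode described in this issue. Not part of
# sysbox; all helper names here are this example's own (hypothetical).
#
# Inside a sysbox system container, root is uid 0 of a user namespace. A file
# that appears as nobody:nogroup (65534) is owned by an id that is NOT mapped
# into that namespace, so CAP_DAC_OVERRIDE does not apply to it and only the
# "other" permission bits matter: 0644 is readable, 0400 is denied.

# kernel_at_least MAJOR MINOR RELEASE
# true if RELEASE (e.g. "5.15.0-1067-azure") is >= MAJOR.MINOR
kernel_at_least() {
  want_major=$1; want_minor=$2; release=$3
  major=${release%%.*}
  rest=${release#*.}
  minor=${rest%%.*}
  minor=${minor%%-*}          # tolerate "6.3-rc1"-style tails
  [ "$major" -gt "$want_major" ] ||
    { [ "$major" -eq "$want_major" ] && [ "$minor" -ge "$want_minor" ]; }
}

# ID-mapped mounts over tmpfs (kubelet secret volumes) need kernel 6.3+.
idmapped_tmpfs_supported() { kernel_at_least 6 3 "$1"; }

# Without ID-mapped tmpfs, sysbox needs the shiftfs module on the node.
# /sys/module/<name> exists for both loaded and built-in modules.
shiftfs_available() { [ -d /sys/module/shiftfs ]; }

# secret_readable OWNER_UID OWNER_GID MODE READER_UID READER_GID
# MODE is the octal string as the kubelet applies it ("0400", "644", ...).
# Plain DAC model for a reader whose capabilities cannot reach an unmapped
# owner; ignores ACLs and CAP_DAC_OVERRIDE.
secret_readable() {
  owner_uid=$1; owner_gid=$2; mode=$3; reader_uid=$4; reader_gid=$5
  perm=${mode#"${mode%???}"}        # keep the last three octal digits
  u=${perm%??}; g=${perm#?}; g=${g%?}; o=${perm#??}
  if [ "$owner_uid" -eq "$reader_uid" ]; then bit=$u
  elif [ "$owner_gid" -eq "$reader_gid" ]; then bit=$g
  else bit=$o
  fi
  [ $(( bit & 4 )) -ne 0 ]          # read bit of the applicable triplet
}

# report PATH: run inside the pod against the mounted secret file.
# Uses GNU stat (%u uid, %g gid, %a octal mode).
report() {
  path=$1
  out=$(stat -c '%u %g %a' "$path") || return 1
  set -- $out
  printf 'kernel %s: idmapped tmpfs %s, shiftfs %s\n' "$(uname -r)" \
    "$(idmapped_tmpfs_supported "$(uname -r)" && echo yes || echo no)" \
    "$(shiftfs_available && echo yes || echo no)"
  if secret_readable "$1" "$2" "$3" "$(id -u)" "$(id -g)"; then
    printf '%s owner %s:%s mode %s: readable by uid %s\n' "$path" "$1" "$2" "$3" "$(id -u)"
  else
    printf '%s owner %s:%s mode %s: permission denied expected for uid %s\n' "$path" "$1" "$2" "$3" "$(id -u)"
  fi
}

if [ "$#" -gt 0 ]; then report "$1"; fi
```

Copy the script into the pod and run it against a file from the secret volume (placeholders are hypothetical: `kubectl exec <pod> -- sh /tmp/check.sh /etc/secret/<key>`). On a 5.15 node without shiftfs it should print "idmapped tmpfs no, shiftfs no" and, for a defaultMode: 256 secret, "owner 65534:65534 mode 400: permission denied expected for uid 0", which is the combination the thread diagnoses.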