Running nfs-ganesha-server-and-external-provisioner as non-root user


Nishit Khosla

Jul 21, 2021, 5:43:01 AM7/21/21
to kubernetes-sig-storage
Hi,

We are looking at using the provisioner in a Kubernetes environment; however, we have stumbled upon a security problem, wherein we want to run the pods as a non-root user.

I believe the only way forward is running NFSv4 only; however, it seems the current implementation doesn't support it without updating the code. However, even after running it, we are getting the error below while mounting the share:


21/07/2021 08:53:34 : epoch 60f7e018 : nfs-ganesha-nfs-server-provisioner-0 : nfs-ganesha-20[svc_9] fsal_common_is_referral :FSAL :EVENT :Failed to get attrs for referral, handle: 0x7f9cdaf5b780, valid_mask: 0, request_mask: 82, supported: 0, error: Forbidden action
21/07/2021 08:53:34 : epoch 60f7e018 : nfs-ganesha-nfs-server-provisioner-0 : nfs-ganesha-20[svc_9] fsal_common_is_referral :FSAL :EVENT :Failed to get attrs for referral, handle: 0x7f9cdaf5b780, valid_mask: 0, request_mask: 82, supported: 0, error: Forbidden action

Has anyone tried running ganesha.nfsd as non-root inside a container and faced such an issue?

Also, it seems Kubernetes recommends running processes as non-root, and OpenShift mandates running pods as non-root. Hence, this becomes even more important for us.


Regards,
Nishit

Guy Margalit

Jul 21, 2021, 6:02:28 AM7/21/21
to Nishit Khosla, kubernetes-sig-storage
Hey Nishit

I haven't run it as non-root, but just a small point - Ganesha will call setresuid/setresgid in order to assume the client uid, so it requires the SETUID/SETGID capabilities enabled, and I'm not sure if those syscalls can even be called for non-root users... Maybe related to your forbidden error on getattrs?

See the code -

You might want to try specifying the pod/container securityPolicy to see if this resolves the issue:
```yaml
securityContext:
  capabilities:
    add: ["SETUID", "SETGID"]
  runAsUser: 0
  runAsGroup: 0
```

Regards



--
GUY MARGALIT (gmar...@redhat.com)
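Guy's point about setresuid needing CAP_SETUID can be verified from inside the pod before touching the manifest. The C probe below is an added example, not code from Ganesha or the provisioner: it reads CapEff from /proc/self/status (CAP_SETUID is capability number 7 on Linux), attempts the same effective-uid switch Ganesha performs, and reports whether the two agree; the target uid 65534 is a constructed value.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Prototypes in case _GNU_SOURCE was not defined before <unistd.h>. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
#define CAP_SETUID_BIT 7 /* capability number from <linux/capability.h> */

/* CapEff from /proc/self/status: 1 if bit set, 0 if not, -1 if no /proc. */
int has_effective_cap(int bit) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256]; int result = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            unsigned long long mask = strtoull(line + 7, NULL, 16);
            result = (int)((mask >> bit) & 1ULL);
            break;
        }
    }
    fclose(f);
    return result;
}

/* Assume a client uid as Ganesha does (setresuid on the effective uid), then switch back; returns 0 or errno. */
int try_assume_uid(uid_t target) {
    uid_t ruid, euid, suid;
    if (getresuid(&ruid, &euid, &suid) != 0) return errno;
    if (setresuid((uid_t)-1, target, (uid_t)-1) != 0) return errno;
    /* Switching back is allowed because the real/saved uid is unchanged. */
    if (setresuid((uid_t)-1, euid, (uid_t)-1) != 0) return errno;
    return 0;
}

/* 1 when the syscall outcome agrees with CapEff, or the probe is inconclusive (no /proc, or uid unmapped). */
int cap_matches_syscall(void) {
    uid_t target = geteuid() == 65534 ? 65533 : 65534; /* constructed uid */
    int cap = has_effective_cap(CAP_SETUID_BIT);
    int r = try_assume_uid(target);
    if (cap < 0 || r == EINVAL) return 1;
    return cap ? r == 0 : r == EPERM;
}

int main(void) {
    printf("CAP_SETUID=%d consistent=%d\n",
           has_effective_cap(CAP_SETUID_BIT), cap_matches_syscall());
    return 0;
}
```

Run it under the pod's securityContext: a non-root user without CAP_SETUID gets EPERM from setresuid, which is the same class of failure Ganesha hits when it tries to assume a client uid.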

Nishit Khosla

Jul 21, 2021, 6:20:33 AM7/21/21
to Guy Margalit, kubernetes-sig-storage
If I make the changes as proposed by you, with runAsUser and runAsGroup set to "0", then it works fine. I actually don't need the "SETUID" and "SETGID" capabilities. I tried setting these capabilities with a user other than 0 and it doesn't work.

However, the security concern is running as root itself as referenced in 11 Ways (Not) to Get Hacked | Kubernetes.

Regards,
Nishit