How to change user and group owner for VolumeMount

7/27/2018

I want to set up a pod and there are two containers running inside the pod, which try to access a mounted file /var/run/udspath. In container serviceC, I need to change the file and group owner of /var/run/udspath, so I add a command into the yaml file. But it does not work.

kubectl apply does not complain, but container serviceC is not created. Without this "command: ['/bin/sh', '-c', 'sudo chown 1337:1337 /var/run/udspath']", the container could be created.

apiVersion: v1
kind: Service
metadata:
  name: clitool
  labels:
    app: httpbin
spec:
  ports:
  - name: http
    port: 8000
  selector:
    app: httpbin
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  creationTimestamp: null
  name: clitool
spec:
  replicas: 1
  strategy: {}
  template:
    metadata:
      annotations:
        sidecar.istio.io/status: '{"version":"1c09c07e5751560367349d807c164267eaf5aea4018b4588d884f7d265cf14a4","initContainers":["istio-init"],"containers":["serviceC"],"volumes":["istio-envoy","istio-certs"],"imagePullSecrets":null}'
      creationTimestamp: null
      labels:
        app: httpbin
        version: v1
    spec:
      containers:
      - image:
        name: serviceA
        imagePullPolicy: IfNotPresent
        volumeMounts:
        - mountPath: /var/run/udspath
          name: sdsudspath
      - image:
        imagePullPolicy: IfNotPresent
        name: serviceB
        ports:
        - containerPort: 8000
        resources: {}
      - args:
        - proxy
        - sidecar
        - --configPath
        - /etc/istio/proxy
        - --binaryPath
        - /usr/local/bin/envoy
        - --serviceCluster
        - httpbin
        - --drainDuration
        - 45s
        - --parentShutdownDuration
        - 1m0s
        - --discoveryAddress
        - istio-pilot.istio-system:15007
        - --discoveryRefreshDelay
        - 1s
        - --zipkinAddress
        - zipkin.istio-system:9411
        - --connectTimeout
        - 10s
        - --statsdUdpAddress
        - istio-statsd-prom-bridge.istio-system:9125
        - --proxyAdminPort
        - "15000"
        - --controlPlaneAuthPolicy
        - NONE
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: ISTIO_META_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: ISTIO_META_INTERCEPTION_MODE
          value: REDIRECT
        image:
        imagePullPolicy: IfNotPresent
        command: ["/bin/sh"]
        args: ["-c", "sudo chown 1337:1337 /var/run/udspath"]
        name: serviceC
        resources:
          requests:
            cpu: 10m
        securityContext:
          privileged: false
          readOnlyRootFilesystem: true
          runAsUser: 1337
        volumeMounts:
        - mountPath: /etc/istio/proxy
          name: istio-envoy
        - mountPath: /etc/certs/
          name: istio-certs
          readOnly: true
        - mountPath: /var/run/udspath
          name: sdsudspath
      initContainers:
      - args:
        - -p
        - "15001"
        - -u
        - "1337"
        - -m
        - REDIRECT
        - -i
        - '*'
        - -x
        - ""
        - -b
        - 8000,
        - -d
        - ""
        image: docker.io/quanlin/proxy_init:180712-1038
        imagePullPolicy: IfNotPresent
        name: istio-init
        resources: {}
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
          privileged: true
      volumes:
      - name: sdsudspath
        hostPath:
          path: /var/run/udspath
      - emptyDir:
          medium: Memory
        name: istio-envoy
      - name: istio-certs
        secret:
          optional: true
          secretName: istio.default
status: {}
---

kubectl describe pod xxx shows that

  serviceC:
    Container ID:  
    Image:         
    Image ID:      
    Port:          <none>
    Command:
      /bin/sh
    Args:
      -c
      sudo chown 1337:1337 /var/run/udspath
    State:          Waiting
      Reason:       CrashLoopBackOff
    Last State:     Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Mon, 30 Jul 2018 10:30:04 -0700
      Finished:     Mon, 30 Jul 2018 10:30:04 -0700
    Ready:          False
    Restart Count:  2
    Requests:
      cpu:  10m
    Environment:
      POD_NAME:                      clitool-5d548b856-6v9p9 (v1:metadata.name)
      POD_NAMESPACE:                 default (v1:metadata.namespace)
      INSTANCE_IP:                    (v1:status.podIP)
      ISTIO_META_POD_NAME:           clitool-5d548b856-6v9p9 (v1:metadata.name)
      ISTIO_META_INTERCEPTION_MODE:  REDIRECT
    Mounts:
      /etc/certs/ from certs (ro)
      /etc/istio/proxy from envoy (rw)
      /var/run/udspath from sdsudspath (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-g2zzv (ro)
-- JimmyCYJ
kubernetes

1 Answer

7/27/2018

More information would be helpful, such as what error you are getting.

Nevertheless, it really depends on what is defined in ServiceC's Dockerfile ENTRYPOINT or CMD.

Mapping between docker and kubernetes:

Docker Entrypoint --> Pod command (The command run by the container)

Docker cmd --> Pod args (The arguments passed to the command)

https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/

-- Bal Chua
Source: StackOverflow
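
Added example (not part of the question or the answer): the describe output above shows the overriding command finishing with exit code 0, after which serviceC has nothing left to run and is restarted. One way to do the ownership change is a one-shot init container, leaving serviceC's own entrypoint in place. The Pod name, init container name, `busybox` image, `service-c` name and the image placeholder are assumptions.

```yaml
# Added example, not the asker's manifest. Names and images marked below are assumptions.
apiVersion: v1
kind: Pod
metadata:
  name: clitool-example            # hypothetical name
spec:
  initContainers:
  # One-shot step: runs to completion before the app containers start,
  # so exiting with code 0 is the expected outcome here.
  - name: fix-uds-owner            # hypothetical name
    image: busybox                 # assumption: any image that ships chown
    command: ["chown", "1337:1337", "/var/run/udspath"]
    securityContext:
      runAsUser: 0                 # changing the owner to another UID needs root
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
        add: ["CHOWN"]             # the only capability this step uses
    volumeMounts:
    - name: sdsudspath
      mountPath: /var/run/udspath
  containers:
  # No command/args override for the chown: the image's long-running
  # process stays the container's main process.
  - name: service-c                # stands in for serviceC from the question
    image: <serviceC-image>        # placeholder: the page elides the image
    securityContext:
      privileged: false
      readOnlyRootFilesystem: true
      runAsUser: 1337              # unchanged from the question
    volumeMounts:
    - name: sdsudspath
      mountPath: /var/run/udspath
  volumes:
  - name: sdsudspath
    hostPath:
      path: /var/run/udspath       # chown on a hostPath changes ownership on the node itself
```

Because the volume is a hostPath, the ownership change persists on the node and is visible to every pod that mounts the same path.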