NFS volume created with nobody:nobody ownership. How to configure correctly?

keithB · January 2, 2024, 8:46am

i have storage-class that dynamically provision nfs volume. when i execute claim the volume is created as nobody:nobody on the remote nfs and from reading i assume it relate to the fact that the claim is forwarded to the nfs as root user, what is the correct way to setup the nfs or the claim ?

rolandHawkins · January 2, 2024, 8:53am

It depends on your cloud provider.
On Azure, you could create a volumeclaimtemplate where you could specify storageclassname. And then setup the claim as you expected.

rolandHawkins · January 2, 2024, 8:59am

Setup NFS example

mount -t nfs -o tcp,rw,async,vers=3 NFS-Server:ServerPath LocalPath

Created PersistentVolumeClaim example

apiVersion: v1
metadata:
  name: customdb-writerpool-volume-rack2-v0-1
  namespace: customdb-system
  labels:
    <http://app.kubernetes.io/component|app.kubernetes.io/component>: customdb-installation
    <http://app.kubernetes.io/instance|app.kubernetes.io/instance>: customdb
    <http://app.kubernetes.io/managed-by|app.kubernetes.io/managed-by>: customdb-operator
    <http://app.kubernetes.io/name|app.kubernetes.io/name>: customdb-installation
    <http://app.kubernetes.io/namespace|app.kubernetes.io/namespace>: customdb-system
    <http://app.kubernetes.io/part-of|app.kubernetes.io/part-of>: customdb-installation
    <http://app.kubernetes.io/version|app.kubernetes.io/version>: 0.0.1
    <http://customdb.datastax.com/rack|customdb.datastax.com/rack>: rack2
    <http://customdb.datastax.com/writerpool-name|customdb.datastax.com/writerpool-name>: rack2
    <http://customdb.datastax.com/writerpool-revision|customdb.datastax.com/writerpool-revision>: '1'
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 500Gi
  storageClassName: local-path
  volumeMode: Filesystem```

keithB · January 2, 2024, 9:55am

the is no credentials here although. the pv is created on the nfs it just matter of permission on nfs that crack it to nobody:nobody probably as a result of root user use during provisionning

rolandHawkins · January 2, 2024, 10:23am

Believe you could specify credentials through NFS mount as following

mount -t nfs -o tcp,rw,async,vers=3, username=svc_account,password=password, NFS-Server:ServerPath LocalPath

keithB · January 2, 2024, 11:20am

wait i think we misunderstand each other.

• i installed csi-nfs-driver as provisioner.

keithB · January 2, 2024, 12:07pm

created storageclass:
apiVersion: http://storage.k8s.io/v1|storage.k8s.io/v1
kind: StorageClass
metadata:
name: harbor-database
provisioner: http://nfs.csi.k8s.io|nfs.csi.k8s.io
parameters:
server: 10.254.254.6
share: /harbor_repository/database
reclaimPolicy: Retain
allowVolumeExpansion: true
volumeBindingMode: Immediate
mountOptions:

nfsvers=4.1

rolandHawkins · January 2, 2024, 12:43pm

The PVC has following fields you could play with
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#persistentvolumeclaimspec-v1-core

keithB · January 2, 2024, 12:58pm

created a claim:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: pvc

namespace: harbor-repo

spec:
storageClassName: harbor-database
accessModes:
- ReadWriteMany
resources:
requests:
storage: 3Gi

the pv that is created on the nfs is with nobody:nobody permissions

keithB · January 2, 2024, 1:56pm

ok will try to hardcode to filesystem

rolandHawkins · January 2, 2024, 2:32pm

the Pod fails to read/write ?

keithB · January 2, 2024, 3:20pm

the pod failes to create relevent dir of pgdata under it and i suspect it due to permission of the owner dir since when i change that manually he was able to write what he needed

rolandHawkins · January 2, 2024, 3:35pm

Check the storageClass dynamic mechanism on the platform