-
Notifications
You must be signed in to change notification settings - Fork 439
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
error: chmod <file> Operation not permitted #2645
Comments
Hi @sfrolich, The git clone feature is supported by default in gcsfuse releases from v2.3.0. I can clone other repositories using Thanks, |
Hi @Tulsishah I was using a random Public Github project to clone so you should be able to pick anyone and try it. Also you can just try to |
Cloning a repo inside a gcsfuse mounted directory worked for me without any problem with the both latest gcsfuse version (v2.5.0) and v2.3.2.
chown, and chperm are not supported in gcsfuse mounted directories as documented here. As in the above documentation, all the files/directories in a gcsfuse mount are owned by the UID of the process that created that mount. This ownership can be set only once i.e. at the mount-time by passing the --uid and/or --gid configs to the gcsfuse mount command. For other users to be able to access the mount, pass If |
Hmmm, interesting. Read the doc you had above and my chmod is not being ignored. It does this:
I'm using the GCS Fuse CSI Driver gke.gcr.io/gcs-fuse-csi-driver:v1.7.0-gke.0. I think that is my problem that chmod is not being ignored. |
thanks @sfrolich for sharing more info.
For me it's consistently passing without actually changing permission. I think for you it's not being ignored because the error is being generated by the Linux kernel itself because the file in question (foo) is owned by root (UID=0) and it's being
Yes, that looks like the blocker here. You definitely have the write permissions on all the files here, so I am assuming that you have the permissions to create new files/directories too in here, so ideally chmod shouldn't even come into picture. Also, could you share the gcsfuse command that you're using to mount your bucket (feel free to hide the real bucket-name or dir-names) ? |
@gargnitingoogle you are right. I thought if you were part of the group on a file you could run chown but apparently you need to be user/owner. Sorry about that. The Strange thing is something has changed in 2 separate environments that result in the same issue. Where git clone used to work, it no longer does. Suspected it was a fuse change. Is there a way to specify the user |
@sfrolich My bad. I missed out on the fact that you're accessing gcsfuse mounts through gke csi driver. For passing uid, gid to gcsfuse mounts through csi driver, you need to pass them through the mountOptions attribute in the gcsfuse volume in the pod config yaml. Refer https://cloud.google.com/kubernetes-engine/docs/how-to/persistent-volumes/cloud-storage-fuse-csi-driver#consume-ephemeral-volume-pod for how/where to change gcsfuse mountOptions . You need to append Setting uid,gid on the mountOptions might cause other problems though e.g. Any file operations being done on the gcsfuse mount in the container's command may fail as the container would probably still be running as root user and then container run may run into a problem. I'd suggest moving the git clone (and other chmod command-sources) into your pod's container's command rather than changing the gcsfuse volume's uid/gid, if it's possible for you. |
@gargnitingoogle do you have any idea what has changed between the two versions? If this a CSI issue and not a driver issue? Without us changing anything on how we use the CSI driver git went from working to not working. |
I am not aware of any changes in the csi driver lately which might have affected file system permissions in the mounted directory. Please share your old gke cluster version and csi version, so that I could check with the gke team. |
The CSI Driver was: v1.3.2 |
Hi @sfrolich , This issue is easily reproducible by running This behavior makes sense to me; otherwise, it would create multiple security risks, as anyone can change the permission bit. I'm not sure how it worked before. Are you sure, there are no user/group related changes in the old working system? The recommendation would be to change the owner using the 'uid' option to get the git clone working. As the instructions provide by @gargnitingoogle in comment. In the meantime, I’ll confirm the behavior with the gcs-fuse-csi-driver team. Regards, |
I changed my uid and gid to match the current user's uid and gid and I got further. Now I'm running into this issue where I tried I also tried running |
Probably the git clone process or one of its sub-processes failed to write to .git/config file, probably because of some other permission issue. To debug this further, we need to look at your gcsfuse debug logs. Otherwise we're just shooting in the dark I think.
What is this issue ? |
Can't seem to get the trace logs to show. I tried the gcsfuseLoggingSeverity setting in both places below. Am I seeting it wrong?
|
Can you try adding - log-severity=trace under mountOptions similar to other flags. Can you try with 777 and check if its working? |
file-mode and dir-mode 777 didn't work either. root and 1000 user (to match the uid) didn't work either. I got the logs from doing a git clone attached. Thanks for going above and beyond on this. |
@sfrolich could you share the complete logs? I don't see the initial few log lines that log the GCSFuse configuration. |
downloaded-logs-20241202-135927.json
|
Here's another logs download with all the containers instead of just the gcs one. |
Describe the issue
When trying to run a chmod command on a file, I will get the error:
error: chmod <file> Operation not permitted
What I was actually trying to do is git clone a repo and the error I get from that is:
System & Version (please complete the following information):
Steps to reproduce the behavior with following information:
Additional context
I was able to git clone with v2.1.0 and with at least v2.3.2 I cannot git clone.
SLO:
We strive to respond to all bug reports within 24 business hours provided the information mentioned above is included.
The text was updated successfully, but these errors were encountered: