GoogleCloudPlatform / gcsfuse

A user-space file system for interacting with Google Cloud Storage
https://cloud.google.com/storage/docs/gcs-fuse
Apache License 2.0

Examples for typical use cases? #210

Closed ckmaresca closed 7 years ago

ckmaresca commented 7 years ago

Could you all write up some examples in the docs for how to set up fstab in typical use cases?

My particular use case is we need a common storage for a load-balanced webserver cluster, which means mounting a bucket read/write (for the web server user, in this case www-data) across a number of servers... This is a pretty common use case in web-apps, but I couldn't find anywhere that showed how this might work. The closest I got was this SO post http://serverfault.com/questions/750640/permission-errors-using-gcsfuse-as-nonroot-user-on-google-compute-instance

I did finally get it working, but I'm sure it's wrong as I had to set the dir perms to 777 (not what I wanted). I'm thinking this should really be in the docs somewhere instead of vague references to allow_others with caveats about how your world will implode if you use it....

Oh, and in case anyone is looking for it, here is the fstab entry that finally worked:

```
your-bucket-name /mnt/bucket gcsfuse rw,auto,user,dir_mode=777,file_mode=666,allow_other,key_file=/path/to/your/key.json
```

Note: I have not rebooted yet to see if this persists, but it should (theoretically). What I really wanted to do was restrict writes to a specific group, but none of the group_id, dir_mode or default_permissions flags worked. Seems like permissions are all or nothing, which is kinda useless... Of course, there is every likelihood that I'm just clueless, which is why I'm asking for better docs.
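One way to audit an fstab entry like the one above for the all-or-nothing permission problem this post describes, as an added example that is neither part of the thread nor gcsfuse's own code: it flags world-writable `dir_mode`/`file_mode` on a mount shared through `allow_other`, and a shared mount that names no `uid=`/`gid=`. The tightened second sample line is an assumption: it presumes gcsfuse's mount helper accepts `uid=` and `gid=` (check the gcsfuse mounting docs for your version) and that `www-data` is uid/gid 33 as on Debian-based images.

```python
# Constructed sample fstab: line 1 is the entry posted in the thread; line 2 is a hypothetical
# tightened variant (assumes gcsfuse accepts uid=/gid= and that www-data is uid/gid 33).
FSTAB_SAMPLE = """
# <bucket>       <mount point>  <type>   <options>
your-bucket-name /mnt/bucket    gcsfuse  rw,auto,user,dir_mode=777,file_mode=666,allow_other,key_file=/path/to/your/key.json
your-bucket-name /mnt/bucket    gcsfuse  rw,auto,user,uid=33,gid=33,dir_mode=750,file_mode=640,allow_other,key_file=/path/to/your/key.json
"""


def parse_options(opt_field):
    """Turn 'rw,dir_mode=777,allow_other' into {'rw': None, 'dir_mode': '777', 'allow_other': None}."""
    opts = {}
    for item in opt_field.split(","):
        key, sep, value = item.partition("=")
        opts[key] = value if sep else None
    return opts


def audit_entry(opt_field):
    """Return a list of findings for one gcsfuse option string; an empty list means nothing flagged."""
    opts = parse_options(opt_field)
    shared = "allow_other" in opts
    findings = []
    for key in ("dir_mode", "file_mode"):
        if key in opts and int(opts[key], 8) & 0o002:  # 'other' write bit set
            suffix = " (shared via allow_other)" if shared else ""
            findings.append(f"{key}={opts[key]} is world-writable{suffix}")
    if shared and not ("uid" in opts and "gid" in opts):
        # Without an explicit owner, ownership falls back to whoever ran the mount
        # (root for a boot-time mount), so mode bits cannot be scoped to the web server account.
        findings.append("allow_other set but no uid=/gid=: mode bits cannot be scoped to one account")
    return findings


def audit_fstab(text):
    """Audit every gcsfuse entry in fstab-formatted text; returns [(entry_line, findings), ...]."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "gcsfuse":
            results.append((line, audit_entry(fields[3])))
    return results


if __name__ == "__main__":
    for entry, findings in audit_fstab(FSTAB_SAMPLE):
        print(entry)
        for finding in findings:
            print("  -", finding)
```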

jacobsa commented 7 years ago

The existing documentation has an example for the single-user case. I'm not willing to add an example for the multi-user case until I see a proof that it's not a bad idea security-wise. I don't understand the issues well enough to write that myself, but would be happy if you're able to write one.

ckmaresca commented 7 years ago

What a cop-out. If you don't know how to do this as the primary developer and can't get the resources/expertise from your peers at Google to help figure this out (for what is apparently an official project), how on earth is anyone else going to do it?

As it stands, we (users or perhaps victims) are all hacking things together with no guidance making things even worse and less secure (e.g. making buckets 777 since that is the only thing that apparently works because no one at Google knows how to do it any more securely). Maybe the official GCP documentation should stop saying Cloud Storage is a good way to share files between instances until this is figured out.

Yeah, I know, I'm sure it's above your paygrade, but if GCP is actually trying to compete with AWS and S3, making your products more robust and better documented would go a long way to making the platform more usable...

jacobsa commented 7 years ago

This has nothing to do with gcsfuse; it is a general fuse and kernel security concern documented here. I have neither the power to change the existing behavior nor the expertise to know whether circumventing it is a good idea. Please feel free to ask the fuse maintainers, the kernel mailing list, or some other expert. I'm only offering to republish your findings if you come up with them.