eclipsesource / theia-cloud-helm

Eclipse Public License 2.0

IDE's user theia can not write to the mount path #23

Closed longfei-zhang closed 1 year ago

longfei-zhang commented 1 year ago

image

```text
total 0
drwxr-xr-x 2 root  root   6 May  8 07:28 .
drwxr-xr-x 1 theia theia 23 May  8 07:28 ..

theia@e2231485-bb14-47ee-b3d0-52443fc24a2b-deployment-longfei-zhqwlcs:/home/project/persisted$ touch test
touch: cannot touch 'test': Permission denied
```

I searched the configuration but had no luck; can anyone tell me where to configure this?

longfei-zhang commented 1 year ago

Here is the deploy info:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "1"
  creationTimestamp: "2023-05-08T07:28:39Z"
  generation: 1
  name: e2231485-bb14-47ee-b3d0-52443fc24a2b-deployment-longfei-zhangz
  namespace: theia-cloud-env
  ownerReferences:
  - apiVersion: theia.cloud/v2beta
    kind: Session
    name: ws-asdfghjkl-theia-cloud-demo-longfei-zhang-easystack-cn-session
    uid: e2231485-bb14-47ee-b3d0-52443fc24a2b
  resourceVersion: "18161695"
  uid: ca1653b2-8358-47ba-9db1-99d99646fadf
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: ws-asdfghjkl-theia-cloud-demo-longfei-zhang-easystack-cn-sessi
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      annotations:
        kubernetes.io/egress-bandwidth: 30000k
        kubernetes.io/ingress-bandwidth: 30000k
      creationTimestamp: null
      labels:
        app: ws-asdfghjkl-theia-cloud-demo-longfei-zhang-easystack-cn-sessi
    spec:
      automountServiceAccountToken: false
      containers:
      - env:
        - name: THEIA_CLOUD_APP_ID
          value: asdfghjkl
        - name: THEIA_CLOUD_SERVICE_URL
          value: https://service.172.18.0.189.nip.io
        - name: THEIA_CLOUD_SESSION_UID
          value: e2231485-bb14-47ee-b3d0-52443fc24a2b
        - name: THEIA_CLOUD_SESSION_NAME
          value: ws-asdfghjkl-theia-cloud-demo-longfei-zhang-easystack-cn-session
        - name: THEIA_CLOUD_SESSION_USER
          value: longfei.zhang@easystack.cn
        - name: THEIA_CLOUD_SESSION_URL
          value: https://ws.172.18.0.189.nip.io/e2231485-bb14-47ee-b3d0-52443fc24a2b/
        image: theiacloud/theia-cloud-demo:0.8.0.MS8
        imagePullPolicy: Always
        name: theia-cloud-demo
        ports:
        - containerPort: 3000
          protocol: TCP
        resources:
          limits:
            cpu: "2"
            memory: 1200M
          requests:
            cpu: 100m
            memory: 1G
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /home/project/persisted
          name: user-data
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
      volumes:
      - name: user-data
        persistentVolumeClaim:
          claimName: cb060dba-34be-4dd5-90c1-c73b4bbf7f21-pvc-ws-asdfghjkl-theia-cl
status:
  availableReplicas: 1
  conditions:
  - lastTransitionTime: "2023-05-08T07:28:59Z"
    lastUpdateTime: "2023-05-08T07:28:59Z"
    message: Deployment has minimum availability.
    reason: MinimumReplicasAvailable
    status: "True"
    type: Available
  - lastTransitionTime: "2023-05-08T07:28:39Z"
    lastUpdateTime: "2023-05-08T07:28:59Z"
    message: ReplicaSet "e2231485-bb14-47ee-b3d0-52443fc24a2b-deployment-longfei-zhangz-b5bd8c487"
      has successfully progressed.
    reason: NewReplicaSetAvailable
    status: "True"
    type: Progressing
  observedGeneration: 1
  readyReplicas: 1
  replicas: 1
  updatedReplicas: 1
```

The `securityContext: {}` is empty.

Here is the app info; the uid is the default 101:

```yaml
apiVersion: theia.cloud/v4beta
kind: AppDefinition
metadata:
  annotations:
    meta.helm.sh/release-name: theia-cloud-release
    meta.helm.sh/release-namespace: theia-cloud-env
  creationTimestamp: "2023-05-06T02:47:46Z"
  generation: 2
  labels:
    app.kubernetes.io/managed-by: Helm
  name: theia-cloud-demo
  namespace: theia-cloud-env
  resourceVersion: "18158919"
  uid: 0dca8db6-bc0f-43ae-8916-e89a160db452
spec:
  downlinkLimit: 30000
  host: ws.172.18.0.189.nip.io
  image: theiacloud/theia-cloud-demo:0.8.0.MS8
  imagePullPolicy: Always
  ingressname: theia-cloud-demo-ws-ingress
  limitsCpu: "2"
  limitsMemory: 1200M
  maxInstances: 10
  minInstances: 0
  mountPath: /home/project/persisted
  name: theia-cloud-demo
  port: 3000
  requestsCpu: 100m
  requestsMemory: 1000M
  timeout:
    limit: 0
    strategy: FIXEDTIME
  uid: 101
  uplinkLimit: 30000
```

longfei-zhang commented 1 year ago

Tried to edit the deploy to add:

```yaml
        fsGroup: 0
        runAsGroup: 0
        runAsUser: 0
```

This will solve the problem, but I still don't know how to grant theia permission to write to root's folder.

jfaltermeier commented 1 year ago

Hi, is this with a minikube cluster? Then this might be a minikube only issue. Please have a look here: https://github.com/eclipsesource/theia-cloud/blob/0.8.0-MS8/doc/docs/platforms/Minikube.md#install-and-start-minikube

You can mount a directory with the expected user rights manually:

```shell
# create the directory that will be mounted
mkdir ~/tmp/minikube

# mount into minikube with expected uids (id of the user in your docker image)
minikube mount ~/tmp/minikube:/tmp/hostpath-provisioner/theia-cloud --uid 101 --gid 101
```

Please let us know if this works for you; then we may re-add this to the documentation.

longfei-zhang commented 1 year ago

Hi @jfaltermeier, no, it's not a minikube cluster. I'm working on a plain K8S cluster.

```text
[root@node-1 ~]# kubectl version

Client Version: version.Info{Major:"1", Minor:"20+", GitVersion:"v1.20.14-es", GitCommit:"d687c6bdbefb31e33b117e94da0da1238b0191e0", GitTreeState:"clean", BuildDate:"2022-05-12T11:38:55Z", GoVersion:"go1.15.15", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"20+", GitVersion:"v1.20.14-es", GitCommit:"d687c6bdbefb31e33b117e94da0da1238b0191e0", GitTreeState:"clean", BuildDate:"2022-05-12T11:38:38Z", GoVersion:"go1.15.15", Compiler:"gc", Platform:"linux/amd64"}
[root@node-1 ~]#
```

jfaltermeier commented 1 year ago

Hi, I had a look and I think I understood what is going on. I think you are using a configuration without keycloak but with persistent storage. Here the problem is that we assumed that the user in the session will always be a generated new id per session and so mapping a previously used storage to an anonymous user is not possible. So we haven't tested this configuration.

The template we are using for authenticated deployments is here: https://github.com/eclipsesource/theia-cloud/blob/main/java/operator/org.eclipse.theia.cloud.operator/src/main/resources/templateDeployment.yaml This contains:

```yaml
          securityContext:
            runAsUser: placeholder-uid
            runAsGroup: placeholder-uid
      securityContext:
        fsGroup: placeholder-uid
```

This needs to be added here as well: https://github.com/eclipsesource/theia-cloud/blob/main/java/operator/org.eclipse.theia.cloud.operator/src/main/resources/templateDeploymentWithoutOAuthProxy.yaml

I have filed https://github.com/eclipsesource/theia-cloud/issues/176. Contributions are welcome!
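As an added example (not code from theia-cloud or its operator), here is a small Python lint that checks a Deployment's securityContext against the AppDefinition uid for the three states seen in this thread: the empty `securityContext: {}` as reported, the `runAsUser: 0` workaround, and the template's fsGroup/runAsUser/runAsGroup layout. The manifests are constructed skeletons of the Deployment pasted above, and all function and constant names are mine.

```python
from typing import Dict, List, Optional

# Constructed skeleton mirroring the Deployment pasted in this issue
# (only the fields the check needs are kept).
def theia_deployment(pod_sc: Dict, container_sc: Optional[Dict] = None) -> Dict:
    container = {
        "name": "theia-cloud-demo",
        "image": "theiacloud/theia-cloud-demo:0.8.0.MS8",
        "volumeMounts": [{"mountPath": "/home/project/persisted", "name": "user-data"}],
    }
    if container_sc is not None:
        container["securityContext"] = container_sc
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "spec": {"template": {"spec": {"securityContext": pod_sc,
                                           "containers": [container]}}}}

APP_UID = 101  # AppDefinition spec.uid from the issue

AS_REPORTED = theia_deployment({})                                        # securityContext: {}
ROOT_WORKAROUND = theia_deployment({"fsGroup": 0, "runAsGroup": 0, "runAsUser": 0})
TEMPLATE_FIX = theia_deployment({"fsGroup": APP_UID},
                                {"runAsUser": APP_UID, "runAsGroup": APP_UID})

def check_security_context(deployment: Dict, app_uid: int) -> List[str]:
    """Return findings; an empty list means the pod will write to the PVC as app_uid."""
    findings = []
    pod_spec = deployment["spec"]["template"]["spec"]
    pod_sc = pod_spec.get("securityContext") or {}
    fs_group = pod_sc.get("fsGroup")
    if fs_group is None:
        findings.append("pod.securityContext.fsGroup unset: mounted PVC stays root-owned")
    elif fs_group == 0:
        findings.append("pod.securityContext.fsGroup is 0: volume handed to the root group")
    elif fs_group != app_uid:
        findings.append(f"fsGroup {fs_group} differs from AppDefinition uid {app_uid}")
    for c in pod_spec.get("containers", []):
        # Container-level settings override pod-level ones, so merge before judging.
        sc = {**pod_sc, **(c.get("securityContext") or {})}
        uid = sc.get("runAsUser")
        if uid == 0:
            findings.append(f"container {c['name']} runs as root (runAsUser: 0)")
        elif uid not in (None, app_uid):
            findings.append(f"container {c['name']} runAsUser {uid} != AppDefinition uid {app_uid}")
        if uid is None and sc.get("runAsNonRoot") is not True:
            # The operator template pins runAsUser; unset means the uid comes from the image USER.
            findings.append(f"container {c['name']}: runAsUser unset, relying on the image USER")
    return findings
```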

longfei-zhang commented 1 year ago

Hi, in my case I enabled Keycloak for auth; my login user is 'longfei', and we can find my username inside the deploy's name, the session's name and some other places. I guess I changed some configuration that might have affected the OAuth Proxy part (but I can't remember).

image

If the OAuth Proxy config is correct then we can see two containers in the IDE pod, but it's showing only one container (the first pod in my screenshot).

I deployed a new Theia Cloud in another cluster:

image

This time the pods look correct and I can find the oauth2-proxy container definition in the deploy. And the permission issue does not exist in my new cluster.

longfei-zhang commented 1 year ago

Can I close this issue?

longfei-zhang commented 1 year ago

Here is the fix: https://github.com/eclipsesource/theia-cloud/pull/177