Closed longfei-zhang closed 1 year ago
Here is the deploy info:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "1"
  creationTimestamp: "2023-05-08T07:28:39Z"
  generation: 1
  name: e2231485-bb14-47ee-b3d0-52443fc24a2b-deployment-longfei-zhangz
  namespace: theia-cloud-env
  ownerReferences:
  - apiVersion: theia.cloud/v2beta
    kind: Session
    name: ws-asdfghjkl-theia-cloud-demo-longfei-zhang-easystack-cn-session
    uid: e2231485-bb14-47ee-b3d0-52443fc24a2b
  resourceVersion: "18161695"
  uid: ca1653b2-8358-47ba-9db1-99d99646fadf
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: ws-asdfghjkl-theia-cloud-demo-longfei-zhang-easystack-cn-sessi
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      annotations:
        kubernetes.io/egress-bandwidth: 30000k
        kubernetes.io/ingress-bandwidth: 30000k
      creationTimestamp: null
      labels:
        app: ws-asdfghjkl-theia-cloud-demo-longfei-zhang-easystack-cn-sessi
    spec:
      automountServiceAccountToken: false
      containers:
      - env:
        - name: THEIA_CLOUD_APP_ID
          value: asdfghjkl
        - name: THEIA_CLOUD_SERVICE_URL
          value: https://service.172.18.0.189.nip.io
        - name: THEIA_CLOUD_SESSION_UID
          value: e2231485-bb14-47ee-b3d0-52443fc24a2b
        - name: THEIA_CLOUD_SESSION_NAME
          value: ws-asdfghjkl-theia-cloud-demo-longfei-zhang-easystack-cn-session
        - name: THEIA_CLOUD_SESSION_USER
          value: longfei.zhang@easystack.cn
        - name: THEIA_CLOUD_SESSION_URL
          value: https://ws.172.18.0.189.nip.io/e2231485-bb14-47ee-b3d0-52443fc24a2b/
        image: theiacloud/theia-cloud-demo:0.8.0.MS8
        imagePullPolicy: Always
        name: theia-cloud-demo
        ports:
        - containerPort: 3000
          protocol: TCP
        resources:
          limits:
            cpu: "2"
            memory: 1200M
          requests:
            cpu: 100m
            memory: 1G
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /home/project/persisted
          name: user-data
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
      volumes:
      - name: user-data
        persistentVolumeClaim:
          claimName: cb060dba-34be-4dd5-90c1-c73b4bbf7f21-pvc-ws-asdfghjkl-theia-cl
status:
  availableReplicas: 1
  conditions:
  - lastTransitionTime: "2023-05-08T07:28:59Z"
    lastUpdateTime: "2023-05-08T07:28:59Z"
    message: Deployment has minimum availability.
    reason: MinimumReplicasAvailable
    status: "True"
    type: Available
  - lastTransitionTime: "2023-05-08T07:28:39Z"
    lastUpdateTime: "2023-05-08T07:28:59Z"
    message: ReplicaSet "e2231485-bb14-47ee-b3d0-52443fc24a2b-deployment-longfei-zhangz-b5bd8c487"
      has successfully progressed.
    reason: NewReplicaSetAvailable
    status: "True"
    type: Progressing
  observedGeneration: 1
  readyReplicas: 1
  replicas: 1
  updatedReplicas: 1
```
The `securityContext: {}` is empty.
Here is the app info; the uid is the default 101:
```yaml
apiVersion: theia.cloud/v4beta
kind: AppDefinition
metadata:
  annotations:
    meta.helm.sh/release-name: theia-cloud-release
    meta.helm.sh/release-namespace: theia-cloud-env
  creationTimestamp: "2023-05-06T02:47:46Z"
  generation: 2
  labels:
    app.kubernetes.io/managed-by: Helm
  name: theia-cloud-demo
  namespace: theia-cloud-env
  resourceVersion: "18158919"
  uid: 0dca8db6-bc0f-43ae-8916-e89a160db452
spec:
  downlinkLimit: 30000
  host: ws.172.18.0.189.nip.io
  image: theiacloud/theia-cloud-demo:0.8.0.MS8
  imagePullPolicy: Always
  ingressname: theia-cloud-demo-ws-ingress
  limitsCpu: "2"
  limitsMemory: 1200M
  maxInstances: 10
  minInstances: 0
  mountPath: /home/project/persisted
  name: theia-cloud-demo
  port: 3000
  requestsCpu: 100m
  requestsMemory: 1000M
  timeout:
    limit: 0
    strategy: FIXEDTIME
  uid: 101
  uplinkLimit: 30000
```
Tried to edit the deploy to add:
```yaml
fsGroup: 0
runAsGroup: 0
runAsUser: 0
```
This will solve the problem, but I still don't know how to let theia write to root's folder.
Hi, is this with a minikube cluster? Then this might be a minikube only issue. Please have a look here: https://github.com/eclipsesource/theia-cloud/blob/0.8.0-MS8/doc/docs/platforms/Minikube.md#install-and-start-minikube
You can mount a directory with the expected user rights manually:
```shell
# create the directory that will be mounted
mkdir ~/tmp/minikube
# mount into minikube with expected uids (id of the user in your docker image)
minikube mount ~/tmp/minikube:/tmp/hostpath-provisioner/theia-cloud --uid 101 --gid 101
```
Please let us know if this works for you; then we may re-add it to the documentation.
Hi @jfaltermeier, no, it's not a minikube cluster. I'm working on a plain K8S cluster.
```text
[root@node-1 ~]# kubectl version
Client Version: version.Info{Major:"1", Minor:"20+", GitVersion:"v1.20.14-es", GitCommit:"d687c6bdbefb31e33b117e94da0da1238b0191e0", GitTreeState:"clean", BuildDate:"2022-05-12T11:38:55Z", GoVersion:"go1.15.15", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"20+", GitVersion:"v1.20.14-es", GitCommit:"d687c6bdbefb31e33b117e94da0da1238b0191e0", GitTreeState:"clean", BuildDate:"2022-05-12T11:38:38Z", GoVersion:"go1.15.15", Compiler:"gc", Platform:"linux/amd64"}
[root@node-1 ~]#
```
Hi, I had a look and I think I understood what is going on. I think you are using a configuration without keycloak but with persistent storage. Here the problem is that we assumed that the user in the session will always be a generated new id per session and so mapping a previously used storage to an anonymous user is not possible. So we haven't tested this configuration.
The template we are using for authenticated deployments is here: https://github.com/eclipsesource/theia-cloud/blob/main/java/operator/org.eclipse.theia.cloud.operator/src/main/resources/templateDeployment.yaml This contains:
```yaml
securityContext:
  runAsUser: placeholder-uid
  runAsGroup: placeholder-uid
```
and
```yaml
securityContext:
  fsGroup: placeholder-uid
```
This needs to be added here as well: https://github.com/eclipsesource/theia-cloud/blob/main/java/operator/org.eclipse.theia.cloud.operator/src/main/resources/templateDeploymentWithoutOAuthProxy.yaml
I have filed https://github.com/eclipsesource/theia-cloud/issues/176 Contributions are welcome!
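As an added example (not code from the theia-cloud project or from anyone in this thread): a small Python audit of a pod spec that captures the two situations discussed above. It flags a Deployment that mounts a PVC with an empty `securityContext` (the original report), flags the `runAsUser: 0` / `fsGroup: 0` workaround as running the IDE as root, and fills a `placeholder-uid` template fragment with the AppDefinition's uid (101) so the volume is group-owned by the IDE user without root. The pod spec, the PVC name and the template dicts are constructed to mirror the shapes posted in the issue; the rule set and finding texts are my own assumptions, not Kubernetes or theia-cloud behaviour beyond the documented meaning of `fsGroup` and `runAsUser`.

```python
import copy
import json

# Constructed pod spec mirroring the Deployment in the report: a PVC mounted at
# /home/project/persisted and an empty pod-level securityContext.
POD_SPEC = {
    "securityContext": {},
    "containers": [
        {
            "name": "theia-cloud-demo",
            "image": "theiacloud/theia-cloud-demo:0.8.0.MS8",
            "volumeMounts": [{"mountPath": "/home/project/persisted", "name": "user-data"}],
        }
    ],
    "volumes": [{"name": "user-data", "persistentVolumeClaim": {"claimName": "example-pvc"}}],
}

# Constructed copy of the "run everything as root" workaround from the report.
ROOT_WORKAROUND = copy.deepcopy(POD_SPEC)
ROOT_WORKAROUND["securityContext"] = {"fsGroup": 0, "runAsGroup": 0, "runAsUser": 0}

# Template fragments in the style of the operator's templateDeployment.yaml. Only the
# "placeholder-uid" token is taken from the thread; the dict layout is an assumption.
TEMPLATE_CONTAINER_SC = {"runAsUser": "placeholder-uid", "runAsGroup": "placeholder-uid"}
TEMPLATE_POD_SC = {"fsGroup": "placeholder-uid"}


def _pvc_mounted(pod_spec):
    """True when at least one container mounts a volume backed by a PersistentVolumeClaim."""
    pvc_volumes = {v["name"] for v in pod_spec.get("volumes", []) if "persistentVolumeClaim" in v}
    return any(
        m["name"] in pvc_volumes
        for c in pod_spec.get("containers", [])
        for m in c.get("volumeMounts", [])
    )


def audit_security_context(pod_spec):
    """Return findings explaining why writes to a mounted PVC can fail or why the fix is unsafe."""
    findings = []
    pod_sc = pod_spec.get("securityContext") or {}
    fs_group = pod_sc.get("fsGroup")
    if _pvc_mounted(pod_spec):
        if fs_group is None:
            findings.append("pod: PVC mounted but fsGroup unset; files on the volume keep their original owner")
        elif fs_group == 0:
            findings.append("pod: fsGroup 0 hands the volume to the root group")
    for c in pod_spec.get("containers", []):
        sc = c.get("securityContext") or {}
        # container-level runAsUser overrides the pod-level one
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if uid is None:
            findings.append(f"{c['name']}: runAsUser unset; the uid is whatever the image's USER says")
        elif uid == 0:
            findings.append(f"{c['name']}: runAsUser 0 runs the IDE as root")
    return findings


def render_security_context(pod_spec, uid):
    """Fill the placeholder-uid template into a copy of the pod spec; refuses uid 0."""
    if not isinstance(uid, int) or uid <= 0:
        raise ValueError("uid must be a positive integer; 0 would run the IDE as root")

    def fill(template):
        return {k: (uid if v == "placeholder-uid" else v) for k, v in template.items()}

    out = copy.deepcopy(pod_spec)
    out["securityContext"] = {**(out.get("securityContext") or {}), **fill(TEMPLATE_POD_SC)}
    for c in out["containers"]:
        c["securityContext"] = {**(c.get("securityContext") or {}), **fill(TEMPLATE_CONTAINER_SC)}
    return out


if __name__ == "__main__":
    for label, spec in (("as reported", POD_SPEC), ("root workaround", ROOT_WORKAROUND)):
        print(label, audit_security_context(spec))
    fixed = render_security_context(POD_SPEC, 101)  # 101 is the AppDefinition uid from the thread
    print("after template fill", audit_security_context(fixed))
    print(json.dumps(fixed["securityContext"]), json.dumps(fixed["containers"][0]["securityContext"]))
```

With `fsGroup` set, the kubelet chowns the volume's group to that gid and adds it as a supplemental group of the container process, so the IDE user (uid 101) can write to `/home/project/persisted` without the pod running as root.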
Hi, in my case I enabled keycloak for auth; my login user is 'longfei', and we can find my username inside the deploy's name, the session's name and some other places. I guess I changed some configuration that might have affected the OAuth Proxy part (but I can't remember).
If the OAuth Proxy config is correct then we can see two containers in the ide pod, but it's showing only one container (the first pod in my screenshot)
I deployed a new Theia Cloud in another cluster. This time the pods look correct and I can find the oauth2-proxy container definition in the deploy. And the permission issue does not exist in my new cluster.
Can I close this issue?
Here is the fix: https://github.com/eclipsesource/theia-cloud/pull/177
I searched the configuration but had no luck; can anyone tell me where to configure this?