Open pkerwien opened 1 week ago
@pkerwien thank you for the comment; maybe the following steps can help you
(1) kubectl edit csidriver csi.trident.qnap.io
(2) fsGroupPolicy: "ReadWriteOnceWithFSType" -> "File"
Thanks! This looks promising. The mariadb-operator now managed to deploy a DB cluster. I will do more testing later.
@davidcheng0716 All previously failed deployments work now! Can the changes be made during installation of QNAP CSI (to avoid patching) or will this CSI driver change be default in a future release?
@davidcheng0716 I just discovered that the Longhorn CSI driver uses fsGroupPolicy: ReadWriteOnceWithFSType (same as QNAP CSI before patching). And in the longhorn storage class, I can see fsType: ext4. Perhaps that is the reason fsGroup works as expected when using Longhorn. From https://kubernetes-csi.github.io/docs/support-fsgroup.html:
"ReadWriteOnceWithFSType: Indicates that volumes will be examined to determine if volume ownership and permissions should be modified to match the pod's security policy. Changes will only occur if the fsType is defined and the persistent volume's accessModes contains ReadWriteOnce."
In my QNAP storage class, there is no such fsType parameter. Not sure if I can add one or if that would make it work without having to patch the CSIDriver.
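Added example, not part of the thread and not QNAP's or Longhorn's code: a small audit that applies the fsGroupPolicy rules quoted above to CSIDriver and PersistentVolume objects and reports which volumes would have a pod's fsGroup applied. The objects are constructed samples shaped like `kubectl get csidriver,pv -o json` items; the PV names, and the assumption that the QNAP volume carries no fsType, are hypothetical and mirror the hypothesis in the comment above.

```python
import json

# Constructed sample objects (not real cluster output).
SAMPLE = json.loads("""
{"items": [
 {"kind": "CSIDriver", "metadata": {"name": "driver.longhorn.io"},
  "spec": {"fsGroupPolicy": "ReadWriteOnceWithFSType"}},
 {"kind": "CSIDriver", "metadata": {"name": "csi.trident.qnap.io"},
  "spec": {"fsGroupPolicy": "ReadWriteOnceWithFSType"}},
 {"kind": "PersistentVolume", "metadata": {"name": "pv-longhorn"},
  "spec": {"accessModes": ["ReadWriteOnce"],
           "csi": {"driver": "driver.longhorn.io", "fsType": "ext4"}}},
 {"kind": "PersistentVolume", "metadata": {"name": "pv-qnap"},
  "spec": {"accessModes": ["ReadWriteOnce"],
           "csi": {"driver": "csi.trident.qnap.io"}}}
]}
""")

def fsgroup_applied(policy, access_modes, fs_type):
    """Return (applied, reason) for a pod that sets securityContext.fsGroup."""
    if policy == "None":
        return False, "policy None: volume mounted with no modifications"
    if policy == "File":
        return True, "policy File: applied regardless of fsType or access mode"
    # ReadWriteOnceWithFSType (also the default when the field is unset)
    if not fs_type:
        return False, "no fsType defined on the volume"
    if "ReadWriteOnce" not in access_modes:
        return False, "accessModes does not contain ReadWriteOnce"
    return True, "fsType set and accessModes contains ReadWriteOnce"

def audit(doc, overrides=None):
    """Map PV name -> (applied, reason); overrides simulates patched policies."""
    policies = {i["metadata"]["name"]: i["spec"].get("fsGroupPolicy", "ReadWriteOnceWithFSType")
                for i in doc["items"] if i["kind"] == "CSIDriver"}
    policies.update(overrides or {})
    report = {}
    for pv in (i for i in doc["items"] if i["kind"] == "PersistentVolume"):
        csi = pv["spec"].get("csi")
        if not csi:
            continue  # not a CSI volume; out of scope here
        policy = policies.get(csi["driver"], "ReadWriteOnceWithFSType")
        report[pv["metadata"]["name"]] = fsgroup_applied(
            policy, pv["spec"].get("accessModes", []), csi.get("fsType"))
    return report

if __name__ == "__main__":
    for name, (ok, why) in audit(SAMPLE).items():
        print(f"{name}: fsGroup applied={ok} ({why})")
    print(audit(SAMPLE, {"csi.trident.qnap.io": "File"})["pv-qnap"])
```

Passing an override of `File` for `csi.trident.qnap.io` models the CSIDriver patch suggested earlier in the thread without touching a cluster.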
We appreciate your suggestion and will consider setting it as the default in a future version.
When deploying 3rd party applications like mariadb-operator, cloudnative-pg and bitnami/mariadb helm chart, they all fail when using a PVC on the QNAP NAS.
This happens since the CSI driver is not changing the volume permissions while mounting it when fsGroup is used in the manifests to allow the non-root container user to write to the filesystem.
Using this demo deployment with both Longhorn and QNAP-CSI:
Results in the following when using Longhorn CSI:
With QNAP-CSI:
PVC:
Since the container UID in this example is 999, the user can write to the volume when using Longhorn, but not when using QNAP-CSI.
Another example is using the mariadb-operator to deploy mariadb databases. The database pods will fail with:
Please add necessary fsGroup support into the CSI driver so all these non-root applications can be deployed using QNAP volumes.
My setup is:
My storage class for QNAP PVCs is: