Posted to commits@airflow.apache.org by "batulziiy (via GitHub)" <gi...@apache.org> on 2023/02/08 15:21:10 UTC

[GitHub] [airflow] batulziiy opened a new issue, #29429: SSH private key mounted with 777 permission as a volume

batulziiy opened a new issue, #29429:
URL: https://github.com/apache/airflow/issues/29429

   ### Official Helm Chart version
   
   1.8.0 (latest released)
   
   ### Apache Airflow version
   
   2.4.1
   
   ### Kubernetes Version
   
   v1.25.5+k3s2
   
   ### Helm Chart configuration
   
   workers:
     extraVolumes:
       - name: sshkey
         secret:
           secretName: airflow-ssh-keys
           defaultMode: 0400
     extraVolumeMounts:
       - mountPath: /home/airflow/.ssh
         name: sshkey
         readOnly: true
   
   
   ### Docker Image customizations
   
   _No response_
   
   ### What happened
   
   Upgraded the Helm chart to mount the SSH private key as a volume. However, the keys are mounted with rwx permission for all users. I tried everything I could, but it always mounts with 777 permission.
   - Changed the airflow version to 2.2.5
   - Tried binary, hex syntax of defaultMode
   - added readOnly: true option
   ![image](https://user-images.githubusercontent.com/76592232/217571831-226b5e09-97cf-4d14-ba05-60a705bf16bf.png)
   
   
   
   ### What you think should happen instead
   
   It should be mounted with 0400 permission. 
   
   ### How to reproduce
   
   Deploy the latest Airflow version with the Helm chart, using the values below.
   ##value.yaml
   workers:
     extraVolumes:
       - name: sshkey
         secret:
           secretName: airflow-ssh-keys
           defaultMode: 0400
     extraVolumeMounts:
       - mountPath: /home/airflow/.ssh
         name: sshkey
         readOnly: true
   
   
   ### Anything else
   
   _No response_
   
   ### Are you willing to submit PR?
   
   - [ ] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [airflow] potiuk closed issue #29429: SSH private key mounted with 777 permission as a volume

Posted by "potiuk (via GitHub)" <gi...@apache.org>.
potiuk closed issue #29429: SSH private key mounted with 777 permission as a volume
URL: https://github.com/apache/airflow/issues/29429




[GitHub] [airflow] potiuk commented on issue #29429: SSH private key mounted with 777 permission as a volume

Posted by "potiuk (via GitHub)" <gi...@apache.org>.
potiuk commented on issue #29429:
URL: https://github.com/apache/airflow/issues/29429#issuecomment-1424008716

   Closing provisionally, as this is likely not an Airflow issue.




[GitHub] [airflow] batulziiy commented on issue #29429: SSH private key mounted with 777 permission as a volume

Posted by "batulziiy (via GitHub)" <gi...@apache.org>.
batulziiy commented on issue #29429:
URL: https://github.com/apache/airflow/issues/29429#issuecomment-1424065700

   After spending several hours, found that the symbolic link was showing that full permission. The original secret keys were mounted with 600 permission. Thanks all for your help.




[GitHub] [airflow] boring-cyborg[bot] commented on issue #29429: SSH private key mounted with 777 permission as a volume

Posted by "boring-cyborg[bot] (via GitHub)" <gi...@apache.org>.
boring-cyborg[bot] commented on issue #29429:
URL: https://github.com/apache/airflow/issues/29429#issuecomment-1422765951

   Thanks for opening your first issue here! Be sure to follow the issue template!
   




[GitHub] [airflow] potiuk commented on issue #29429: SSH private key mounted with 777 permission as a volume

Posted by "potiuk (via GitHub)" <gi...@apache.org>.
potiuk commented on issue #29429:
URL: https://github.com/apache/airflow/issues/29429#issuecomment-1424008270

   There are many people struggling with similar issues. For example here:
   
   https://groups.google.com/g/kubernetes-sig-storage-bugs/c/5NzywW6b97A
   
   I believe that this is not a docker image problem. Docker image has nothing to do with permissions that are specified for mounted volume. It is always applied by the deployment mechanism, not the image (not even the entrypoint).
   
   There are two problems you have @batulziiy :
   
   * the permissions for symbolic link always look like that. You need to add -L to the ls command to dereference the link and show the permissions of the file the link points at.
   * Kubernetes only accepts DECIMAL specification for default mode and OCTAL is read as decimal - because of limitation of JSON.
   
   At least this is how it **used** to be described in the docs (see https://stackoverflow.com/questions/61728030/kubernetes-volume-mount-permissions-incorrect-for-secret) - you should have 256 as the value, not 0400. 0400 is read as "400", which is octal 0620 (group write).
   
   I have not found documentation about it in the recent Secrets documentation of K8S, so likely it has been solved differently. But you should check your permissions properly first to see what's going on (with -L).


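The two points in the comment above, as an added example that is not part of the original thread: it rebuilds the symlink layout of a mounted Secret volume in a temporary directory, compares what `ls -l` and `ls -lL` report for the key, and works through the 256-versus-400 arithmetic. The key name `id_rsa`, the timestamped directory name and the helper function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Constructed sample: rebuild, in a temp dir, the symlink layout a Secret
# volume has inside the pod. Key name and timestamp are made up.
make_secret_layout() {
    dir=$(mktemp -d)
    real="$dir/..2023_02_08_15_21_10.000000001"
    mkdir "$real"
    printf 'constructed placeholder, not a real key\n' > "$real/id_rsa"
    chmod 0400 "$real/id_rsa"
    ln -s "..2023_02_08_15_21_10.000000001" "$dir/..data"
    ln -s "..data/id_rsa" "$dir/id_rsa"
    printf '%s\n' "$dir"
}

# Permission string of the directory entry itself (plain `ls -l`).
link_mode() { ls -ld "$1" | cut -c1-10; }

# Permission string of the file the link resolves to (`ls -lL`).
target_mode() { ls -ldL "$1" | cut -c1-10; }

# Octal permission bits of a mode value that was read as a decimal integer.
decimal_to_octal() { printf '%o\n' "$1"; }

# Decimal integer to write for a wanted octal mode such as 400.
octal_to_decimal() { printf '%d\n' "$((0$1))"; }

d=$(make_secret_layout)
echo "ls -l  id_rsa: $(link_mode "$d/id_rsa")"
echo "ls -lL id_rsa: $(target_mode "$d/id_rsa")"
echo "decimal 400 -> octal $(decimal_to_octal 400)"
echo "octal 400 -> decimal $(octal_to_decimal 400)"
rm -rf "$d"
```

Inside a running worker pod the equivalent check is `ls -lL /home/airflow/.ssh`, which shows the modes of the key files rather than of the links that point at them.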


[GitHub] [airflow] xlanor commented on issue #29429: SSH private key mounted with 777 permission as a volume

Posted by "xlanor (via GitHub)" <gi...@apache.org>.
xlanor commented on issue #29429:
URL: https://github.com/apache/airflow/issues/29429#issuecomment-1423952074

   I wonder if this is actually due to the [Docker image](https://github.com/apache/airflow/blob/main/Dockerfile#L1345) and not the helm chart.
   




[GitHub] [airflow] batulziiy commented on issue #29429: SSH private key mounted with 777 permission as a volume

Posted by "batulziiy (via GitHub)" <gi...@apache.org>.
batulziiy commented on issue #29429:
URL: https://github.com/apache/airflow/issues/29429#issuecomment-1424064979

   After spending several hours, found that the symbolic link was showing that full permission. The original secret keys were mounted with 600 permission. Thanks all for your help. 

