We are trying to deploy a pod amp container within our Harve Rancher Users #longhorn-storage

We are trying to deploy a pod & container with...

microscopic-accountant-76829

05/16/2025, 4:46 PM

We are trying to deploy a pod & container within our Harvester cluster using Longhorn as our storage solution. Everything goes fine except it attaches the ephemeral volume we create as root within the container itself with chmod 755 permissions, which prevents the container user from accessing or writing data to that mount. Is there something that is forcing these permissions? We're running everything for building the container using the securityContext propagated with runAsUser/Group, and also runAsNonRoot.

creamy-pencil-82913

05/16/2025, 5:10 PM

what exactly do you mean by “ephemeral volume”

creamy-pencil-82913

05/16/2025, 5:10 PM

Can you show the pod spec?

microscopic-accountant-76829

05/16/2025, 5:14 PM

Copy code

apiVersion: v1
kind: Pod
metadata:
  name: ephemeral
spec:
  securityContext:
    runAsGroup: 10001
    runAsNonRoot: true
    runAsUser: 10001
    supplementalGroups:
    - 1000
  containers:
  - name: fame-fs
    image: <http://mcr.microsoft.com/dotnet/aspnet:8.0-noble|mcr.microsoft.com/dotnet/aspnet:8.0-noble>
    command: ["sh", "-c", "tail -f /dev/null"]
    imagePullPolicy: IfNotPresent          
    resources:
      requests:
        memory: "1Gi"
        cpu: "250m"
      limits:
        memory: "1Gi"
        cpu: "250m"
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      privileged: false
      readOnlyRootFilesystem: true
    volumeMounts:
    - mountPath: /tmp
      name: tmp     
  volumes:
  - name: tmp
    ephemeral:
      volumeClaimTemplate:
        spec:
          accessModes: [ "ReadWriteOnce" ]
          resources:
            requests:
              storage: "5Gi"

creamy-pencil-82913

05/16/2025, 6:29 PM

Just out of curiosity, why are you using a generic ephemeral volume for this instead of emptydir?

creamy-pencil-82913

05/16/2025, 6:32 PM

I don’t see that you’re setting fsGroup in the securityContext, I think that is probably want you wanted to do?

creamy-pencil-82913

05/16/2025, 6:33 PM

see the docs on spec.securityContext.fsGroup and spec.securityContext.fsGroupChangePolicy

microscopic-accountant-76829

05/16/2025, 7:51 PM

I asked my dev why he choose ephemeral, and he thought it would be more robust - and also not share disk space with the pod that we're putting the container on.

creamy-pencil-82913

05/16/2025, 9:42 PM

You can control that. Per the docs:

The
emptyDir.medium
field controls where
emptyDir
volumes are stored. By default
emptyDir
volumes are stored on whatever medium that backs the node such as disk, SSD, or network storage, depending on your environment. If you set the
emptyDir.medium
field to
"Memory"
, Kubernetes mounts a tmpfs (RAM-backed filesystem) for you instead. While tmpfs is very fast, be aware that, unlike disks, files you write count against the memory limit of the container that wrote them.

creamy-pencil-82913

05/16/2025, 9:43 PM

I am not sure why robustness would matter for an ephemeral volume since it is… ephemeral

creamy-pencil-82913

05/16/2025, 9:44 PM

emptydir with tmpfs is usually what I use for stuff that I expect to behave like /tmp on a traditional host fs

2 Views

Open in Slack

Previous Next