This repository was archived by the owner on Mar 9, 2022. It is now read-only.

Volumes created for volumes defined in image do not permissions in the image  #809

@ibuildthecloud

This issue was observed running containerd 1.1.0 under k8s 1.10.3 with the following pod:

```yaml
spec:
  containers:
  - args:
    - --storage.tsdb.retention=6h
    - --config.file=/etc/prometheus/prometheus.yml
    image: prom/prometheus:v2.2.1
    imagePullPolicy: IfNotPresent
    name: prometheus
    ports:
    - containerPort: 9090
      name: admin-http
      protocol: TCP
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /etc/prometheus
      name: prometheus-config
      readOnly: true
```

The prom/prometheus image has a folder /prometheus that is owned by 65534. The docker image also has VOLUME /prometheus defined. When cri-containerd creates the bind mount for /prometheus, the /var/lib/containerd/io.containerd.grpc.v1.cri/containers/XXX/volumes/XXX is not owned by 65534. The end result is that user 65534 cannot mkdir /prometheus/data and the container fails to start.
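An added example, not part of the original report and not containerd's own code: a Go sketch of creating the host directory for an image-defined VOLUME so that it carries the owner and mode of the same path in the image, which is the behaviour the report finds missing. `statOwner`, `createVolumeDir` and the temporary paths are hypothetical names chosen for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// statOwner returns the uid, gid and permission bits of path.
func statOwner(path string) (uid, gid int, mode os.FileMode, err error) {
	fi, err := os.Stat(path)
	if err != nil {
		return 0, 0, 0, err
	}
	st := fi.Sys().(*syscall.Stat_t) // Linux/Unix only
	return int(st.Uid), int(st.Gid), fi.Mode().Perm(), nil
}

// createVolumeDir (hypothetical helper) creates hostDir for an image-defined
// VOLUME and copies owner and mode from imageDir, the same path in the rootfs.
func createVolumeDir(imageDir, hostDir string) error {
	uid, gid, mode, err := statOwner(imageDir)
	if err != nil {
		return err
	}
	if err := os.MkdirAll(hostDir, 0o700); err != nil {
		return err
	}
	if err := os.Chown(hostDir, uid, gid); err != nil {
		return err
	}
	return os.Chmod(hostDir, mode) // explicit: the MkdirAll mode is subject to umask
}

func main() {
	tmp, err := os.MkdirTemp("", "voldemo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(tmp)
	// Constructed stand-ins for the image rootfs directory and the host volume directory.
	img, vol := filepath.Join(tmp, "rootfs/prometheus"), filepath.Join(tmp, "volumes/x")
	if err := os.MkdirAll(img, 0o750); err != nil {
		panic(err)
	}
	fmt.Println(createVolumeDir(img, vol))
	fmt.Println(statOwner(vol))
}
```

Changing ownership to a different uid such as 65534 requires root (CAP_CHOWN), which the runtime has when it sets up container mounts; the demo in `main` only copies the current user's ownership.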
