feat(nfs-server): change shared filesystem ownership and mode (#125)

This PR introduces the FilePermissions `cas.openebs.io/config` PersistentVolumeClaim key. The data keys included within this config key are UID, GID, and mode. The openebs-nfs-provisioner process sets the values from these PersistentVolumeClaim keys into the ENVs FILEPERMISSIONS_UID, FILEPERMISSIONS_GID and FILEPERMISSIONS_MODE.

The /nfs-server-container/nfsd.sh script issues chmod and chown commands to change the ownership and file mode of the shared filesystem directory (backend volume at /nfsshare). The checking criteria is similar to the Kubernetes fsGroupChangePolicy OnRootMismatch.

NOTE: This also generates logs that announce the deprecation of the FSGID cas.openebs.io/config option in future releases. FSGID-like changes can be accomplished with file permissions. Instructions for this have been furnished in the user documentation(#128).

If 'FSGID' is specified, and 'GID' and/or 'mode' FilePermissions keys are also specified, this is treated as an invalid input and provisioning fail. This is done to keep the file permissions strictly declarative.

Signed-off-by: Niladri Halder <niladri.halder@mayadata.io>

Author: niladrih

Makefile

@@ -193,9 +193,9 @@ license-check:
 	@echo
 
 .PHONY: sanity-test
-sanity-test: sanity-test
+sanity-test:
 	@echo "--> Running sanity test";
-	go test -v -timeout 60m ./tests/...
+	go test -v -timeout 120m ./tests/...
 
 .PHONY: push
 push:

deploy/kubectl/busybox-openebs-rwx.yaml

@@ -3,6 +3,15 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: openebs-rwx-pvc
+  #annotaions:
+  #  cas.openebs.io/config: |
+  #      FilePermissions can be used to modify the owner, group
+  #      and file modes of the shared NFS filesystem.   
+  #    - name: FilePermissions
+  #      data:
+  #        UID: "1000"
+  #        GID: "2000"
+  #        mode: "0744"
 spec:
   accessModes:
     - ReadWriteMany

deploy/kubectl/openebs-nfs-provisioner.yaml

@@ -220,7 +220,9 @@ metadata:
       #  value: 30
       #  FSGID defines the group permissions of NFS Volume. If it is set
       #  then non-root applications should add FSGID value under pod
-      #  Suplemental groups
+      #  Suplemental groups.
+      #  The FSGID config key is being deprecated. Please use the
+      #  FilePermissions config key on the PersistentVolumeClaim instead.
       #- name: FSGID
       #  value: "120"
 provisioner: openebs.io/nfsrwx

go.sum

@@ -187,6 +187,7 @@ github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1
 github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I=
 github.com/edsrzf/mmap-go v1.0.0/go.mod h1:YO35OhQPt3KJa3ryjFM5Bs14WD66h8eGKpfaBNrHW5M=
 github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
+github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153 h1:yUdfgN0XgIJw7foRItutHYUIhlcKzcSf5vDpdhQAKTc=
 github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
@@ -206,6 +207,7 @@ github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoD
 github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVBjqR7JHJk0brhHOZYGmfBYOrK0ZhYMEtBr4=
 github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8/go.mod h1:ZhphrRTfi2rbfLwlschooIH4+wKKDR4Pdxhh+TRoA20=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
+github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/fvbommel/sortorder v1.0.1/go.mod h1:uk88iVf1ovNn1iLfgUVU2F9o5eO30ui720w+kxuqRs0=
 github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
@@ -300,6 +302,7 @@ github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zV
 github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -472,10 +475,12 @@ github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxv
 github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pretty v0.2.0 h1:s5hAObm+yFO5uHYt5dYjxi2rXrsnmRpJx4OYvIWUaQs=
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/pty v1.1.3/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA=
+github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k=
 github.com/libopenstorage/openstorage v1.0.0/go.mod h1:Sp1sIObHjat1BeXhfMqLZ14wnOzEhNx2YQedreMcUyc=
@@ -886,6 +891,7 @@ golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e h1:vcxGaoTs7kV8m5Np9uUNQin4BrLOthgV7252N8V+FwY=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20171026204733-164713f0dfce/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1093,6 +1099,7 @@ gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=

nfs-server-container/Dockerfile

@@ -15,7 +15,7 @@ FROM alpine:latest
 #LABEL branch "master"
 COPY Dockerfile README.md /
 
-RUN apk add --no-cache --update --verbose nfs-utils bash iproute2 && \
+RUN apk add --no-cache --update --verbose nfs-utils bash iproute2 coreutils && \
     rm -rf /var/cache/apk /tmp /sbin/halt /sbin/poweroff /sbin/reboot && \
     mkdir -p /var/lib/nfs/rpc_pipefs /var/lib/nfs/v4recovery && \
     echo "rpc_pipefs    /var/lib/nfs/rpc_pipefs rpc_pipefs      defaults        0       0" >> /etc/fstab && \

nfs-server-container/nfsd.sh

@@ -122,6 +122,94 @@ fi
 set -uo pipefail
 IFS=$'\n\t'
 
+# Modify the shared directory (${SHARED_DIRECTORY}) file user owner
+# Does not support more than one shared directory
+if [ -n "${FILEPERMISSIONS_UID}" ]; then
+  # These variables will be used to handle errors
+  UID_ERROR=""
+  CHOWN_UID_ERROR=""
+  # Validating input UID value
+  # Errors if UID is not a decimal number
+  targetUID=$(printf %d ${FILEPERMISSIONS_UID}) || UID_ERROR=$?
+  if [ -n "${UID_ERROR}" ]; then
+    echo "user change error: Invalid UID ${FILEPERMISSIONS_UID}"
+    exit 1
+  fi
+
+  presentUID=$(stat ${SHARED_DIRECTORY} --printf=%u)
+
+  # OnRootMismatch-like check
+  if [ "$presentUID" -ne "$targetUID" ]; then
+    chown -R $targetUID ${SHARED_DIRECTORY} || CHOWN_UID_ERROR=$?
+    if [ -n "${CHOWN_UID_ERROR}" ]; then
+      echo "user change error: Failed to change user owner of ${SHARED_DIRECTORY}"
+      exit 1
+    fi
+
+    echo "chown user command succeeded"
+  fi
+fi
+
+# Modify the shared directory (${SHARED_DIRECTORY}) file group owner
+# Does not support more than one shared directory
+if [ -n "${FILEPERMISSIONS_GID}" ]; then
+  # These variables will be used to handle errors
+  GID_ERROR=""
+  CHOWN_GID_ERROR=""
+  # Validating input GID value
+  # Errors if GID is not a decimal number
+  targetGID=$(printf %d ${FILEPERMISSIONS_GID}) || GID_ERROR=$?
+  if [ -n "${GID_ERROR}" ]; then
+    echo "group change error: Invalid GID ${FILEPERMISSIONS_GID}"
+    exit 1
+  fi
+
+  presentGID=$(stat ${SHARED_DIRECTORY} --printf=%g)
+
+  # OnRootMismatch-like check
+  if [ "$presentGID" -ne "$targetGID" ]; then
+    chown -R :${targetGID} ${SHARED_DIRECTORY} || CHOWN_GID_ERROR=$?
+    if [ -n "${CHOWN_GID_ERROR}" ]; then
+      echo "group change error: Failed to change group owner of ${SHARED_DIRECTORY}"
+      exit 1
+    fi
+
+    echo "chown group command succeeded"
+  fi
+fi
+
+# Modify the shared directory (${SHARED_DIRECTORY}) file permissions
+# Does not support more than one shared directory
+if [ -n "${FILEPERMISSIONS_MODE}" ]; then
+  # These variables will be used to handle errors
+  TEST_CHMOD_ERROR=""
+  CHMOD_ERROR=""
+  
+  # 'chmod -c' output is a non-empty string if the file mode changes
+  # The TEST_CHMOD_OUT variable is used to capture this string
+  TEST_CHMOD_OUT=$(chmod ${FILEPERMISSIONS_MODE} ${SHARED_DIRECTORY} -c) || TEST_CHMOD_ERROR=$?
+  # If the command fails, the specified mode is invalid
+  if [ -n "${TEST_CHMOD_ERROR}" ]; then
+    echo "mode change error: chmod test command failed. 'mode' value ${FILEPERMISSIONS_MODE} might be invalid"
+    exit 1
+  fi
+
+  # If the TEST_CHMOD_OUT is not empty, then there is a root mismatch
+  # (Similar to OnRootMismatch)
+  # Thus a recursive chmod is issued if there is root mismatch
+  # NOTE: This test won't work if we want to handle root mismatch in
+  #       any other way than the execution of the recursive chmod
+  if [ -n "${TEST_CHMOD_OUT}" ]; then
+    chmod -R ${FILEPERMISSIONS_MODE} ${SHARED_DIRECTORY} || CHMOD_ERROR=$?
+    if [ -n "${CHMOD_ERROR}" ]; then
+      echo "mode change error: Failed to change file mode of ${SHARED_DIRECTORY}"
+      exit 1
+    fi
+
+    echo "chmod command succeeded"
+  fi
+fi
+
 # This loop runs till until we've started up successfully
 while true; do