Welcome to the Linux Foundation Forum!

Lab 9.3 Create a Persistent Volume Claim - permissions issue

I've just completed this lab and think I get it but I thought I'd try out writing to the hello.txt file pre-created on the volume from a container running on two different nodes. I found that it was not possible to write to the pre-created hello.txt file due to a permissions error.
kubectl exec nginx-nfs-76d96bcdb-s7lpl -c nginx -- /bin/bash -c "echo 'changed by s7lpl' >> /opt/hello.txt"
/bin/bash: line 1: /opt/hello.txt: Permission denied
I found, however, that I could create a file from one of the containers and then write to it from both
kubectl exec nginx-nfs-76d96bcdb-x4thj -c nginx -- /bin/bash -c "echo 'x4thj change' > /opt/s7lplfile.txt"
kubectl exec nginx-nfs-76d96bcdb-s7lpl -c nginx -- /bin/bash -c "cat /opt/s7lplfile.txt"
x4thj change
Change from other container on other node
kubectl exec nginx-nfs-76d96bcdb-s7lpl -c nginx -- /bin/bash -c "echo 's71pl change' >> /opt/s7lplfile.txt"
File has now been changed by both containers
kubectl exec nginx-nfs-76d96bcdb-s7lpl -c nginx -- /bin/bash -c "cat /opt/s7lplfile.txt"
x4thj change
s71pl change
NFS exports on CP
lab1cp1:~$ cat /etc/exports
/opt/sfw/ *(rw,sync,no_root_squash,subtree_check)

hello file permissions
lab1cp1:~$ ls -l /opt/sfw/hello.txt
-rw-rw-rw- 1 samfraser samfraser 32 Sep 18 16:13 /opt/sfw/hello.txt

PV
lab1cp1:~$ kubectl get pv lab1pvvol-1 -o yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  annotations:
    pv.kubernetes.io/bound-by-controller: "yes"
  creationTimestamp: "2025-09-18T13:18:23Z"
  finalizers:
  - kubernetes.io/pv-protection
  name: lab1pvvol-1
  resourceVersion: "781741"
  uid: 48a9c3e4-2780-4527-99c0-4d667b335b3b
spec:
  accessModes:
  - ReadWriteMany
  capacity:
    storage: 20Mi
  claimRef:
    apiVersion: v1
    kind: PersistentVolumeClaim
    name: lab1pvc-one
    namespace: default
    resourceVersion: "781739"
    uid: 88b6ffac-662a-4136-a9b6-bb771a3dd6da
  nfs:
    path: /opt/sfw
    server: lab1cp
  persistentVolumeReclaimPolicy: Retain
  volumeMode: Filesystem

PVC
lab1cp1:~$ kubectl get pvc lab1pvc-one -o yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  annotations:
    pv.kubernetes.io/bind-completed: "yes"
    pv.kubernetes.io/bound-by-controller: "yes"
  creationTimestamp: "2025-09-18T13:38:12Z"
  finalizers:
  - kubernetes.io/pvc-protection
  name: lab1pvc-one
  namespace: default
  resourceVersion: "781743"
  uid: 88b6ffac-662a-4136-a9b6-bb771a3dd6da
spec:
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 10Mi
  volumeMode: Filesystem
  volumeName: lab1pvvol-1

Pod spec (relevant stuff)
spec:
  volumeMounts:
  - mountPath: /opt
    name: nfs-vol
  securityContext:
    fsGroup: 1000
  volumes:
  - name: nfs-vol
    persistentVolumeClaim:
      claimName: lab1pvc-one

As you can see, I've tried to add a securityContext with the same group as the file on the cp, but that didn't make any difference. Any ideas?

Comments

  • chrispokorni Posts: 2,517

    Hi @dsfraser,

    Did you set the permission on /opt/sfw/ as instructed in step 2 of lab exercise 9.2?

    Regards,
    -Chris

  • dsfraser Posts: 9

    Yes, I have:
    ls -l /opt/
    drwxrwxrwt 3 root root 4096 Sep 25 19:54 sfw
