[question] Are SYS_ADMIN / --privileged capabilities needed to run geesefs within docker / k8s? #127

Open
vadimkantorov opened this issue Dec 20, 2024 · 6 comments


vadimkantorov commented Dec 20, 2024

Typically these are needed to run sudo mount, but are these needed for running mounting with geesefs?

I also wonder if --mount docker's cmdline argument could be used for creating geesefs mounts at container launch time?

Thanks!

Collaborator

vitalif commented Dec 20, 2024

Yes, FUSE needs it either for geesefs itself or for the fusermount utility. As I understand, FUSE can be mounted by the root user in a user namespace, but this feature is only available since k8s 1.30 and not enabled by default: https://kubernetes.io/docs/tasks/configure-pod-container/user-namespaces/. --mount can't be used because, according to the man page, "current supported mount TYPES are bind, volume, and tmpfs".
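
A preflight check for the requirement described in the comment above, as an added example that is not part of this thread or of geesefs: it reads the capability masks in /proc/self/status to tell whether CAP_SYS_ADMIN (capability number 21 on Linux) is available to the FUSE daemon directly, only to a setuid fusermount helper, or not at all. The function names, the `direct`/`helper`/`none` labels and the NoNewPrivs check are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not geesefs code): classify how a FUSE mount could succeed
# in this container, using the fields of /proc/<pid>/status.
CAP_SYS_ADMIN=21   # capability number from linux/capability.h

# has_cap HEXMASK BIT: succeed if BIT is set; reject anything that is not hex
has_cap() {
    case $1 in ''|*[!0-9a-fA-F]*) return 2 ;; esac
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# status_field FIELD [STATUS_FILE]: print one field, e.g. CapEff or CapBnd
status_field() {
    awk -v f="$1:" '$1 == f { print $2 }' "${2:-/proc/self/status}"
}

# fuse_mount_path [STATUS_FILE]: print direct | helper | none
#   direct: CAP_SYS_ADMIN is effective, the daemon can call mount(2) itself
#   helper: only in the bounding set, so a setuid-root fusermount could gain it,
#           unless no_new_privs is set (setuid bits then grant nothing)
#   none:   dropped from the bounding set, neither route can mount
fuse_mount_path() {
    eff=$(status_field CapEff "$1"); bnd=$(status_field CapBnd "$1")
    nnp=$(status_field NoNewPrivs "$1")
    if has_cap "$eff" "$CAP_SYS_ADMIN"; then
        echo direct
    elif has_cap "$bnd" "$CAP_SYS_ADMIN" && [ "$nnp" != 1 ]; then
        echo helper
    else
        echo none
    fi
}

# fuse_preflight [STATUS_FILE] [FUSE_DEV]: print findings, return 0 if a mount is worth trying
fuse_preflight() {
    dev=${2:-/dev/fuse}; path=$(fuse_mount_path "$1"); rc=0
    case $path in
        direct) echo "CAP_SYS_ADMIN effective: the FUSE daemon can mount by itself" ;;
        helper) echo "CAP_SYS_ADMIN only in bounding set: a setuid fusermount is required"
                command -v fusermount3 >/dev/null 2>&1 || command -v fusermount >/dev/null 2>&1 \
                    || { echo "no fusermount binary on PATH"; rc=1; } ;;
        none)   echo "CAP_SYS_ADMIN unavailable: neither route can mount"; rc=1 ;;
    esac
    [ -c "$dev" ] || { echo "$dev is not a character device"; rc=1; }
    return $rc
}
# Usage inside the container: fuse_preflight
```

A `none` result on a pod that sets `allowPrivilegeEscalation: false` is expected, because that setting turns on no_new_privs for the container process.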

@vadimkantorov
Author

Thanks! I think it would be very useful to mention these requirements and workarounds in the README, given that now more and more workloads are run inside docker / k8s and often without the admin capabilities...

Author

vadimkantorov commented Dec 26, 2024

Also, there exists a project https://github.com/sholtrop/ldpfuse which tried building an LD_PRELOAD-able library that transforms a FUSE-based file system into an LD_PRELOAD-based one. For many cases (and certainly for commands like ls/cat/find - I've experimented with these in https://github.com/vadimkantorov/libarchivepreload), it could be enough; I wonder if geesefs could borrow its approach.

Then it could be a workaround for k8s/docker installs which do not allow for CSI plugin or user namespace stuff yet.

Collaborator

vitalif commented Dec 26, 2024

https://github.com/jacobsa/fuse doesn't use a C library, it talks directly to the FUSE kernel device. There's also another FUSE binding used for the Windows version of geesefs; it is indeed based on the FUSE C library. But anyway LD_PRELOAD is a really ugly hack %)

@vadimkantorov
Author

For that second version, I wonder if geesefs can provide, as a library, a C interface representing the state of a virtual FS and low-level syscall/libc/posix-like functions for working with it? (like the interface in ldpfuse)

If so, a custom implementation of an LD_PRELOAD bridge could be easily implemented by a user (or the functions could be used for working with s3 from the user's custom C code)
