Skip to content

Fix RustFS tenant pod permissions and add log volume #58

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
loverustfs merged 1 commit into from
Dec 22, 2025
Merged

Fix RustFS tenant pod permissions and add log volume #58

loverustfs merged 1 commit into from
Dec 22, 2025

Conversation

@loverustfs
Copy link
Collaborator

@loverustfs loverustfs commented Dec 20, 2025

🐛 Bug Fix

This PR addresses the "Permission denied" issue reported in rustfs/rustfs#987 when bootstrapping clusters on storage backends like Longhorn or local paths where default volume permissions are root:root.

🛠 Changes

  1. Security Context Enforcement:

    • Configured PodSecurityContext to run as non-root user 10001 (RustFS default).
    • Set fsGroup: 10001 and fsGroupChangePolicy: "OnRootMismatch" to ensure Kubernetes recursively changes ownership of mounted PVCs to the RustFS user.

  2. Log Volume Management:

    • Added an EmptyDir volume mounted at /logs.
    • This prevents RustFS from trying to write logs to the container's root filesystem (which might be read-only) or a host path with incorrect permissions.

🧪 Testing

  • Unit Tests: Added test_statefulset_sets_security_context_and_log_volume to verify that### 🐛 Bug Fix

This PR addresses the "Permission denied" issue reported in #987 when bootstrapping clusters on storage backends like Longhorn or local paths where default volume permissions are root:root.

🛠 Changes

  1. Security Context Enforcement:

    • Configured PodSecurityContext to run as non-root user 10001 (RustFS default).
    • Set fsGroup: 10001 and fsGroupChangePolicy: "OnRootMismatch" to ensure Kubernetes recursively changes ownership of mounted PVCs to the RustFS user.

  2. Log Volume Management:

    • Added an EmptyDir volume mounted at /logs.
    • This prevents RustFS from trying to write logs to the container's root filesystem (which might be read-only) or a host path with incorrect permissions.

🧪 Testing

  • Unit Tests: Added test_statefulset_sets_security_context_and_log_volume to verify that

@loverustfs
Fix RustFS tenant pod permissions and add log volume
f412413 
Summary:
- Enforce non-root execution (UID/GID/fsGroup 10001) with fsGroupChangePolicy to make PVC mounts writable.
- Add EmptyDir-backed /logs mount to avoid host filesystem permission issues.
- Keep env merging behavior unchanged; credentials via Secret still honored.

This fixes the 'Permission denied' error seen when bootstrapping clusters on certain storage backends (e.g. Longhorn) where the default docker volume permissions are root:root.
This was referenced Dec 20, 2025
Closed
Closed
@loverustfs loverustfs enabled auto-merge December 20, 2025 03:46
@shahab96 shahab96 mentioned this pull request Dec 20, 2025
Open
@loverustfs loverustfs added this pull request to the merge queue Dec 22, 2025
Merged via the queue into main with commit 6ef089a Dec 22, 2025
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bestgopher bestgopher bestgopher approved these changes

+1 more reviewer

@shahab96 shahab96 shahab96 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@loverustfs @shahab96 @bestgopher